A friend of mine’s server was recently hacked by the Turkish Hacker iSKORPiTX. He has a number of Wordpress installs running on a number of domains and needed to get his sites back up and running. Here are the steps that I took to get one of his sites back to how it was before the hack – which I documented so that we had a guideline on what to do for each install.
Recovering from the iskorpitx Hack on Wordpress 2.9.2
This hack modifies a number of files in your wordpress installation as well as replacing the contents of any index.php files. Use the following steps to recover your installation.
Be sure to make a backup of the hacked install – as you can always revert to the hacked version if the steps below do not help you or cause any other damage.
- Download the latest version of Wordpress (2.9.2) from http://www.wordpress.org and unzip (doesn’t matter where, you just need the original referenced files in the steps below).
- Log in to your site and remove the index.html file in public_html (or your folder root).
- Replace the index.php file contents with the index.php contents from the wordpress folder in Step 1.
- Navigate to the wp-includes folder and replace the default-embeds.php, default-filters.php and default-widgets.php file from Step 1 in the same location (wordpress/wp-includes/default-*.php).
- Navigate to the wp-admin folder and replace the index.php and index-extra.php files from Step 1 (wordpress/wp-admin/index.php and wordpress/wp-admin/index-extra.php).
- Replace the missing files in the wp-admin/css folder (login.css and login-rtl.css).
- Replace the missing images in the wp-admin/images folder – (the easiest thing to do is copy all the images from Step 1 directory, skipping the duplicates and replacing the 3 missing images).
- Remove the in.txt file from wp-admin/maint folder.
- Navigate to the wp-content folder.
- Replace the index.php file with the index.php file (wordpress/wp-content/index.php) – this is an empty file just to prevent access to the folders.
- Repeat Step 10, replacing the wp-content/themes/index.php and wp-content/plugins/index.php files (these are also empty files).
- Replace the index.php file in your active theme folder with the index.php file from your theme (DO NOT USE the Step 1 default/classic index.php file unless you have not modified your themes index.php file or are using the default theme).
- Navigate every other folder and remove any references to in.txt
Update: Also make sure to disable and update/replace all your plugins as any plugins that have an index.php file will also be hacked.
Eighty Six, or myself cannot be held responsible for any adverse effects that the above fix may cause – these steps were taken and worked on his Wordpress 2.9.2 installs on his server. Your server may be setup differently, but use the following as a guideline. If you have any other files that you notice need fixing, please let me know and I will update the steps above.
Good luck.