Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Have you resolved the hack, is your website secure again?
Which hosting service are you using?
I have backed up my www folder with FTP and then deleted everything.
Also made a support ticket @ my hosting previder (Ioniq). Maybe the problem is at their side??
At installation of WP3.5 I already changed the admin login name and cannot think of what I’ve done wrong.
Did experiment with plugings though, but all serached on the WP site…
So, no, my website is not online anymore. As soon as my Cpanel works again I will install through Cpanel. Scared though if it will or can happen again…
If cPanel is down, it’s not WP, its your server.
Ok tnx, will wait for support then!
ok my hosting previder answered:
Probably your website is defaced through an older version of WP, or a WP module which has a leak (I translated from Dutch)
Is there a blacklist of modules/plugins which are provided by hackers and can cause damage??
I have the same problem since 14:56 this afternoon, my website and all its subdomains have an overwritten index.php (that’s where I see the time) with the same “Hacked by Badi” text. I don’t use WP so I think there’s an other cause. My website is probably on the same server from Ioniq. They didn’t reply on my message to them yet.
cPanel is up again by the way, this afternoon I also got an error there.
I had the same problem. A few of my customers who were all on the same server got hacked. The page presented a white blank background with the text “Hacked by Badi”. It was an overlay text widget and easy to delete.
The hack seemed to mess with the encoding. Umlauts weren’t presented correctly but a forum posted the tip to edit out following line in wp-config.php:
// define('DB_CHARSET', 'utf8');
This worked for me as well. Going on to changing all passwords…
OK, Iam back online.
Ioniq replyed very quick and uploaded a backup.
One problem in WP – Under widgets my sidebar has dissappeared..
The same has happened to my. I got three sites hacked, but only one fully. The two others only got char set changed to UTF-7.
Here’s more on the topic.
http://wordpress.org/support/topic/calling-all-site-owners-hacked-by-walangkaji-badi-etc-need-some-help?replies=14
Ioniq replyed very quick to me too and also restored a backup of yesterday by my request. Everything is up and running fine again.
In their reply the wrote that an old version of Joomla or WordPress caused the possibility to get hacked.
In my case this is not possible because I don’t use these systems.
What strikes me is that since today a few people on Ioniqs servers have these problems, so is this our fault or is there something else wrong?
Very strange that this has happened to sites that aren’t even on WP.
The plot thickens.
Let’s keep each other posted people!
I’m working with my hosts and Securi to try to work this out.
This morning at 5 o’clock I received an answer that the problems were solved. As far as I can see everything is okay now.
Yesterday after they restored a backup I wasn’t fully satisfied because the /cgi-sys/defaultwebpage.cgi page (where I was redicted to once by the hack) still showed the hacked page.
It seems to me that they worked all night to fix everything, they admit that they have found some ‘irregularities’ and improved some security policies. They cleaned up all webspaces and restored some with backups.
They don’t say it like this and still give the advice to update our software/systems, but it strongly seems to me that something has happened on their side. However it must be said they were on it right away, even in the weekend and it seems to be fixed very fast.
J87, is there any chance you can get your hosts to elaborate on the irregularities so that we can let our hosts know.
Let us know, but obviously don’t post info directly here as we don’t want to spread the vulnerability. If you can gather info, I’ll drop you my email address.
Thanks.
Today I got hacked by Badi as well 7 websites, all on the same server, have a number of sites on a different server not touched, but have 2 wordpress sites on same server not hacked, will see if I can work out what the differences are.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
These threads a getting a bit chaotic guys. If you’re requesting support for your own issues, despite any similarities to this thread, can you please create your own threads. Otherwise it becomes really difficult to track down who’s having which issue.
