Title: Suspected Hack
Last modified: August 22, 2016

---

# Suspected Hack

 *  Resolved [Caskast](https://wordpress.org/support/users/caskast/)
 * (@caskast)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/suspected-hack-1/)
 * Hello everyone, I suspect that my server has been compromised and I’m trying 
   to find out what these files are doing exactly. It looks like it is either sending
   data or being used for spam.
 * Has anyone seen these before?
 * **frommshead.php**
    _ [ Malware redacted ]
 * `[10-Dec-2014 12:07:00 UTC] PHP Warning: mkdir(): File exists in /home/vetcpd/public_html/wpinstall.php on line 156`
 * I am currently taking steps to secure the server more but I am curious what this
   is and how to stop it next time.

Viewing 11 replies - 1 through 11 (of 11 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 6 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5566945)
 * No suspect about it, you’re hacked.
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
   [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html)
 *  [kb0wwp](https://wordpress.org/support/users/kb0wwp/)
 * (@kb0wwp)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5566999)
 * I have that also. Restoring from a backup.
 *  [chaos](https://wordpress.org/support/users/chaos1/)
 * (@chaos1)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567148)
 * Found this on a server I manage, here is some detail on the code.
 * [http://pastebin.com/v42Rv9DF](http://pastebin.com/v42Rv9DF)
 *  [Tevya](https://wordpress.org/support/users/thefiddler/)
 * (@thefiddler)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567165)
 * I just found it on a site too. Any idea what it is or what it does? Sucuri doesn’t
   detect anything wrong with the site, nor has Google flagged it like it has so 
   many sites infected by the most recent WP attack: [http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html](http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html)
 *  [Tevya](https://wordpress.org/support/users/thefiddler/)
 * (@thefiddler)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567166)
 * Never mind. I found a vulnerable version of Revslider on the site. I thought we’d
   updated it on all sites, but somehow this one didn’t get updated. I think it’s
   clean now. Doing some checking to be sure. Also checking other sites on the same
   server. Fortunately I think my host has things so locked down and separated between
   “apps” that there’s not much chance this site was used to infect others. Going
   to check anyway, to be sure.
 *  [abehjat](https://wordpress.org/support/users/abehjat/)
 * (@abehjat)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567210)
 * I got hacked as well.
 * Luckily, the hacker couldn’t edit their source files (that lead to the infection),
   and I have read most of their code.
 * Check all the files that are edited on December 31, 2013 (at 4:17 PM)
 * All the damaged files have been edited by that time based on the following code:
 * `touch("wp-includes/xmlrpc.php", mktime(12, 17, 11, 12, 31, 2013));`
 * (they hacked .htaccess files, too)
 *  [red5host](https://wordpress.org/support/users/goduel/)
 * (@goduel)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567220)
 * Check also for files such as
 * wp-options.php, as frommshead creates this then is meant to delete itself
    frommshead.php wpinstall-Copy.php
 * Check and delete all error logs also
 * I would suggest comparing all core WordPress files and deleting and replacing them,
   along with theme files also.
 * Make sure all server backups are removed also or it could revisit
 *  [oskerlau](https://wordpress.org/support/users/oskerlau/)
 * (@oskerlau)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567229)
 * Mine got these new files too:
    admin-ajax.php class-wp-index.php jquery.php wp-class-headers.php ms-head.php
   frommshead.php
 * Modified:
    index.php
 *  [Ben Heath](https://wordpress.org/support/users/btheath/)
 * (@btheath)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567230)
 * Same issue with a site I manage as well.
 * We saw that Google had marked the site as containing malicious files, and so 
   I took a look at the ftp to find the same files and issues as mentioned in this
   forum.
 * I’ve gone in and removed every change I could find by looking at the timestamps.
   Every file that had an issue all had a matching timestamp, so this was the clue
   to finding all of the issues.
 * Now that I’ve removed every issue I could find, as well as using the suggestions
   mentioned above by Jan Dembowski, I submitted to Google, in Webmaster Tools, a
   request for them to check the site again, and release the “This site contains
   malicious …” warning.
 * The wait may be up to 24 hours for them to review it, but hopefully, we’ll be
   in the clear.
 * I’ll report back here if there are any other hoops I have to jump through.
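
The timestamp check that abehjat and Ben Heath describe above can be scripted. This is an added example, not part of any post in the thread: it looks for files whose modification time equals the forged `mktime(12, 17, 11, 12, 31, 2013)` stamp and for the file names reported here. The function names and the whole-hour time zone range are assumptions of the example.

```python
import os
import sys
from datetime import datetime, timezone

# File names the posters in this thread reported as dropped on their sites.
# admin-ajax.php was reported too, but it is also a core file name
# (wp-admin/admin-ajax.php), so it is left to the timestamp check.
REPORTED_NAMES = {
    "frommshead.php", "wpinstall.php", "wpinstall-Copy.php", "wp-options.php",
    "class-wp-index.php", "jquery.php", "wp-class-headers.php", "ms-head.php",
}

def forged_epochs():
    """Epochs that mktime(12, 17, 11, 12, 31, 2013) can yield.

    PHP's mktime() uses the server's time zone, which is unknown here, so
    every whole-hour offset from UTC-12 to UTC+14 is a candidate (assumption:
    half-hour zones are ignored).
    """
    base = int(datetime(2013, 12, 31, 12, 17, 11, tzinfo=timezone.utc).timestamp())
    return {base - offset * 3600 for offset in range(-12, 15)}

def scan(root, epochs=None):
    """Return sorted (relative path, reasons) pairs for files worth reviewing."""
    epochs = forged_epochs() if epochs is None else epochs
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if int(st.st_mtime) in epochs:
                # touch() rewrites mtime; on Unix, ctime still records when
                # the inode was really changed, so report it for the timeline.
                changed = datetime.fromtimestamp(st.st_ctime, timezone.utc)
                reasons.append(f"mtime matches forged stamp; ctime {changed:%Y-%m-%d %H:%M:%S}Z")
            if name in REPORTED_NAMES:
                reasons.append("name reported in thread")
            if reasons:
                hits.append((os.path.relpath(path, root), reasons))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/public_html
    for rel, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, "|", "; ".join(reasons))
```

A match is a lead for manual review against a clean copy of WordPress core, not proof on its own that a file is malicious.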
 *  [lovetrenna](https://wordpress.org/support/users/lovetrenna/)
 * (@lovetrenna)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567231)
 * Do any of your pages say 503 Unavailable?
    I believe my website was hacked as 
   well because I got emails saying there were failed attempts to my login and I 
   was on a “Lock Down” from WordPress. So I was able to go onto WordPress yesterday
   for a few minutes and got kicked off again.
 * I let it be today and it still says 503 Unavailable. What should I do? Does anyone
   know what I could do to get my website up again and figure out what’s wrong?
 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567232)
 * **[@lovetrenna](https://wordpress.org/support/users/lovetrenna/)** – please do
   not post the same question in more than one place – that’s not how these forums
   work – I just answered your thread here:
 * [https://wordpress.org/support/topic/503-unavailable-cant-log-onto-my-own-site?replies=3](https://wordpress.org/support/topic/503-unavailable-cant-log-onto-my-own-site?replies=3)


The topic ‘Suspected Hack’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 11 replies
 * 11 participants
 * Last reply from: [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * Last activity: [11 years, 5 months ago](https://wordpress.org/support/topic/suspected-hack-1/#post-5567232)
 * Status: resolved

