3 days ago I went to pull up my WordPress Blog login & it took me to some crazy, militant Serbian website. I contacted my hosting company (Bravenet) and was advised that there were serious, known issues about that Photocrati theme as follows:
"I was able to confirm that version of photocrati-theme does allow people to break into the site via a remote exploit. To prevent this from happening in the future, I would contact the people who provided that theme for a solution, or switch to another theme."
wp-content/themes/photocrati-theme/galleries/post-/full/wso.php - Obfuscated PHP code
wp-content/themes/photocrati-theme/galleries/post-/full/r577.php - Looks to be a PHP based backdoor
wp-content/themes/photocrati-theme/galleries/post-/full/murad/Sharp_Cyber.SQL - looks like it's designed to get information about the webserver
wp-content/themes/photocrati-theme/galleries/post-/full/murad/domain.shh - more info gathering
wp-content/themes/photocrati-theme/galleries/post-/full/murad/.htaccess - used to run the scripts
wp-content/themes/photocrati-theme/galleries/post-/full/c100.php - another backdoor shell
Looks like the photocrati-theme allows people to upload images, and someone used it to upload a php file designed to compromise the website.
To fix it, I would start by deleting the following:
I found that file that was recommended for deletion, but when I attempt to delete it, it tells me it's either empty and/or I don't have permission to delete it.
Can someone please tell me - in very simple steps - how to get rid of this photocrati garbage & get my blog back? I would appreciate all recommendations.
They have also modified the following files, which should be replaced with clean copies from WordPress:
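Added example, not part of the original post or the host's reply: a Python check that walks an image-upload folder such as the theme's galleries directory and lists everything that is not a genuine image, which is the pattern the host describes (PHP files, an .htaccess and other non-image files sitting among uploaded pictures). The function names and the set of allowed image types are assumptions made for this sketch.

```python
import os

# Leading bytes of the image types a gallery upload folder should contain (assumed set).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(path):
    """Return a reason string if the file does not belong in an image folder, else None."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name == ".htaccess":
        return "per-directory .htaccess (can change how files here are handled)"
    if ext not in IMAGE_MAGIC:
        return "not an image type: %r" % (ext or name)
    try:
        with open(path, "rb") as fh:
            data = fh.read(1024 * 1024)  # the first 1 MiB is enough for these checks
    except OSError as exc:
        return "unreadable (%s)" % exc.strerror
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "image extension but wrong file signature"
    if b"<?php" in data.lower():
        return "image file with embedded PHP open tag"
    return None

def scan_upload_tree(root):
    """Walk root and return sorted (relative_path, reason) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Usage: python scan.py <path to the galleries or uploads folder>
    for rel, reason in scan_upload_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (rel, reason))
```

Run it against a downloaded copy of the site or over SSH; it only reads files and deletes nothing.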