Photocrati Theme Hacked - Need Assistance

  1. 3 days ago I went to pull up my WordPress Blog login & it took me to some crazy, militant Serbian website. I contacted my hosting company (Bravenet) and was advised that there were serious, known issues about that Photocrati theme as follows:

    "I was able to confirm that version of photocrati-theme does allow people to break into the site via a remote exploit. To prevent this from happening in the future, I would contact the people who provided that theme for a solution, or switch to another theme."

    wp-content/themes/photocrati-theme/galleries/post-/full/wso.php - Obfuscated PHP code
    wp-content/themes/photocrati-theme/galleries/post-/full/r577.php - Looks to be a PHP based backdoor
    wp-content/themes/photocrati-theme/galleries/post-/full/murad/Sharp_Cyber.SQL - looks like it's designed to get information about the webserver
    wp-content/themes/photocrati-theme/galleries/post-/full/murad/domain.shh - more info gathering
    wp-content/themes/photocrati-theme/galleries/post-/full/murad/.htaccess - used to run the scripts
    wp-content/themes/photocrati-theme/galleries/post-/full/c100.php - another backdoor shell

    Looks like the photocrati-theme allows people to upload images, and someone used it to upload a php file designed to compromise the website.

    To fix it, I would start by deleting the following:

    I found that file that was recommended for deletion, but when I attempt to delete it, it tells me it's either empty and/or I don't have permission to delete it.

    Can someone please tell me - in very simple steps - how to get rid of this photocrati garbage & get my blog back? I would appreciate all recommendations.

    Thanks!

    They have also modified the following files, which should be replaced with clean copies from wordpress:

  2. You did not specify a blog address or reason for posting when you created this topic.

    This support forum is for blogs hosted at If your question is about a self-hosted WordPress blog then you'll find help at the forums.

    If you don't understand the difference between and, you may find this information helpful.

    If you forgot to include a link to your blog, you can reply and include it below. It'll help people to answer your question.

    This is an automated message.

  3. The blog is:

    But I have it disabled because it's been hacked & I'm worried it probably carries a virus & did not want that to spread to people who read our blog daily.

  4. It's clear to me that your question is about a self-hosted WordPress blog and you'll find help at the forums.

  5. This is the support forum. Here we provide support only for blogs that hosts and that site is not one of them.

  6. Thanks timethief. I will try there & appreciate your reply.

  7. You're welcome and best wishes.

This topic has been closed to new replies.