Photocrati Theme Hacked – Need Assistance

    #970515

    kdroberts
    Member

    3 days ago I went to pull up my WordPress Blog login & it took me to some crazy, militant Serbian website. I contacted my hosting company (Bravenet) and was advised that there were serious, known issues about that Photocrati theme as follows:

    “I was able to confirm that version of photocrati-theme does allow people to break into the site via a remote exploit. To prevent this from happening in the future, I would contact the people who provided that theme for a solution, or switch to another theme.”

    wp-content/themes/photocrati-theme/galleries/post-/full/wso.php – Obfuscated PHP code
    wp-content/themes/photocrati-theme/galleries/post-/full/r577.php – Looks to be a PHP based backdoor
    wp-content/themes/photocrati-theme/galleries/post-/full/murad/Sharp_Cyber.SQL – looks like it’s designed to get information about the webserver
    wp-content/themes/photocrati-theme/galleries/post-/full/murad/domain.shh – more info gathering
    wp-content/themes/photocrati-theme/galleries/post-/full/murad/.htaccess – used to run the scripts
    wp-content/themes/photocrati-theme/galleries/post-/full/c100.php – another backdoor shell

    Looks like the photocrati-theme allows people to upload images, and someone used it to upload a php file designed to compromise the website.

    To fix it, I would start by deleting the following:
    wp-content/themes/photocrati-theme/galleries/post-“

    I found that file that was recommended for deletion, but when I attempt to delete it, it tells me it’s either empty and/or I don’t have permission to delete it.

    Can someone please tell me – in very simple steps – how to get rid of this photocrati garbage & get my blog back? I would appreciate all recommendations.

    Thanks!

    They have also modified the following files, which should be replaced with clean copies from wordpress:
    index.php
    wp-login.php
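
An added example, not part of the original thread or of the theme's code: a read-only audit of an image upload directory such as the `galleries/` folder named in the post above, listing every file that is not an image. The function names, extension list and sample tree are assumptions made for illustration; the check for PHP embedded in an image file goes beyond what the post lists.

```python
import os
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allow-list for a gallery

def audit_gallery(root):
    """Return sorted (relative_path, reason) pairs for files that do not
    belong in an image-only upload directory. Nothing is modified."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                # A per-directory .htaccess can change how uploads are served.
                findings.append((rel, "htaccess in upload dir"))
            elif ext not in IMAGE_EXTS:
                findings.append((rel, "non-image extension"))
            else:
                with open(path, "rb") as fh:
                    head = fh.read(65536).lower()
                if b"<?php" in head:
                    findings.append((rel, "PHP code inside image file"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: some names follow the post, contents are inert."""
    samples = {
        "full/photo1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "full/wso.php": b"placeholder",
        "full/murad/.htaccess": b"# placeholder",
        "full/murad/domain.shh": b"placeholder",
        "thumbs/logo.gif": b"GIF89a<?php /* placeholder */ ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_gallery(tmp):
            print(f"{reason:28} {rel}")
```

Pointed at a copy of the real `galleries/` directory, the list it prints is the set of files to review before deleting anything.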

    #970690

    supportbot
    Member

    You did not specify a blog address or reason for posting when you created this topic.

    This support forum is for blogs hosted at WordPress.com. If your question is about a self-hosted WordPress blog then you’ll find help at the WordPress.org forums.

    If you don’t understand the difference between WordPress.com and WordPress.org, you may find this information helpful.

    If you forgot to include a link to your blog, you can reply and include it below. It’ll help people to answer your question.

    This is an automated message.

    #970692

    kdroberts
    Member

    The blog is: http://rvlife.redsroads.net

    But I have it disabled because it’s been hacked & I’m worried it probably carries a virus & did not want that to spread to people who read our blog daily.

    #970693

    timethief
    Member

    It’s clear to me that your question is about a self-hosted WordPress blog and you’ll find help at the WordPress.org forums. http://wordpress.org/support/
    read > http://support.wordpress.com/com-vs-org/

    #970694

    timethief
    Member

    This is the wordpress.com support forum. Here we provide support only for blogs that wordpress.com hosts and that site is not one of them.

    #970697

    kdroberts
    Member

    Thanks timethief. I will try there & appreciate your reply.

    #970700

    timethief
    Member

    You’re welcome and best wishes.

The topic ‘Photocrati Theme Hacked – Need Assistance’ is closed to new replies.