-2

I'm trying to clean up a small hack on my Wordpress site. It's located at http://www.mydermakare.com. I found the initial spam code in the index.php file and deleted it, but I'm still getting a function session-start error at the top of my page.

Any ideas on where I can find the problem code?

AstroCB
  • 12,337
  • 20
  • 57
  • 73
Rob Myrick
  • 859
  • 11
  • 28
  • Can you be a little more specific as to what exactly happened? Are you saying that your site was hacked into and the php pages were modified to include code, or are you saying that you have been having issues with spam on the blog? – Skolor Jan 31 '12 at 16:39
  • I do have spam in the comments box, but I think the problem is from code uploaded through the contact form. I'm only assuming this because it has happened on another one of my websites in the past. – Rob Myrick Jan 31 '12 at 16:41
  • It sounds like a fairly big problem if someone is able to upload code through any sort of publicly accessible form. – Skolor Jan 31 '12 at 16:42
  • haha I just viewed a cached version of the page and had to close it quickly because I'm in work. Just a heads up to anyone else, It's a woman in a bikini. Nothing rude but it's not dull enough for our work regulations haha. – Mark Price Jan 31 '12 at 16:43
  • YES......don't get in trouble for assumed porn at work!!!! – Rob Myrick Jan 31 '12 at 16:43

4 Answers4

2

http://ismyblogworking.com/mydermakare.com shows the results of hack code in your robots.txt file as well as the RSS feed. You're still hacked.

Replace all core WP files and folders, except your theme. That's where the php error is coming from.

Do a complete job of cleaning the hack or it will happen again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host. Change all passswords and scan your own PC. Maybe even find a better, more secure host.

hakre
  • 193,403
  • 52
  • 435
  • 836
markratledge
  • 17,322
  • 12
  • 60
  • 106
0

The lines before line 10 are causing the headers to get sent before line 10 can add/change them. Showing us lines 1-10 might help.

EDIT: Yes i think you have been hacked or something http://sucuri.net/malware/malware-entry-mwjs160 At this point i'm going to step a side, bit too complicated for me and i don't want to tell you the wrong thing.

Mark Price
  • 582
  • 1
  • 8
  • 18
  • Hi Mark, I have a backup file of index.php and I replaced it - and it's not working. Are you saying that lines 1-10 in index.php would be the problem, or would it be elsewhere, considering I already replaced index.php with my backup – Rob Myrick Jan 31 '12 at 16:42
  • If lines 1-10 have an "include" then it may be in the file being included. – Mark Price Jan 31 '12 at 16:45
  • Mark, I just clicked on view source and a weird script is showing at the top. I'm thinking that def looks suspicious. – Rob Myrick Jan 31 '12 at 16:50
0

Did you close your php tag in index.php. Is there any extra space. the error shown here is due to session_start() called in quick-contact.php in quick contact plugin. But PHP had outputted something before. Remove any white space before or after the php tags in any of the primary files

EDIT:

I think this is not the problem with index.php. i think you have added some space somewhere in your php files after the tags. Can you check those

Sabari
  • 6,205
  • 1
  • 27
  • 36
0

Judging from the comments here, your best bet is to probably restore the entire site from a backup. You'll still run into the problem that the vulnerability is still there and likely exploitable still by whoever 'hacked' the site the first time. Finding the particular exploit that was used is fairly far beyond what can be done over a forum like this, but you could probably start by looking at all of your plugins and making sure they're up to date.

Skolor
  • 424
  • 2
  • 10