Something strange is on my website. How do I get rid of it?

A friend told me, google my site with the following words added:

edberry.com merisa wolf

Select the 4th entry, which is:

[DOC]

DISCLAMER: the following is for educational purposes … – Ed Berry

edberry.com/…/Intructions-for-Acceptance-of-Warranty-Deed…

And then download a Word file that I did not put on my site. (I am not in the warranty deed business.)

edberry.com is a multisite.

How do I find where this document is on my site?

How do I find and remove other such unwanted documents?

How do I prevent hackers from adding material to my site?

Thanks,

Ed

  • aecnu
    • WP Unicorn

    Greetings Ed,

    Thank you for this great question and bringing this significant issue to our attention.

    The document in question is located in edberry.com/SiteDocs/Home/

    Security starts with the host filtering using their firewall plus other server related security precautions.

    Though this document is indeed on your hosting account and you think that deleting it is the first thing to do, it has a lot of information as to when the breach happened and also help to find other breaches and documents therein.

    There are many possibilities not limited to another hosted customer had a breach and they got files into your folders, but this also depends on server configuration as well.

    I actually do NOT believe this is a WordPress issue but rather a hosting account issue in general. That even if you had a regular plain web site that this would have happened for reasons previously given.

    Right now it is my opinion that the best thing to do, depending on how long ago this breach occurred, is to have the host dig in and figure out exactly the date and time this happened by the files date and times as well as what IP block it came from.

    The file and folder dates are very important in this case, deleting them will only hinder the discovery of the breach if at all possible.

    Please advise what they have to say like when and where concerning dates and folders.

    Cheers, Joe

  • aecnu
    • WP Unicorn

    Greetings Ed,

    Thank you for letting me know and I look forward to your further input in any event.

    We will be here and if we can help more let me know.

    I am leaving this ticket open while you folks has time to do some digging as to what or at least when it happened.

    Cheers, Joe

  • exberry
    • The Incredible Code Injector

    Here’s what I learned:

    Someone, without my permission, added the /Home folder to my /SiteDocs folder on January 7, 2012. Then they uploaded 5 Word files.

    There is no evidence of malicious intent and my site has not been harmed. This is very strange but I have no other information about how or why this happened.

    I am the only administrative user on my site. Maybe someone discovered my password during January.

    Ed

  • aecnu
    • WP Unicorn

    Greetings Ed,

    Thank you for letting us know and for your detailed explanation of what happened to the best of your knowledge, it is certainly appreciated.

    Certainly you have since changed you password to an alpha numeric including upper and lower case letters?

    For your sites security of course.

    Cheers, Joe

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.