Fixing “HACKED+BY+CELLATREIS” message on WordPress

There are many out there hacking into WordPress sites and defacing them. This post seeks to help anyone who’s got the “HACKED+BY+CELLATREIS” or similar message.

This one is simply encoded text in the wp_options table of the database.

To check this is the cause:

  • 1. Goto the wp-options tables in your WordPress database
  • 2. Find the row where the “option_name” column is “widget_text”
  • 3. Copy the “option_value” if it looks like a load of jumbled up characters (e.g. Below for the “HACKED BY CELLATREIS” defacement)

  • document.documentElement.innerHTML = unescape(''%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53'');

  • 4. If the value contains “unescape”… Goto a site that offers to “unescape” text online (e.g. http://scriptasylum.com/tutorials/encode-decode.html)
  • 5. See what the unescaped code looks like. In the case of the “HACKED BY CELLATREIS” defacement, it will look like the below.

  • document.documentElement.innerHTML = unescape(''HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS'');

  • 6. If the unescaped text looks like the dafacement. Simply delete the option_value, or entire row of the table. This should remove the defacement.
  • Note: If your site has been defaced, it is possible that your password and/or salt have been compromised. Change them as soon as possible to protect your site from further defacement/breaches.

Leave a Reply

Your email address will not be published. Required fields are marked *