Fixing “HACKED+BY+CELLATREIS” message on WordPress

There are many out there hacking into WordPress sites and defacing them. This post seeks to help anyone who’s got the “HACKED+BY+CELLATREIS” or similar message.

This one is simply encoded text in the wp_options table of the database.

To check this is the cause:

  • 1. Goto the wp-options tables in your WordPress database
  • 2. Find the row where the “option_name” column is “widget_text”
  • 3. Copy the “option_value” if it looks like a load of jumbled up characters (e.g. Below for the “HACKED BY CELLATREIS” defacement)

  • document.documentElement.innerHTML = unescape(''%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53%0d%0a%48%41%43%4b%45%44%20%42%59%20%43%45%4c%4c%41%54%52%45%49%53'');

  • 4. If the value contains “unescape”… Goto a site that offers to “unescape” text online (e.g. http://scriptasylum.com/tutorials/encode-decode.html)
  • 5. See what the unescaped code looks like. In the case of the “HACKED BY CELLATREIS” defacement, it will look like the below.

  • document.documentElement.innerHTML = unescape(''HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS
    HACKED BY CELLATREIS'');

  • 6. If the unescaped text looks like the dafacement. Simply delete the option_value, or entire row of the table. This should remove the defacement.
  • Note: If your site has been defaced, it is possible that your password and/or salt have been compromised. Change them as soon as possible to protect your site from further defacement/breaches.

James

James

I'm passionate about technology, and particularly helping people make the most of it. I've spent the last 30 years helping others make the most of technology. My career started in IBM, but I choose to move into smaller business environments, to use a breadth of skills, and help businesses step change their IT services. My skills range from user based technology, through business systems (applications) to infrastructure. I also have a long background in IT security. I focus on what I consider to be "productivity technology", i.e. adding genuine value to peoples lives. I'm not a big gamer, and don't hold much interest in what I consider to be disposable consumer technologies. During the day, you'll find me consulting with businesses or heading up an IT department. At the weekend, you'll find me sat at my Linux PC, writing PHP or Python code, or trying to help others on Twitter, this blog, or my YouTube channel: Artexic.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.