Several of my websites were hacked yesterday.

The site would load and display for a moment and then the entire window would show white with the text “By Iskorpitx“. Because the site loaded, I knew that it was something within the core of WordPress itself or a plugin or a theme which has been hacked which causes this.

It took me quite some time and I just discovered the issue now. At first I switched the theme, deactivated all plugins and started digging through code but I couldn’t exactly find what was causing this. Eventually I realized that there had to be a SQL injection of some sort and that the issue was in the database itself.

And so it was. There was Javascript injected into the database which actually left the page of the website in the background, creating a white overlay with CSS which showed the “By Iskorpitx” text. The Javascript was injected as a WordPress widget into the sidebar of the site. So just go to Appearance > Widgets and then delete the text widget which was created with the Javascript that is raw encoded. In addition to that, the bad news is that all other widgets are gone since the widgets option value has been completely overwritten in the database with which I assume to be an UPDATE query.

I assume that the hacking by Iskorpitx will be different each time depending on the exploitations he finds in the software. Based on my research, the discussions are mostly related to WordPress and Joomla which are being targeted.

Apparently this infamous Turkish hacker broke a world record in 2010.

Good thing we also have constant, continuous backups running on the server to a remote server in case a site has been hacked and cannot be fixed quickly like this.

Good luck to you and I hope this article will be useful to any other victims struggling to find the source of the hack.