Okey, let me guess: you’re here thanks to Google? :-) You used it after finding how your website was upgraded with text ”Hacked By BALA SNIPER”, that being sprinkled all over the place. Here are my observations about what Bala Sniper does: a) the hacker will crappify your WordPress-powered website’s site name and slogan, b) he will also change the encoding for page and feeds to UTF-7, c) the hacker also removes content from your Widgets, d) there will also be a new widget, an ordinary text box, with JavaScript inside it. The JavaScript has some kind of encrypted or encoded message, which according to DDecode.com has this familiar message: ”Hacked by BALA SNIPER”. That new widget area might be disabled, but it’s there somewhere. So far this is all I’ve found, but of course it’s possible the hacker has done something more. I’ll try to update this blog post if new information comes to light.
27 December 2016: It’s possible that this Bala Sniper is actually a hacker team from Kurdistan, whose aim is to — somehow — work towards independent Kurdistan state.
29 December 2016: Looks like many hacked sites had newest WP version installed. Many hacked sites are from Sweden, Finland, Germany.
