WordPress site impacted with redirect injection - wordpress

I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.
https://www.athleticclubhk.com/
Recently it got all our ads on Google stopped due to malicious content. Oddly, this time it's trickier than your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:
window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";
This is being injected on any link; however, upon investigating the loaded code with Inspect, it's not injecting it into the page.
I've tried to hunt down the theme, plugins, core files and found nothing!
I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme - the problem is still there. I can't find any hidden .htaccess file in the entire root directory.
I even used grep to try to look for anything fishy (any clues here that someone can help with?), nothing so far.
The site is still impacted with this, so you can easily load the link. I do use Malwarebytes to keep myself protected, in case you are opening this directly.
Can anyone help?

The redirection code is implanted in /wp-includes/js/wp-emoji-release.min.js.
How to confirm:
Watch the cookies when clicking an internal page: a new cookie is being set for tracking first clicks, named ht_rr.
Save the complete webpage locally and try to load it, then check in Chrome dev tools; you'll see that in the Console tab it complains about this JavaScript file attempting to set the aforementioned cookie.
While a temporary resolution of deleting the file will fix things for some time...
There's no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won't cut it security-wise. They exist for a "fast", not a "quality" setup, and of course it's never going to be secure.
The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you're using some nulled plugins or plugins from bad sources.
Once again, since the website was essentially "pwned", deleting the JavaScript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things up on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and looking for write errors to find infected PHP files.
Check out some guides on the matter of secure NGINX/PHP-FPM setup:
NGINX and PHP-FPM. What my permissions should be?
Best practice secure NGINX configuration for WordPress
NGINX Security Headers, the right way
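The two checks the answer above relies on, a core JavaScript file that was modified and a file that was writable when it should not have been, can be automated. The script below is an added example, not code from the original answer or from Bitnami: it scans a WordPress tree for JavaScript files that both set a cookie and redirect via window.location (a combination core files never contain), lists world-writable files, and compares the tree against a sha256 manifest taken from a known-good copy. The directory layout, the sample file contents and the example.invalid URL are constructed for the demo; on a real host you would point it at the web root and build the manifest from a fresh WordPress download of the same version.

```shell
#!/bin/sh
# Added example: detect the injection pattern described in the answer and
# the loose permissions that usually let it happen. Not the page's own code.

# Heuristic scan: a .js file that sets document.cookie AND performs a
# window.location redirect. Legitimate WordPress core JS does neither.
find_injected() {
    # $1 = directory to scan; prints one matching path per line
    grep -rlE --include='*.js' 'window\.location\.(replace|href)' "$1" 2>/dev/null \
      | while IFS= read -r f; do
            grep -q 'document\.cookie' "$f" && printf '%s\n' "$f"
        done
}

# Files anyone on the box can modify: these are the usual route by which a
# core file gets rewritten on a loosely configured stack.
find_world_writable() {
    # $1 = directory to scan
    find "$1" -type f -perm -o+w 2>/dev/null | sort
}

# Integrity check against a manifest in sha256sum format
# ("<sha256>  <path relative to root>"); prints the paths that differ.
verify_manifest() {
    # $1 = manifest file (absolute path), $2 = web root
    ( cd "$2" && sha256sum -c --quiet "$1" 2>&1 ) | sed -n 's/: FAILED.*//p'
}

# Builds a constructed tree for the demo: a clean wp-emoji-release.min.js,
# a manifest of it, then the same file "tampered" with a cookie+redirect
# payload and made world-writable. The payload text is made up.
make_demo() {
    # $1 = scratch directory
    js="$1/wp-includes/js/wp-emoji-release.min.js"
    mkdir -p "$1/wp-includes/js"
    printf '!function(){window._wpemojiSettings={}}();\n' > "$js"
    ( cd "$1" && sha256sum wp-includes/js/wp-emoji-release.min.js > "$1/manifest.sha256" )
    printf 'document.cookie="ht_rr=1";window.location.replace("https://example.invalid/");\n' >> "$js"
    chmod o+w "$js"
}

# Stand-alone run: build the demo tree and report on it.
demo_root=$(mktemp -d)
make_demo "$demo_root"
echo "Injected JS:";      find_injected "$demo_root"
echo "World-writable:";   find_world_writable "$demo_root"
echo "Manifest mismatch:"; verify_manifest "$demo_root/manifest.sha256" "$demo_root"
rm -rf "$demo_root"
```

The manifest approach is what `wp core verify-checksums` in WP-CLI does for core files using the checksums WordPress.org publishes; the script here shows the same idea with a local manifest so it runs offline. A file that passes the manifest check but is world-writable is still worth fixing: the permission, not the current content, is the finding.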

Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.
Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.

Disable plugins and check again.
Change the database username and password.
Ask the hosting manager to check the host.

Related

WP site keeps getting hacked for a cryptojacker - How to find the leak?

I've got a site that has been hacked for the fourth time now this month, with scripts hosted on autofaucet.org. (Sloppy code even, found their names. Some Russian dudes. But that's off topic.) I've taken some measures to prevent a new hack, but alas...
I've installed a clean WP installation on the server, with clean files and a clean DB.
reinstalled the plugins clean
I have the All In One WP Security & Firewall plugin for file scanning, firewall, hiding the login page, etc.
Changed all the wordpress passwords.
I've noticed the encoded code is being placed in files called assets.php.
I'm curious how a hacker would inject/place the code on the server. How to prevent it better and what questions to ask the webhost company. I've asked them before and they just say it's my fault, update the wp installation and move on. What should they check if the code is injected from their side?
Your log files (of the web server) e.g. /var/log/nginx/access.log with the nginx web server will tell you who it was. Look for the change date/time of the assets.php file. Then check server access logs for IP addresses from that exact time. Then search logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually Wordpress plugins are to blame as long as you keep the WP site updated. So, you could disable plugins not needed urgently, and disable the others one by one, or all for testing.
As a workaround, you can make the index.php (or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php which usually works (but may hinder updates, so it's a temporary solution). If you are not root on the server (shared hosting) perhaps chmod 444 filetobeattacked.php could work.
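The log-correlation steps in the answer above (take the modification time of assets.php, find the IPs active in the access log at that minute, then pull every request from those IPs so the first contact is visible) can be scripted. The block below is an added example, not code from the answer: it runs those steps over a constructed nginx combined-format access log embedded in the script. All IP addresses (RFC 5737 test ranges), timestamps, paths and user agents are made up, and the "modified minute" is a constant standing in for what `stat -c %y wp-content/uploads/assets.php` would give on the real host.

```shell
#!/bin/sh
# Added example: correlate a file's modification time with web-server
# access log entries. Sample log and timestamps are constructed.

# Constructed nginx "combined" log. In practice: /var/log/nginx/access.log
SAMPLE_LOG=$(cat <<'EOF'
198.51.100.7 - - [02/Mar/2024:14:03:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2024:14:04:58 +0000] "GET /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 311 "-" "python-requests/2.31"
203.0.113.5 - - [02/Mar/2024:14:05:02 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 47 "-" "python-requests/2.31"
198.51.100.7 - - [02/Mar/2024:14:05:20 +0000] "GET /about/ HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2024:14:05:31 +0000] "GET /wp-content/uploads/assets.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
EOF
)

# Step 1: the minute the file was modified, in nginx's dd/Mon/yyyy:HH:MM
# form. Constructed here; on the server derive it from stat(1).
MODIFIED_MINUTE='02/Mar/2024:14:05'

# Step 2: unique client IPs that sent any request during that minute.
# Field 4 of a combined log line is "[dd/Mon/yyyy:HH:MM:SS".
ips_at_minute() {
    # $1 = log text, $2 = minute prefix
    printf '%s\n' "$1" | awk -v m="[$2" 'index($4, m) == 1 { print $1 }' | sort -u
}

# Step 3: every request from one IP, in log order (oldest first), so the
# first contact, the likely entry point, is at the top.
requests_by_ip() {
    # $1 = log text, $2 = IP; prints "time method path"
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == ip { print substr($4, 2), substr($6, 2), $7 }'
}

first_request_by_ip() {
    requests_by_ip "$1" "$2" | head -n 1
}

# Stand-alone run over the sample log.
for ip in $(ips_at_minute "$SAMPLE_LOG" "$MODIFIED_MINUTE"); do
    echo "== $ip (first seen: $(first_request_by_ip "$SAMPLE_LOG" "$ip"))"
    requests_by_ip "$SAMPLE_LOG" "$ip"
done
```

In the sample, two IPs are active in the minute the file changed; only one of them touched a plugin upload script and then fetched assets.php itself, which is the kind of sequence that turns a timestamp into a lead. On a real server the log is rotated, so check the rotated copies for the same IP as well, and remember that the file's mtime can itself be altered by the intruder, so treat it as a starting point rather than proof.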
I had the same issue before. It might be the WordPress core files.
Delete all files except wp-content, then download and replace it with the new wordpress files.
Search for 'autofaucet.org' inside wp-content, and remove if necessary.
Open wp-content/themes/ then check functions.php; check if any additional code is there on top. Check the last updated files and times inside the theme and plugins.
Export the database and search for 'autofaucet.org', and remove any item found.

Why is the www version of website not working properly?

I'm facing a problem with the following website: https://www.rhythmandstrums.ie/
When I open the "www" version of it: https://www.rhythmandstrums.ie/ I get a bugged website, failing to open stylesheets and possibly other file sources, whereas if I open the website without the "www", everything works as expected: https://rhythmandstrums.ie/
Some considerations:
This website is hosted in a Wordpress Multisite, so it shares the same configuration files as other websites, none of the other websites have this issue. So I was wondering if this could be a problem with redirection, although, again, none of the other websites have this problem and they share the same config files (including server block settings and such, it is in nginx).
I have checked the DNS values and nameservers and everything looks fine (I took base from all the other websites that were set up in the same way, I can post a screenshot if it might be of help).
This error also seems to happen in the Wordpress backend, with the admin dashboard not being able to load parts of plugins, it seems like it is looking where it doesn't exist.
I have replaced instances of the www version of the url in the database, as I do with other websites as well, but that didn't seem to fix the issue.
I have cleared cache a few times (both in the cache plugin and manually in the nginx server, manually deleting the contents of the cache folder), and since this has been going on for a long time, I don't know if this is cache related, but any suggestion is highly appreciated. Again, all the configs, including the cache plugin settings, are the same for all the other websites in the network, none of which are having this issue.
If I inspect the console when I'm accessing both versions of the website, www and non-www it seems like it's trying to pull information from different locations, but I can't figure out why it's doing that.
Guys, I hope this was not confusing, but let me know if you would like to see screenshots or other info that might be relevant. Thanks so much in advance, I really appreciate it.

cPanel - send 404 to a php page?

I have an issue in a WordPress site on Hostgator where the htaccess file keeps disappearing. Before you get all, "Check your plugins, dummy" I have the same install of this site running on a completely separate Hostgator account and it's running fine. Furthermore, I have a local instance which, again, is running fine. So if it was a plugin, the issue would be replicated on the other instances, but it's not.
My suspicion is someone who has access to the hosting account is tampering with it. While that sounds paranoid, I can't rule anything out because htaccess files don't just delete themselves.
The bandaid fix has been to just reset permalinks once the site goes down. Annoying, but simple. What might be even neat would be to set my server 404 page to a php script that, when accessed, hits an endpoint I set up in WordPress to programmatically flush the rewrite rules, thus restoring the htaccess page, and then the 404 tries to forward them on again. However, the suggestions on how to do this say putting the error page definitions in the htaccess page. Which doesn't do me much good if the htaccess page is being deleted.
How stupid is this idea? Please let me know in comments.
I'm open to other solutions, but I'm waiting on my hosting support to figure out how the file is being deleted, because I suspect others with the account info of tampering.

Gateway Anti-Virus Alert - WP

As you can see from the image above, I am experiencing some sort of error message but I have no idea what it means.
I am using WordPress 4.1 with a default theme. Every time I try to add a menu to the menu structure I get the following message:
Gateway Anti-Virus Alert
This request is blocked by the Firewall Gateway Anti-Virus
Service. Name: Mailer.S (Trojan)
Things that i have already tried:
Using different theme
Installing and re-installing wordpress
Delete everything and start from beginning
And none of this works!
Please help me.
Thank you
You probably got infected with malware, and a service running on your hosting is blocking some malicious code. At best you can contact your hosting provider and ask them how to resolve it. Malware on a WordPress site is pretty common due to outdated plugins or themes, or insecure rights on folders and files.
It's pretty hard to get rid of; you have to search through every file to check for malicious code and check every folder for files that shouldn't be there.

Cannot see changes in Wordpress in FTP client and vice versa

I am having some problems with Wordpress 3.7. I think they may be related and have something to do with a file ownership/rights issue but I am completely stuck.
I am using the default theme and I have uploaded a new header image several times through the WP admin interface. Now that I am happy with the image, I want to delete the old images. Firebug tells me they are in [my wp root]/wp-content/uploads/2014/01. However, in my FTP client, this directory is not visible. I only see [my wp root]/wp-content/uploads/2013.
When I log into the Wordpress admin interface, it tells me I should upgrade to 3.8. When I tell it to go ahead and give it my FTP credentials, it begins but gets stuck at "Verifying the unpacked files…". I get no error messages and when I give up and leave the page, there are no reports about a failed update. It just keeps showing me the "please update" message.
I am using the default theme and want to change style.css. I cannot do this in the theme editor; it tells me I have to make the file writable first, even after I give all the theme files 777 access in my FTP client (which probably is not a good idea). If I edit the file offline instead and then upload it via FTP, this doesn't have any effect. I can even delete the entire file and still nothing changes at the frontend.
I have tried to create a child theme through the FTP client but it does not show up in the WP backend.
The site is on a shared hosting platform. I can't find the details at the moment but it's a fairly regular setup (Linux, Apache, MySQL). I am testing in Firefox and caching is turned off. If I log out, and log back in again: same problems.
It is almost as if I am FTP-ing to the wrong computer, but I am really not. What am I missing?
Problem solved. I finally asked my hosting provider and as it turns out they had adjusted a few settings, making them too restrictive.