How to remove or blog prefix in Wordpress - wordpress

I've run my WordPress website for a long time, and recently got hacked. I cleaned everything I could find and started new.
In Wordfence logs I found that someone tried to log in from blog.mywebsite.pl. I figured out that is from my webp. I realized that "blog." prefix is created automatically after wp installation. This "blog." prefix runs as http, so I could get hacked from there. I want to harden my WordPress so I need to know how to block this.
I Googled the issue, but couldn't find any answers. Can someone provide info/links on how to block or remove this blog prefix in my domain/website name?

Related

My wordpress website being hacked with code eval($_SERVER['HTTP_81DB2B3']

I have a problem with my website. I got information from Wordfence about my WordPress website getting hacked
and found the code eval($_SERVER['HTTP_81DB2B3'], so I removed it, but within a few seconds the code comes back. Someone, please help me.
I had something very similar to this. Go to your cPanel and search for "Cron Jobs" and scroll down to see if there are any malicious cron jobs set up. You might have some that look like eval(gzinflate(base64_decode(.... that are essentially causing this to reoccur. Not a complete fix to this issue, but you'll have to delete those cron jobs to ensure that that line of code doesn't keep reappearing. In addition to that, you'll also need to make sure those cron jobs don't show up again. Use a plugin like Wordfence (suggested above as well) to look for malicious files and, if it helps, replace your home directory (except for wp-content and wp-config) with fresh files.
If your website got hacked, then I guess more than one file was affected by it.
Case 1: If you are able to access the WordPress backend, then I suggest you:
Step 1: Add a plugin called Wordfence Security – Firewall & Malware Scan and scan your website with it.
Step 2: After scanning the site, remove all suspicious code from the site.
Case 2: If you are not able to access the WordPress backend, then you have to update your WordPress manually with the hosting file manager or FTP.
Please note: take a backup of your website before making any changes.
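The cron job check described in the first answer, as an added example that is not part of the original posts: it flags active crontab entries and PHP files containing the constructs quoted in this thread. The function names, the indicator regex and the sample crontab are constructed for illustration; hits are leads to compare against a clean copy, not verdicts.

```shell
# Indicators quoted in this thread: eval(), gzinflate(), base64_decode(),
# and code read from an HTTP_* request header through $_SERVER.
IOC_RE='(eval|gzinflate|base64_decode)[[:space:]]*\(|\$_SERVER\[[^]]*HTTP_'

# Read a crontab on stdin and print "lineno:entry" for each active
# (non-comment) entry that matches an indicator.
# Real use: crontab -l | suspicious_cron_lines
suspicious_cron_lines() {
  grep -nE "$IOC_RE" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# List PHP files under directory $1 that contain an indicator.
# Legitimate code can match too, so review each hit before deleting.
suspicious_php_files() {
  grep -rlE --include='*.php' "$IOC_RE" "$1" 2>/dev/null | sort || true
}

# Constructed sample crontab; the payload is replaced by a placeholder.
sample_crontab() {
  cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/php /home/user/public_html/wp-cron.php
*/5 * * * * php -r 'eval(gzinflate(base64_decode("PLACEHOLDER")));'
# */5 * * * * php -r 'eval(base64_decode("OLD"));'
EOF
}

sample_crontab | suspicious_cron_lines
```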

Wordpress site hacked -- redirects to another site [closed]

My Wordpress site has been hacked. Links on the site have been changed to take users to the hacker's site at storage.piterreceiver.ga. This site, in turn, redirects to other sites which my browser flags as dangerous.
Has anyone else had this happen? How can I restore my site and prevent a reoccurrence?
We discovered the behaviour on several of our sites as well; the culprit seems to be the DSGVO Plugin offered by legalweb.io.
The plugin developer has been informed and the best solution was to clean the _options from the malware code and disable the plugin.
Thanks to #Jesmond Darmanin I found the solution to fix that. He described deleting all occurrences of "piterreceiver" in the database.
You can do that in this way:
Connect to your wordpress instance with SSH
Go to your wordpress directory
Execute wp db search --all-tables piterreceiver
Execute wp db query <<< "delete from <table> where <id> = 123456"
Be careful, this is the "crowbar" method. Only do that when you are absolutely sure that the returned value is not needed anymore (which was the case in my installation < lucky guy).
I found the same on one of my sites and could not identify any malware in the files, however, the "site URL" and "home" in "_options" table was altered and I suspect a SQL injection to have been the culprit here.
None of my malware tools could identify anything at the filesystem level so it appears to be some sort of 0day exploit as I cannot find anything similar. I've ensured that everything is updated and will monitor my site further, but a starting point would be to determine if there are any outdated plugins or themes that may suffer from a vulnerability and if yes then a more difficult task would be to identify which. I am looking through my logs now and will update this thread if I find anything.
We found this script in the WP DSGVO Tools (GDPR) Plugin by legalweb and in the Rewrite rules by YOAST SEO. But not all systems with these plugins are corrupted.
Affected are mainly pages that have been updated in the last few days.
A backup of the database is sufficient. Nevertheless, it should be determined how the intervention in the page came about.
We saw the same behaviour on our sites and I can confirm the DSGVO plugin is the culprit. Somehow the Matomo/Google Analytics tracking codes were overwritten with the malicious redirect.
I just talked to legalweb and they confirmed that this is the underlying issue - they are working on an update but didn't want to share how the attack was performed. Disabling the plugin and looking for the redirect url in the database solved the issue.
I had the same problem on my wp-website.
No files (.php et al) have been affected (as far as I can see so far), but I found obfuscated code in the database (wp)_options in "sp_dsgvo_legal_web_texts".
That points to the plugin "WP DSGVO TOOLS (GDPR)".
Since no login was possible anymore, I deleted the plugin subfolder shapepress-dsgvo via sftp on the server in the plugins directory.
Then i deleted manually every record in the database table:
DELETE FROM wp_options WHERE option_name LIKE 'sp_dsgvo%'
(maybe you have to change the table-prefix wp_ to your needs)
The Official WordPress Plugin-Directory has blocked this plugin on 20.09.21, but that doesn't affect your installation, so you have to clean it manually.
Keep in mind to find some other GDPR Tool, but for now we are happy to have a website that's online again.
After all, I found the best solution. Please follow these steps:
Rename the wp-content folder.
Create a new wp-content folder (don't forget about permissions for this folder).
Install a WP security plugin like Wordfence; it's recommended, but you can install whatever you want.
Scan the whole website and directories with this plugin for malware.
For more insurance you can search the database with mysqldump -uUSER -pPASSWORD database --extended-insert=FALSE | grep pattern
Change or delete the records found from step 4, (in my case the problem was in the wp_options table and siteurl and home had been changed).
Install a clean and fresh version of your template.
Copy old uploads folder from old wp-content to the new one.
And that's it, your website will be alive again.
I just want to say thank you to #David Koenig and #Ralph Rathmann. Your replies were really helpful.
And thanks to the others for their replies and guides.
I recommend overwriting affected files with the files from a clean/original WordPress (be sure you are using the same version of WP).
I have just managed to restore a website that was affected by this. My fix was to search the database for storage.piterreceiver.ga and, when found, replace it with the actual site's URL. I found two entries that needed to be amended. Once that was done, I was able to get back in to WordPress as usual.
As already mentioned, the problem is about the plugin WP DSGVO Tools (GDPR) and in our case, the database entry could also be deleted in the backend, by navigating to /wp-admin/admin.php?page=sp-dsgvo&tab=statistic-integrations > Matomo > Use Matomo (off) or removing the content from the field "Matomo code".
I scanned my wp-website with sucuri.net and had some high risk malware alert. When I tried to enter my site it directed me to this 'storage.piterreceiver.ga' and '0.johncarlsberg.best' (also with 1,2 etc. as prefix).
Because I also wasn't able to restore my updraftBackup, because I got some authentication errors, I tried uninstalling Plugins and updating everything.
-> For me it fixed the site by uninstalling WP DSGVO Tools (GDPR) Plugin.
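The database search several answers describe (wp db search, mysqldump piped to grep, the altered siteurl and home rows), as an added example that is not part of the original posts: it reports which table and which option holds the indicator, so each record can be reviewed before it is deleted. It assumes a dump made with mysqldump's --extended-insert=FALSE (one INSERT per row); the function names and sample rows are constructed.

```shell
# Real use:
#   mysqldump -uUSER -pPASSWORD database --extended-insert=FALSE | rows_matching piterreceiver

# For each dumped row containing the literal string $1, print "table<TAB>key".
# key is the row's second column when it is a string (option_name in
# wp_options), otherwise "-". Assumes keys contain no quote characters.
rows_matching() {
  awk -v ioc="$1" -v q="'" '
    BEGIN { keyre = "VALUES \\([0-9]+," q "[^" q "]*" q }
    index($0, ioc) && match($0, /^INSERT INTO `[^`]+`/) {
      table = substr($0, RSTART + 13, RLENGTH - 14)
      key = "-"
      if (match($0, keyre)) { split(substr($0, RSTART, RLENGTH), f, q); key = f[2] }
      print table "\t" key
    }'
}

# Print "option<TAB>value" for siteurl/home rows whose value differs from
# the URL the site is supposed to have ($1).
altered_site_options() {
  awk -v want="$1" -v q="'" '
    BEGIN { re = "VALUES \\([0-9]+," q "(siteurl|home)" q "," q "[^" q "]*" q }
    match($0, re) {
      split(substr($0, RSTART, RLENGTH), f, q)
      if (f[4] != want) print f[2] "\t" f[4]
    }'
}

# Constructed sample dump rows; the injected content is a placeholder.
sample_dump() {
  cat <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://storage.piterreceiver.ga/x','yes');
INSERT INTO `wp_options` VALUES (2,'home','https://www.example.org','yes');
INSERT INTO `wp_options` VALUES (731,'sp_dsgvo_legal_web_texts','PLACEHOLDER storage.piterreceiver.ga PLACEHOLDER','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2021-09-01 10:00:00','Hello world');
EOF
}

sample_dump | rows_matching piterreceiver
sample_dump | altered_site_options https://www.example.org
```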

Wordpress Dashboard broken, displays “flashbacks” of comments/plugins/updates

I’m using the latest version of Wordpress (4.7.4).
I have something very weird going on in my Dashboard. Not sure when this started.
Can’t say for sure it started with the latest version of Wordpress or not.
My Dashboard became completely useless.
It’s like it’s showing me a flashback of a Dashboard from a few days or hours ago:
Comments I’ve deleted in the Dashboard (hitting “trash”) are suddenly back there, awaiting my moderation.
Plugins I’ve deactivated or even deleted are all back there and according to Dashboard still running (while in my FTP folder they’re certainly gone).
The plugin page cannot be trusted anymore as it shows some plugins are activated that aren’t and vice versa. I have to check on my actual website to confirm which ones are running.
Updates aren’t shown correctly. Once I’ve updated a plugin, a few minutes later it shows me again that there’s a new update.
As you can tell it’s all pretty much the same phenomenon.
It’s as if I’m seeing an older version of my Dashboard.
Not sure what else is broken.
The only other thing I noticed is that even on my actual blog I still see a comment. Blog post says “1 comment”, but the actual comment doesn’t show up.
At first, this all sounds like a “cache problem”.
But I’ve already turned off all caching:
No caching plugin installed
Turned off server caching via htaccess
Disabled leverage browser caching
Emptied my own browser cache
Other things I tested:
Turn off all plugins.
Switch to the standard Wordpress theme “Twenty Twelve”
I tried WP_DEBUG, but nothing related shows up.
I researched the internet, but nobody has described a similar problem, so I suppose this is not a common Wordpress issue.
The issue remains.
Unfortunately I’m not a developer and don’t know too much about the Wordpress codex etc.
But to me it sounds that the mistake is definitely not in the plugin or theme folder.
The problem is that I’ve reached the point where I really cannot turn off plugins via Dashboard properly anymore. It’s so annoying!
My questions are:
Is it safe to assume that this is related to the Wordpress core files?
What files exactly are in “charge of” the Dashboard?
Should I just try to re-download the newest Wordpress version and replace a few files (if so which ones)?
Should I do a clean Wordpress re-install or would that be too drastic?
Any other suggestions?
EDIT:
Additionally I tried now:
I manually downloaded the newest version of Wordpress and did just as described on the Wordpress.org website. I manually replaced wp-admin, wp-include folders and all root files. The issue remains...
The way my Dashboard is right now, I really can’t use it.
Please advise!
I contacted my host service again.
They just gave me the same line to insert into my .htaccess file and I told them I already tried it and it didn't work.
I then showed them my .htaccess file and they deleted the whole part that concerned their server caching.
Now server caching is completely off and everything works again.
Still not sure why this previously never caused issues.
In the end, it had nothing to do with Wordpress.
I hope this answer will help people who run into similar problems.

Broken Wordpress Admin

I have a client who has asked me to start working on their Wordpress site. The admin page is broken and I do not have access to the database yet (I am trying to track down the previous people who worked on it). It is quite messy, I know.
What I am doing now is migrating pieces over to a new wordpress site using Wamp server just to get it functional, but I am wondering if the solution is simpler than that. Ideally, I would just fix the login, but I have minimal Wordpress experience and don't know where to start.
Here is the website: http://fundafighter.com
If you go to http://fundafighter.com/wp-admin you'll notice that it is broken. It reroutes to "login-2", which I don't think is normal. So far I haven't found any folder with that title...
I would log into the site via FTP, check the wp-config.php file for any redirects for wp-login.php. Then, check the .htaccess file for the same. Remove any references.
If you get that page working, and you need to reset the password, I would follow this tutorial through phpMyAdmin:
https://codex.wordpress.org/Resetting_Your_Password#Through_phpMyAdmin

Posts disappearing and reappearing on wordpress

I have a wordpress site which is acting strange lately. It seems like the database is spontaneously rolling back a few hours from time to time. I have noticed it happen at least four times.
When I updated to wordpress 3.5, after a short time, maybe 30-60 minutes I noticed the nag to upgrade was back. I ran the upgrade a second time, even though I was certain that I had already upgraded.
I added a new category and changed a widget on one of my sidebars, only to find that my changes were gone the next day and I had to redo them.
I added a post yesterday, linked to it in various places and then returned several hours later to find the post missing. I rewrote the post from memory and put it back on the site.
This morning when I went to the site, the original post was back and the one that I had recreated from memory was gone. The post's id number was the same as the previous day. I think there was also a draft post that disappeared and reappeared as well.
One last clue which may or may not be related is that when I go to a page on the blog that should generate a 404 message I get a single piece of text which says: "defaced by t3ll0" I noticed this recently, within the last few weeks. I'm not sure how long it has been like that.
I ran Sucuri Scanner, and it found no evidence of malware. Any suggestions of how to troubleshoot this? Could this be a problem with my database rather than wordpress?
UPDATE: It appears that the primary problem I was noticing was because of two versions of the site being up simultaneously. The DNS settings had not been updated to the new site. I'm still investigating if the site was hacked.
You got hacked. "defaced by t3ll0" is the clue. Someone has control of your site and your hosting account.
Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.
Change all passwords. Scan your own PC for spyware that may have grabbed your login and password.
http://sitecheck.sucuri.net/ is a good resource, but it scans for malware and not accounts that were hacked and are not being used to distribute malware or have spam links.
Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
You may not have applied security in a number of places.
1. File permissions, folder permissions.
2. Upload folder permissions.
3. Execute permissions.
Now, if you are not a developer how would you check for these vulnerabilities?
I suggest you take a backup of your DB (export it). Get rid of the existing WP core and reinstall it fresh.
Delete all plugins and install them all from fresh sources.
If you have used a custom theme then get the backed up version of it and delete the current one as there is a deface to it.
And you can check for a lot of vulnerabilities with plugins like this: http://wordpress.org/extend/plugins/better-wp-security/
Rename your administrator account. Harden your password. Remove write permission from .htaccess and wp-config.php file.
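One way to check the permission points listed in the last answer, as an added example that is not part of the original posts. The function names and the sample tree are constructed, and treating PHP files inside wp-content/uploads as a finding is an assumption about what "Execute permissions" is meant to cover.

```shell
# Print one finding per line for the WordPress tree at $1 (runs in a subshell).
audit_wp_perms() (
  cd "$1" || exit 1
  {
    # wp-config.php and .htaccess writable by group or others.
    find . -maxdepth 1 \( -name wp-config.php -o -name .htaccess \) \
      \( -perm -020 -o -perm -002 \) -exec echo "writable-config" {} \;
    # Any world-writable file or directory (symlink modes are not meaningful).
    find . ! -type l -perm -002 -exec echo "world-writable" {} \;
    # PHP inside uploads: assumes this directory should hold media only.
    if [ -d wp-content/uploads ]; then
      find wp-content/uploads -type f -name '*.php' -exec echo "php-in-uploads" {} \;
    fi
  } | sort
)

# Build a small constructed tree to audit and print its path.
make_sample_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/wp-content/uploads/2021"
  chmod 755 "$d/wp-content" "$d/wp-content/uploads/2021"
  : > "$d/wp-config.php"; chmod 664 "$d/wp-config.php"   # group-writable
  : > "$d/.htaccess";     chmod 444 "$d/.htaccess"       # read-only
  : > "$d/wp-content/uploads/2021/photo.jpg"
  : > "$d/wp-content/uploads/2021/cache.php"             # PHP among media
  chmod 644 "$d"/wp-content/uploads/2021/*
  chmod 777 "$d/wp-content/uploads"                      # world-writable
  echo "$d"
}

tree=$(make_sample_tree) && audit_wp_perms "$tree"
```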
