I noticed that on a wordpress site I'm going to take over the following scripts are found on multiple pages:
When the page is displayed here is what I see:
This seems incredibly scammy, does anyone know what this is?
I am going to delete all of those and restrict access to the website in the meantime
Thank you
One of two things likely happened. Either you are serving flash and have a really old version on your computer - OR - your website has been compromised and injected with some sort of malware.
Are the unusual scripts showing up in the content or the theme files? If they are showing up on the content, that means someone has added these scripts to the database, and it will require a bit of cleanup (or a restore to a previous version). If the scripts are showing up in actual .php files, then someone has gained access to the file system on the server.
You should re-install WordPress entirely to ensure all core files are clean, and then go through plugins and themes to ensure all malicious code has been removed.
Also, it would be good to find out how this happened, to attempt to stop it from happening again.
Related
I have a real problem on my cpanel I do not understand all my sites and my applications have not worked since this morning, try to restore without success I have tried everything, I am afraid to watch help me.
when I check the files of my site and application there are unknown files that create themselves all the time even when I delete completely when I update it comes back alone and it affects the operation of my site and application
I don't know if I was really hacked, or if it's an extension problem, or it's a quota or php problem but nothing's going well here are some images of the unknown folders, I've already written to support they say they will delete the hosting and create a new one when I can't afford it right now
According to your screenshot, you have really messed up your WordPress Core. Firstly, fix your .htaccess and 'delete the folders'. Additionally, you can always reinstall WordPress Core to fix any problems that might have happened from a Malware action.
However, there has been a rise in WordPress Database Malware as well, so you might wanna look in that as well.
I have seen lots of critical errors on my WordPress website. I attached a screenshot below that shows some of these issues. Please look at this and provide some suggestions so that I can fix this problem.
Thank you so much.
Depends how badly broken your site has become.
What is it doing to make you think it's been hacked? Is it just the warnings in the Wordfence scan report?
Before going much further you should for sure grab a backup of your database, wp-config.php, and the contents of the directories wp-content/themes, wp-content/uploads, and wp-content/plugins. Might be a good idea to make a separate backup of the entire WordPress installation directory.
Since you can still access the administration panel, might as well change your password just to be safe. Are there multiple users for your WP installation?
What changes have been made if you click "Details" button in the Wordfence scan?
If you're sure changes to the wp-core files are due to a hack, you can try to repair them using Wordfence's repair feature--it'll restore them to their base WordPress version. But if significant differences are showing for dozens of core files, might be a good idea start over with a clean installation of WordPress.
You'll also want to track down what allowed these malicious changes to be made (has an unknown IP logged into your administration panel recently? Are you using a plugin with a known security issue?), or it'll just happen again.
I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.
https://www.athleticclubhk.com/
Recently it got all our ads on Google stopped due to malicious content. Oddly this time, its trickier then your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:
window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";
This is being injected on any link, however, upon investigating the loaded code on inspect its not injecting it into the page.
I've tried to hunt down the theme, plugins, core files and found nothing!
I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme - the problem is still there. I can't find any hidden .htaccess file in the entire root directory.
I even used GREP to try to look for anything fishy (any clues here that someone can help with?) nothing so far.
The site is still impacted with this so you can easily load the link ~ i do use malwarebytes to keep myself protected, incase you are opening this directly.
Can anyone help?
The redirection code is implanted to /wp-includes/js/wp-emoji-release.min.js.
How to confirm:
watch the cookies when clicking internal page, a new cookie is being set for tracking first clicks, named ht_rr
save complete webpage locally and try to load it, and check in Chrome dev tools, you'll see that in Console tab it complains about this Javascript file attempting to set the aforementioned cookie
While a temporary resolution of deleting the file will fix things for some time...
There's no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won't cut it security-wise. They exist for "fast", but no "quality" setup, and of course, it's never going to be secure.
The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you're using some nulled plugins or plugins from bad sources.
Once again, since the website was essentially "pwned", deleting the Javascript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and look for write errors to look for infected PHP files.
Check out some guides on the matter of secure NGINX/PHP-FPM setup:
NGINX and PHP-FPM. What my permissions should be?
Best practice secure NGINX configuration for WordPress
NGINX Security Headers, the right way
Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.
Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.
Disable plugins and check again.
Change the database username and password.
Ask the hosting manager to check the host.
Hi the website of a friend was hacked.
Many files have gotten code injections. His programmer deleted all these.
Now the situation is, that the site (wordpress with shop plugin) is still running realy slow sometimes. Sometimes it goes fast.
Now after searching the web for: "troubleshooting code injections", "find code injections" and stuff like that, I have no idea to troubleshoot the problem, because his programmer has no local backup and changed all files so I cant look for recently changed files at all.
What would be the way of choice to get the problem?
Possible Solution or Suggestions:
Use these very famous virus scanning and detecting website
By using above site you will come to know if virus still exist or not.
Suggestions:
As you said you are using wordpress so it will be very easy to detect virus.how?
Use following security plugins for scanning core files.
All In One WP Security & Firewall
wordfence
Lastly
To hacker's or malware lives in follow important files of wordpress
Check all theme files specially
header.php
footer.php
index.php ( mostly infected )
also do a upgrade of wordpress so it will make sure that core files are not modified.
thanks
hope it helps
I got a problem that's driving me up the wall: I made a Wordpress Blog, using the Gantry framework for layout en several different widgets and plugins. Everything works fine in FF, Safari, and Chrome, but trying to open the site with IE 8 the browser crashes or in the best cases I get a message that the tab has been closed and reopened due to an error; after which the site is loaded fine. I try finding out what happens during the opening of the page, but the debug panel of IE doesn't point out any error!
Does anybody have clue on what the problem might be?
The website is: http://www.danielevecchiotti.it/
I suffered from the same attack today, so I investigated a bit:
That injection is done through the hole in one of the plugins, most likely through the outdated contact-form-7 plugin. Check if you have this folder in your wp-content/plugins directory - even if it is not activated in Wordpress, the very presence of it there is a potential security threat as the attacker can use the direct URL of the plugin faulty file to access it.
(source: http://wewatchyourwebsite.com/wordpress/2011/11/wordpress-websites-infected-through-outdated-contact-form-7-plugin)
Patching the hole: if you use this plugin, update it to the latest version which is not vulnerable. If you don't use it and just keep it deactivated (like I did), you can remove it at all.
It is also a good idea to prevent people from accessing your plugins directly. You can create a wp-content/plugins/.htaccess with the following content:
<Files *.php>
deny from all
</Files>
This might not work with every configuration, but usually plugins are only accessed in the code, not with HTTP calls so that shouldn't do harm to visitors' experience.
Restoring your site: If you don't have backup of your *.php files to restore them all from by overwriting your current ones, you need to search for every file containing the string specific to the malicious code, e.g. "eva1fYlbakBcVSir". Then you need to edit all those files - for every file, remove a long line from it's end.
Or if you're proficient with command line and, say, perl, you can build a regular expression to do the work for you.
What was the purpose of the attack? Obviously there were links to some Java plugin added to your site's pages by those code snippets. The plugin added is believed to be the following: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278
However, I didn't manage yet to decipher the injected code fully - it's very well messed up and the reverse engineering is hard. So I can't tell for sure that apart from showing that Java plugin to visitors the exploit was doing nothing like reading users' passwords or removing some files (unlikely, but possible).
I can't find any information about that as well, looks like nobody traced the consequences fully yet.
Please share if you know more.
I finally found the problem: the site has been HACKED!
I noticed the index.php and wp-blog-header.php files modified on a strange date and time. Downloading the two files I found they had been compromised: a whole section of unreadable code had been added. Uploading the original PHP files the above problem was solved.