How to search in files for signs of a code injection - WordPress

Hi, the website of a friend was hacked.
Many files had code injected. His programmer deleted all of it.
Now the situation is that the site (WordPress with a shop plugin) is still running really slowly sometimes. Sometimes it goes fast.
After searching the web for "troubleshooting code injections", "find code injections" and the like, I have no idea how to troubleshoot the problem, because his programmer has no local backup and changed all files, so I can't look for recently changed files at all.
What would be the way of choice to find the problem?

Possible Solution or Suggestions:
Use these very famous virus scanning and detecting websites.
By using the above sites you will come to know whether the virus still exists or not.
Suggestions:
As you said you are using WordPress, it will be very easy to detect the virus. How?
Use the following security plugins for scanning core files:
All In One WP Security & Firewall
Wordfence
Lastly
Hackers' code or malware lives in the following important files of WordPress.
Check all theme files, especially:
header.php
footer.php
index.php (mostly infected)
Also do an upgrade of WordPress, so it will make sure that core files are not modified.
Thanks,
hope it helps

Related

Wordpress core file changed

I get an alert from Wordfence that one of the WordPress core files has changed. It's about wp-login.php.
Some lines about cookies were #commented since the 23rd. See image.
I asked my hoster whether they did it, because I have a running support ticket about WooCommerce, Varnish and cookies with them.
But they say they don't know.
Now I'm wondering: are there plugins that edit core files? And what is the #commented code about?
So that I have a better understanding of where I'm standing in this situation. I don't think I'm hacked. But any advice would be helpful.
[screenshot: Wordfence file comparison of the changed wp-login.php]

Wordpress - Scammy script appears on some pages

I noticed that on a WordPress site I'm going to take over, the following scripts are found on multiple pages:
When the page is displayed here is what I see:
This seems incredibly scammy, does anyone know what this is?
I am going to delete all of those and restrict access to the website in the meantime
Thank you
One of two things likely happened. Either you are serving flash and have a really old version on your computer - OR - your website has been compromised and injected with some sort of malware.
Are the unusual scripts showing up in the content or the theme files? If they are showing up on the content, that means someone has added these scripts to the database, and it will require a bit of cleanup (or a restore to a previous version). If the scripts are showing up in actual .php files, then someone has gained access to the file system on the server.
You should re-install WordPress entirely to ensure all core files are clean, and then go through plugins and themes to ensure all malicious code has been removed.
Also, it would be good to find out how this happened, to attempt to stop it from happening again.

Meta Description Shows Spam

I have website (thebyandby.com) that got hacked several weeks ago. The problem is, the description on Google is showing a spam description for viagra and one the most popular posts (when linked to from Google) goes to a spam website.
The site is a WordPress website, so I reinstalled the theme and made sure everything was updated. There are only two plugins installed, Akismet and Google Analytics. I don't think the plugins could be affected, but I am not sure. The problem was still there, so I checked when Google last indexed my site and it was after I had reinstalled my theme. I checked for malware from Google Webmaster and it said it didn't find any malware. I ran grep -r "viagra" on my entire web directory and nothing was found. I really don't know what else to do. Could this be a database problem?
Yes, it could well be that you have content in the database which is compromised. After all, that's where all the pages and posts are stored. Does your hosting company provide a tool like phpMyAdmin for browsing and editing the database?
But equally, if you have only reinstalled the theme then there are a lot more core WordPress files that could have been compromised by the hacker. Given that you are having problems, it would be well worth doing a complete reinstall of the WordPress files. Just make sure you keep a copy of your wp-config file, as you will need to copy that back. Also make sure you reinstall the same version of WordPress that you currently have.
But you know what: It may save you time in the long-run to just export all your posts and pages from within WordPress and then wipe the hacked site completely and install the whole thing from scratch. You can open the export file in any decent editor and once you've got your head around the XML structure, you can delete any rubbish that the hacker put there. I guess this option depends on how much content you had already put up on the site and how readily you could reconfigure the new site to match the old one.
Of course, if you have a full file and database backup from before the hacker got there, then you have an easy option that avoids all this grief ;-)
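Added example, not part of the thread: a POSIX shell scan of a mysqldump export for the kinds of injected content the answer above says may be sitting in the posts and options tables. The dump rows are constructed, and the indicator list is an assumption to extend for your own site.

```sh
#!/bin/sh
# Added example: scan a mysqldump export of a WordPress database for content an
# attacker typically plants in posts and options. The dump is a constructed
# sample; a real one comes from: mysqldump -u USER -p DBNAME > wp-dump.sql
set -eu

# Indicator list (an assumption, extend it for your site): off-site script tags,
# PHP obfuscation helpers, hidden spam blocks, and the spam keyword from the post.
SUSPECT_RE='<script[^>]*src=|eval\(|base64_decode|display:none|viagra'

# Print "line N in table T" for every dump line matching the indicators.
# Case-insensitive, because injected markup is often mixed case.
scan_dump() {
    grep -inE "$SUSPECT_RE" "$1" \
      | sed -E 's/^([0-9]+):INSERT INTO `([a-z_]+)`.*/line \1 in table \2/'
}

# Number of suspect rows in a dump (used by the checks below).
suspect_count() {
    scan_dump "$1" | wc -l | tr -d ' '
}

# Constructed sample: two clean rows and three injected ones.
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to my blog.</p>');
INSERT INTO `wp_posts` VALUES (2,'About','<p>Contact me.</p><div style="display:none"><a href="http://spam.example/">buy viagra</a></div>');
INSERT INTO `wp_posts` VALUES (3,'Recipes','<p>Soup.</p><script src="http://evil.example/x.js"></script>');
INSERT INTO `wp_options` VALUES (90,'blogname','My Blog','yes');
INSERT INTO `wp_options` VALUES (91,'widget_text','<?php eval(base64_decode("...")); ?>','yes');
EOF
}

# Stand-alone run: write the sample, scan it, clean up.
if [ "${1:-}" = "--demo" ]; then
    tmp="${TMPDIR:-/tmp}/wp-dump-sample.$$.sql"
    make_sample_dump "$tmp"
    scan_dump "$tmp"
    rm -f "$tmp"
fi
```

Each reported line number can then be opened in the dump (or the row looked up in phpMyAdmin) to remove the injected markup before re-importing.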

Wordpress Security Malicious Software

My WordPress has been working fine (it is updated), and then this morning I got a warning from Google about visiting my site. When I clicked on the details I got the message below. I went and disabled my comments altogether. Deleted plugins that I think might have caused it. I am unsure what else to do. I need help on what I should do now. Thank you for your time to hear my case!
What happened when Google visited this site?
Of the 7 pages we tested on the site over the past 90 days, 7 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-07, and the last time suspicious content was found on this site was on 2012-03-07.
Malicious software is hosted on 1 domain(s), including happynewyear.osa.pl/.
This site was hosted on 1 network(s) including AS29873 (BIZLAND).
You need to be sure you completely clean your site to fix the hack, i.e. replace all core WP files and folders, check theme files for php code and links, etc. Replacing plugins and disabling comments is not enough.
Use http://sitecheck.sucuri.net/ and see FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host. Change all passwords. Scan your own PC. You may need to consider changing web hosts, too, in order to find a more secure host.
You will find many tips there about WordPress hacks, how to clean them, ...
Many Wordpress Tips After Hack
But you will get many different tips about it ... just try to do your best with this website and using Google is the best way to clean it.
The important thing to remember is that any and every PHP file and all of the stored procedures of the database are now contaminated and need to be deleted. If any passwords were stored in the clear (such as login passwords) you'll need to change them too.
Once you've wiped all of those, you'll need to install a fresh copy of WordPress - and let this be a lesson to you to keep your WordPress up-to-date and to have as few plugins as possible on your site.
<?php
// Remove the pingback.ping XML-RPC method so the site cannot be used as a pingback reflector
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

IE8 crashing opening WordPress with Gantry Framework installed

I've got a problem that's driving me up the wall: I made a WordPress blog, using the Gantry framework for layout and several different widgets and plugins. Everything works fine in FF, Safari, and Chrome, but when trying to open the site with IE 8 the browser crashes or, in the best case, I get a message that the tab has been closed and reopened due to an error, after which the site loads fine. I tried to find out what happens during the opening of the page, but the debug panel of IE doesn't point out any error!
Does anybody have a clue what the problem might be?
The website is: http://www.danielevecchiotti.it/
I suffered from the same attack today, so I investigated a bit:
That injection is done through a hole in one of the plugins, most likely through the outdated contact-form-7 plugin. Check if you have this folder in your wp-content/plugins directory - even if it is not activated in WordPress, the very presence of it there is a potential security threat, as the attacker can use the direct URL of the plugin's faulty file to access it.
(source: http://wewatchyourwebsite.com/wordpress/2011/11/wordpress-websites-infected-through-outdated-contact-form-7-plugin)
Patching the hole: if you use this plugin, update it to the latest version, which is not vulnerable. If you don't use it and just keep it deactivated (like I did), you can remove it altogether.
It is also a good idea to prevent people from accessing your plugins directly. You can create a wp-content/plugins/.htaccess with the following content:
<Files *.php>
deny from all
</Files>
This might not work with every configuration, but usually plugins are only accessed in the code, not with HTTP calls so that shouldn't do harm to visitors' experience.
Restoring your site: if you don't have a backup of your *.php files to restore them all from by overwriting your current ones, you need to search for every file containing the string specific to the malicious code, e.g. "eva1fYlbakBcVSir". Then you need to edit all those files - for every file, remove a long line from its end.
Or, if you're proficient with the command line and, say, Perl, you can build a regular expression to do the work for you.
What was the purpose of the attack? Obviously there were links to some Java plugin added to your site's pages by those code snippets. The plugin added is believed to be the following: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278
However, I haven't yet managed to decipher the injected code fully - it's very well messed up and the reverse engineering is hard. So I can't tell for sure that, apart from showing that Java plugin to visitors, the exploit was doing nothing like reading users' passwords or removing some files (unlikely, but possible).
I can't find any information about that either; it looks like nobody has traced the consequences fully yet.
Please share if you know more.
I finally found the problem: the site has been HACKED!
I noticed the index.php and wp-blog-header.php files modified on a strange date and time. Downloading the two files I found they had been compromised: a whole section of unreadable code had been added. Uploading the original PHP files the above problem was solved.
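Added example, not the posters' own code: a POSIX shell script implementing the search-and-strip procedure from the earlier answer (its marker string "eva1fYlbakBcVSir" is reused) plus the modification-date check from the last reply. The sample files are constructed; on a real site run it against the web root after taking a backup.

```sh
#!/bin/sh
# Added example: find PHP files whose last line carries a known injection
# marker, strip that line (keeping a .bak), and list recently modified PHP
# files. The marker is the one quoted in the answer; sample files are constructed.
set -eu

# Files under DIR whose last line contains MARKER. Only the last line is checked
# because the injection described above is a single long line appended there.
find_infected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if tail -n 1 "$f" | grep -qF -- "$2"; then printf '%s\n' "$f"; fi
    done
}

# Drop the last line of FILE after copying it to FILE.bak. Refuses to touch a
# file whose last line lacks MARKER, so a typo cannot truncate clean code.
# Writing back through cat keeps the file's inode and permissions.
strip_trailing_injection() {
    tail -n 1 "$1" | grep -qF -- "$2" || return 1
    cp -p "$1" "$1.bak"
    sed '$d' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# PHP files under DIR modified less than DAYS days ago (the "strange date" clue).
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Constructed sample tree: one clean theme file and one injected index.php.
make_sample_tree() {
    mkdir -p "$1/wp-content/themes/demo"
    printf '%s\n' '<?php' 'echo "clean header";' > "$1/wp-content/themes/demo/header.php"
    printf '%s\n' '<?php' 'echo "site";' \
        '<?php /*eva1fYlbakBcVSir*/ echo "injected"; ?>' > "$1/index.php"
}

# Stand-alone run: build the sample, report, clean, remove.
if [ "${1:-}" = "--demo" ]; then
    root="${TMPDIR:-/tmp}/wp-scan-demo.$$"
    make_sample_tree "$root"
    recently_modified "$root" 1
    find_infected "$root" eva1fYlbakBcVSir | while IFS= read -r f; do
        strip_trailing_injection "$f" eva1fYlbakBcVSir && echo "cleaned $f"
    done
    rm -rf "$root"
fi
```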
