How to prevent .htaccess rewriting? [closed] - wordpress

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I am currently managing several of my own sites. Their htaccess files are repeatedly being overwritten to redirect users coming from Google searches etc. to Russian spam sites. I have changed all my passwords, tried every conceivable combination of permissions and contacted my hosting support and still have no solution. The only way to remove it is to manually rewrite the htaccess to its normal state, which I do, but the malicious conditions are just put in again.
My questions:
Is there any foolproof way to prevent this? I know that the thumb.php used in wordpress had a bug to allow people to do this, but my install of wordpress has no theme or plugin with thumb.php in any form.
In case there is no solution, is there any way I could write a small PHP script to overwrite the htaccess file with the non-infected version every 5-6 minutes to minimize the chances of it affecting my users?
Thanks
UPDATE: It happened again. This time, I cross-checked the time at which the new htaccess file was created with the access logs and found one IP that matched closely. According to 2 online IP tracking tools, the IP is situated in Weehawken, New Jersey, USA. The IP was accessing some of my really old PHP files. As they were no longer in major use, I deleted all of them. Waiting to see if it still continues, and looking at how they accessed the files in the first place to replace them.

If you've been hacked, you most certainly have a backdoor installed - reinstall all wordpress installations from scratch after changing your password and you should be fine. As for the attacks, I'd recommend to set the htaccess-files to readonly for the time being and set up a monitoring system to alert you on redirects.
If the breaches continue, install a traffic sniffer or check the access logs. I do not mean to be rude, but if you do not know how to handle a security breach, you might be better off letting someone else secure your system for you, before someone puts some really nasty stuff on your servers.
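One way to implement the monitoring suggested in this answer, as an added example that is not part of the original thread: it compares `.htaccess` against a known-good hash and flags any `RewriteRule` that sends visitors to an external host, noting whether the rule is gated on the referrer or user agent. The sample file contents, the host `spam.example.invalid` and all function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: the stock WordPress rewrite block.
CLEAN_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Constructed sample of a tampered file: a search-referrer redirect
# prepended to the clean block (hypothetical host, not from the page).
TAMPERED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://spam.example.invalid/in.php?q=$1 [R=302,L]
""" + CLEAN_HTACCESS

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)
VISITOR_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def sha256_of(text):
    """Hex SHA-256 of the file contents, used as the known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def matches_baseline(text, baseline_sha256):
    """True when the current contents are byte-identical to the baseline."""
    return sha256_of(text) == baseline_sha256


def audit_htaccess(text, allowed_hosts=()):
    """Return one finding per RewriteRule that targets a non-allowed host."""
    findings, conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            conds.append(m.group(1).upper())  # conditions bind to the next rule
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        host = HOST_RE.match(m.group(2))
        if host and host.group(1).lower() not in allowed_hosts:
            gated = sorted({v for c in conds for v in VISITOR_VARS if v in c})
            findings.append({"line": lineno,
                             "host": host.group(1).lower(),
                             "gated_on": gated})
        conds = []  # a RewriteRule consumes the conditions before it
    return findings
```

Run it from outside the web root (for example from cron under a different account) so that whoever can rewrite `.htaccess` cannot also rewrite the checker.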

Is there any foolproof way to prevent this? I know that the thumb.php used in wordpress had a bug to allow people to do this, but my install of wordpress has no theme or plugin with thumb.php in any form.
It depends on how they are doing this. You may want to check that nothing else, especially a remote php filemanager, has been uploaded and whether it's being accessed whenever .htaccess is being rewritten. You can probably find that in your webserver logs. Look for php files that are being accessed (perhaps by a Russian IP?) that don't look like they belong to wordpress or whatever other web application you have set up. The filename could be wsh.php or some other benign name like image.php. There could be more than one scattered amongst your document root.
Also make sure that your directory permissions aren't writable by any user. This would allow another user on your hosted machine (if you are using shared hosting) to simply copy files into your directories.
In case there is no solution, is there any way I could write a small PHP script to overwrite the htaccess file with the non-infected version every 5-6 minutes to minimize the chances of it affecting my users?
If they're diligent enough, they can just delete this script. Or write a script themselves to upload the bad .htaccess every 5 or 6 minutes. You need to find out how they're rewriting your .htaccess file, and how they managed to do this in the first place and prevent it from happening again.

Related

WP site keeps getting hacked for a cryptojacker - How to find the leak?

I've got a site that has been hacked for the fourth time now this month. With scripts hosted on autofaucet.org. (sloppy code even, found their names. Some Russian dudes. But that's off topic) I've taken some measurements to prevent a new hack, but alas...
I've installed a clean WP installation on the server, with clean files and a clean DB.
reinstalled the plugins clean
I have the All In One WP Security & Firewall plugin for file scanning, firewall, hiding the login page, etc.
Changed all the wordpress passwords.
I've noticed the encoded code is being placed in files called assets.php.
I'm curious how a hacker would inject/place the code on the server. How to prevent it better and what questions to ask the webhost company. I've asked them before and they just say it's my fault, update the wp installation and move on. What should they check if the code is injected from their side?
Your log files (of the web server) e.g. /var/log/nginx/access.log with the nginx web server will tell you who it was. Look for the change date/time of the assets.php file. Then check server access logs for IP addresses from that exact time. Then search logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually Wordpress plugins are to blame as long as you keep the WP site updated. So, you could disable plugins not needed urgently, and disable the others one by one, or all for testing.
As a workaround, you can make the index.php (or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php which usually works (but may hinder updates, so it's a temporary solution). If you are not root on the server (shared hosting) perhaps chmod 444 filetobeattacked.php could work.
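The log correlation described in this answer, and used by the asker of the first thread to match the `.htaccess` change time against the access log, as an added example that is not from the original posts. The log lines, IP addresses (documentation ranges), file path and timestamp are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format, as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access-log lines (not from the page).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2021:03:10:02 +0000] "GET /wp-content/uploads/2014/old-form.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.20 - - [12/Mar/2021:09:41:55 +0000] "GET /?p=12 HTTP/1.1" 200 8120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:09:42:13 +0000] "POST /wp-content/uploads/2014/old-form.php HTTP/1.1" 200 31 "-" "curl/7.68.0"
203.0.113.20 - - [12/Mar/2021:09:42:14 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

# Constructed modification time of the tampered file. On a real system use
# datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc).
SAMPLE_MTIME = datetime(2021, 3, 12, 9, 42, 13, tzinfo=timezone.utc)


def parse_log(text):
    """Parse combined-format lines into dicts with a timezone-aware 'time'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries


def suspects_near(entries, modified_at, window_s=30):
    """Map IP -> paths for POSTs or .php requests within window_s of the change."""
    window = timedelta(seconds=window_s)
    hits = {}
    for e in entries:
        is_script = e["path"].split("?", 1)[0].lower().endswith(".php")
        near = abs(e["time"] - modified_at) <= window
        if near and (is_script or e["method"] == "POST"):
            hits.setdefault(e["ip"], []).append(e["path"])
    return hits


def history(entries, ip):
    """Every request from one IP, oldest first; the first is where to start."""
    return sorted((e for e in entries if e["ip"] == ip),
                  key=lambda e: e["time"])
```

File modification times can be reset by whoever wrote the file, so treat a match as a lead to follow through the rest of the log rather than as proof.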
I had the same issue before. It might be the WordPress core files.
Delete all files except wp-content, then download and replace it with the new wordpress files.
Search for 'autofaucet.org' inside wp-content, and remove if necessary.
Open wp-content/themes/ then check functions.php - check if any additional code is there on top. Check the last updated files and time inside the theme and plugins.
Export the database files and search for 'autofaucet.org' and remove any item found.

Wordpress site hacked -- redirects to another site [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 1 year ago.
My Wordpress site has been hacked. Links on the site have been changed to take users to the hacker's site at storage.piterreceiver.ga. This site, in turn, redirects to other sites which my browser flags as dangerous.
Has anyone else had this happen? How can I restore my site and prevent a reoccurrence?
We discovered the behaviour on several of our sites as well; the culprit seems to be the DSGVO Plugin offered by legalweb.io.
The plugin developer has been informed and the best solution was to clean the _options from the malware code and disable the plugin.
Thanks to #Jesmond Darmanin I found the solution for how to fix that. He described deleting all occurrences of "piterreceiver" in the database.
You can do that in this way:
Connect to your wordpress instance with SSH
Go to your wordpress directory
Execute wp db search --all-tables piterreceiver
Execute wp db query <<< "delete from <table> where <id> = 123456"
Be careful, this is the "crowbar" method. Only do that when you are absolutely sure that the returned value is not needed anymore (which was the case in my installation < lucky guy).
I found the same on one of my sites and could not identify any malware in the files, however, the "site URL" and "home" in "_options" table was altered and I suspect a SQL injection to have been the culprit here.
None of my malware tools could identify anything at the filesystem level so it appears to be some sort of 0day exploit as I cannot find anything similar. I've ensured that everything is updated and will monitor my site further, but a starting point would be to determine if there are any outdated plugins or themes that may suffer from a vulnerability and if yes then a more difficult task would be to identify which. I am looking through my logs now and will update this thread if I find anything.
We found this script in the WP DSGVO Tools (GDPR) Plugin by legalweb and in the Rewrite rules by YOAST SEO. But not all systems with these plugins are corrupted.
Affected are mainly pages that have been updated in the last few days.
A backup of the database is sufficient. Nevertheless, it should be determined how the intervention in the page came about.
We saw the same behaviour on our sites and I can confirm the DSGVO plugin is the culprit. Somehow the Matomo/Google Analytics tracking codes were overwritten with the malicious redirect.
I just talked to legalweb and they confirmed that this is the underlying issue - they are working on an update but didn't want to share how the attack was performed. Disabling the plugin and looking for the redirect url in the database solved the issue.
I had the same problem on my wp-website.
No files (.php et al) have been affected (as far as I can see so far), but I found obfuscated code in the database (wp)_options in "sp_dsgvo_legal_web_texts".
That points to the plugin "WP DSGVO TOOLS (GDPR)".
Since no login was possible anymore, I deleted the plugin subfolder shapepress-dsgvo via sftp on the server in the plugins directory.
Then I manually deleted every record in the database table:
DELETE FROM wp_options WHERE option_name LIKE 'sp_dsgvo%'
(maybe you have to change the table-prefix wp_ to your needs)
The Official WordPress Plugin-Directory has blocked this plugin on 20.09.21, but that doesn't affect your installation, so you have to clean it manually.
Keep in mind to find some other GDPR tool, but for now we are happy to have a website that's online again.
After all, I find the best solution, and please follow these steps:
Rename wp-content folder.
Create a new wp-content folder (don't forget about permissions for this folder).
Install one WP security plugin; Wordfence is recommended but you can install whatever you want.
Scan the whole website and directories with this plugin for malware.
For more insurance you can search the database with mysqldump -uUSER -pPASSWORD database --extended=FALSE | grep pattern
Change or delete the records found from step 4, (in my case the problem was in the wp_options table and siteurl and home had been changed).
Install a clean and fresh version of your template.
Copy old uploads folder from old wp-content to the new one.
And that's it your website will be alive again.
I just want to say thank you to #David Koenig and #Ralph Rathmann. Your replies were really helpful.
and thanks to the others for their replies and guides.
I recommend overwriting affected files with the files from a clean/original WordPress (be sure you are using the same version of WP).
I have just managed to restore a website that was affected by this. My fix was to search the database for storage.piterreceiver.ga and when found, replace it with the actual site's URL. I found two entries that needed to be amended. Once that was done, I was able to get back in to WordPress as usual.
As already mentioned, the problem is about the plugin WP DSGVO Tools (GDPR) and in our case, the database entry could also be deleted in the backend, by navigating to /wp-admin/admin.php?page=sp-dsgvo&tab=statistic-integrations > Matomo > Use Matomo (off) or removing the content from the field "Matomo code".
I scanned my wp-website with sucuri.net and had some high risk malware alert. When I tried to enter my site it directed me to this 'storage.piterreceiver.ga' and '0.johncarlsberg.best' (also with 1,2 etc. as prefix).
Because I also wasn't able to restore my updraftBackup, because I got some authentication errors, I tried uninstalling Plugins and updating everything.
-> For me it fixed the site by uninstalling WP DSGVO Tools (GDPR) Plugin.

How do I clone a wordpress site? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
I need to clone a wordpress site into my local so that I can try changing it without jeopardizing the running website.
I am fairly new to wordpress. How do I do it?
Is copying the whole folder which include wp-admin, wp-content, wp-includes going to work?
I will try to explain how to do it fairly easily:
For copying / cloning a website you will need to copy all the files and copy the database. You certainly can use a plugin for that but it is better to understand how it works under the hood and do it manually, and then migrations will become just a matter of minutes :)
Ok, so let's begin. First create a folder on your local server (or other server) which is going to be the root of your installation. Let's say your site you are copying is "oldsite.com" and the new destination is "localcopy.dev"
Copy all the files from oldsite.com via FTP or a hosting panel file manager or via the command line. Please note that if you use FTP then the copying process will be extremely slow; it will need to do a separate request for each file, and considering that the WordPress installation can contain up to 10 000 files it might take more than an hour. I would recommend creating an archive of all files from your hosting file manager and then just downloading the archive and extracting it in your localcopy.dev root folder. That will take 2-5 minutes maximum.
Once you have your files migrated, you need to migrate the database. That looks a little tricky at first sight but in fact it is a pretty basic thing. On your hosting, you need to access phpMyAdmin. Open the database of oldsite.com, go to export and export all the tables of the database. If it does not automatically export into a file, then you will need to indicate in the export settings to generate an export file. It will be a simple text file with a .sql extension.
Now we need to modify this .sql file. Open it in any text editor and just find all "oldsite.com" and replace with "localcopy.dev". Once you are done save the file. This is required, because we are migrating to new domain name and need to point all old links to new domain.
Now on your local server (or other destinations server) create a database, open the database via phpmyadmin or other db management application and import the tables from the .sql file we already have.
Now go to the root folder of localcopy.dev where you already extracted all the files and find the wp-config.php file. Open it and modify the database name, database user and database password with the new values so that it can connect to the new database which is on your local server.
Open localcopy.dev in your browser. It should work fine but if it does not, for example, if you see white screen of death, it might be a problem with your .htaccess file. Try deleting it and refreshing the site. Then it should most likely work fine but you might need to log in and go to settings->permalinks and click save to generate new htaccess.
You need to copy the files as well as the database, and update the database to point to your local URL and directory structure.
Copying the files is easy (grab everything in the site root, not just the wp-* folders)...you will likely use FTP/SFTP/SCP to copy them down.
The database is a bit more tricky. There are MySQL dump tools and database copy tools.
Also take a look at WP Migrate DB Pro. It is a paid product, but if you have to do this a bit more than once...paying the cost is well worth the time and aggravation it will save you.
It is safer to copy the whole wordpress folder and don't forget the .htaccess file as well.
Other than files, you need to make a copy of the database as well.
There are some wordpress plugins available that would ease the pain, for example Duplicator
Also if you are cloning the wordpress site to a new domain, there are some more steps to take (details are here)

Why am I getting this 404 error suddenly? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 11 months ago.
My site worked fine just a few hours ago. And I have not touched it since then. However, as of now, every single page except for the homepage is showing the following message:
404 Not Found
The resource requested could not be found on this server! Powered By
LiteSpeed Web Server LiteSpeed Technologies is not responsible for
administration and contents of this web site!
The homepage seems to work fine. I can't see any changes and I also scanned it with http://sitecheck3.sucuri.net/ and it returned nothing. I do, however, have a plugin called Better WP Security installed and it says that there have been some "Bad login attempts" just before that and that all my WP core files have been modified.
I am not sure what to do now as I don't know how to confirm whether I have been hacked or not.
Could it be my host's fault? Found a thread in a forum with a similar issue:
http://www.ukbusinessforums.co.uk/threads/404-not-found-the-resource-requested-could-not-be-found-on-this-server.291094/
I solved this problem by another simple way...
On a Dashboard - go to Settings, then Permalinks and click Save Changes.
It works perfectly for me.
It sounds like your .htaccess file has been nuked somehow. A plugin attempting to edit it might have corrupted it (I've seen it before). In any case, download a fresh copy of WordPress and re-upload the .htaccess file into the home directory. Alternatively, you can change your permalinks settings to have it generated automatically.
If your site got hacked, typically you will see some hidden divs and malicious script tags injected into your page and/or within your database. If this happens, you need to restore your most recent backup of your files and database. The files on the server should all be considered compromised and a known clean copy must be used.
I had the same problem and saving the permalinks configuration solved it for me. As stated here, it happens because there is no .htaccess file or that file is corrupted, but I would like to add an observation: at least in my case I didn't have a .htaccess file because I took a backup from another server and forgot to enable the option to show hidden dot files, thus ending up not including the .htaccess file in the backup package.
Check the permission given to the .htaccess file; it must be 755 (7=rwx, 5=r-x, 5=r-x).

Permission    Action       chmod option
=======================================
read          (view)       r or 4
write         (edit)       w or 2
execute       (execute)    x or 1

How to transfer a Wordpress site from Bitnami (local host) to a live host online? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I'm finding out that developing my Wordpress child theme and website on my Bitnami local server was a HUGE mistake.
There's apparently no easy way to move it to a live 3rd-party host online.
I've exported the bitnami_wordpress database (careful to select all the tables), then imported it into a new database on my hosting account.
I've installed wordpress, and then replaced the wp-content folder with my own.
I've adjusted the wp-config file.
Still, I lose all my pages. I lose all my media library. My widgets are no longer populated. And weirdly enough only SOME of my CSS seems to work.
And judging from the disparate and spotty "solutions" that I've found on the web, the only real solution seems to be (you guessed it): use Bitnami cloud hosting. However, I'm already a Bluehost customer.
I've even tried 3 plugins so far, and none worked. After all the work I've put into developing the child theme and populating it, this is a real nightmare.
Can anyone tell me what I'm doing wrong? (In simple terms - I don't know php...) I'm completely lost at this point.
I had a similar problem. To get my particular site working, I added the following code to my configuration file:
define('WP_HOME','http://example.com');
define('WP_SITEURL','http://example.com');
After adding the lines, my CSS and uploaded images came back.
Don't forget to replace example.com with your site's domain name.
I found that code at: http://codex.wordpress.org/Changing_The_Site_URL.
Actual user results may vary.
Move all files with wp-admin, wp-content, wp-includes into your host.
Delete wp-config.php file.
Go to site URL EX: example.com and go through typical installation procedure.
Go to your database on your host and delete those 11 tables which have been made.
Now you should export the local database, open it in any text editor and search and replace your local URL with the new one.
Ex: localhost with example.com, then import it into the database on the real server.
Now it should work.
