2.7.1 Site hack - redirect to magic4man.com (11 posts)

  1. iamkohchang
    Member
    Posted 4 years ago #

    I don't keep up to date with what's going on on WordPress as I am not much of a techie. And I don't like to upgrade immediately as it can screw up plugins etc. But anyway . . .

    Have a site iamkohchang.com - I noticed my admin password wouldn't work and was reset last week. So had to get a new password. Then I noticed the site redirects to magic4man.com - Japanese porn after about 60 seconds.

    A line of code was in the header and in a sidebar widget, so was easy to find and remove. I thought that was the end of the problem. (Like I said, I am not a techie. I went from MS Frontpage to WP as I wanted something simple and hassle free to use.)

    I upgraded to 2.8.4 after I did that, but now my site has gone - just get redirected immediately to the porn site.

    I will reinstall WP and the theme (Arthemia) and I have a backup of the database - but how to tell if this backup is clean or if there is something hiding in there?

    Any help / easy to follow instructions greatly appreciated

  2. iamkohchang
    Member
    Posted 4 years ago #

    Also just noticed that the worm is in my admin section too. In Themes, I clicked to select a different theme and the lightbox that usually displays an overview of the theme showed the porn site too.

  3. ClaytonJames
    Member
    Posted 4 years ago #

    Here are the redirects.

    Title: Asian Porn Hub – Japanese Porn Movies
    URL: //iamkohchang.com
    Redirects:
    301 -> //www.magic4man.com
    301 -> //magic4man.com/

    Anything strange in your .htaccess file?

  4. iamkohchang
    Member
    Posted 4 years ago #

    .htaccess is this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

  5. whooami
    Member
    Posted 4 years ago #

    What's inside your wp-config.php? Anything unusual?

    I'm not clicking to look, so what theme are you using? If you aren't already, change your theme to a clean, freshly uploaded default?

  6. whooami
    Member
    Posted 4 years ago #

    Did you disable your plugins before upgrading?

    (also could be a malicious plugin loading only in db)
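
Added example, not part of any post in this thread: one way to approach the first post's question (is the database backup clean?) and the suggestion above that a plugin may be loading only from the database, by scanning a SQL dump for redirect markup and listing the `active_plugins` entries. The sample dump, the `redirect.invalid` domain, the default `wp_` table prefix and the heuristics are constructed assumptions.

```python
import re

# Constructed sample dump (not data from the thread); default wp_ prefix assumed.
SAMPLE_DUMP = r"""INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.test','yes');
INSERT INTO `wp_options` VALUES (33,'active_plugins','a:2:{i:0;s:19:\"akismet/akismet.php\";i:1;s:23:\"../../uploads/cache.php\";}','yes');
INSERT INTO `wp_options` VALUES (80,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";s:69:\"<meta http-equiv=\"refresh\" content=\"60;url=http://redirect.invalid/\">\";}}','yes');
INSERT INTO `wp_posts` VALUES (5,'Hello','<p>Welcome to the island guide.</p>');
"""

# Heuristic signatures for injected redirects (assumptions: expect false positives).
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r'http-equiv=\\?["\']?refresh', re.I),
    "js-location": re.compile(r'(?:window|document|top)\.location(?:\.href)?\s*=', re.I),
    "encoded-eval": re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|unescape)', re.I),
    "hidden-iframe": re.compile(r'<iframe[^>]*(?:display:\s*none|width=\\?["\']?0)', re.I),
}
PLUGIN_ROW = re.compile(r"'active_plugins','(a:\d+:\{.*?\})'", re.S)
PLUGIN_PATH = re.compile(r's:\d+:\\?"([^"\\]+)\\?"')
PLUGIN_OK = re.compile(r'^[\w.-]+(?:/[\w.-]+)*\.php$')

def scan_dump(dump, indicators=()):
    """Return (line number, finding) pairs for redirect markup or known bad strings."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        for name, rx in REDIRECT_PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, name))
        for term in indicators:
            if term.lower() in line.lower():
                findings.append((lineno, "indicator:" + term))
    return findings

def active_plugins(dump):
    """List plugin paths from the serialized active_plugins option, if present."""
    m = PLUGIN_ROW.search(dump)
    return PLUGIN_PATH.findall(m.group(1)) if m else []

def suspicious_plugins(paths):
    """Flag entries that leave the plugins directory or are not plain .php paths."""
    return [p for p in paths if ".." in p or not PLUGIN_OK.match(p)]

if __name__ == "__main__":
    for lineno, finding in scan_dump(SAMPLE_DUMP, ["redirect.invalid"]):
        print(f"line {lineno}: {finding}")
    print("active plugins:", active_plugins(SAMPLE_DUMP))
    print("review these:", suspicious_plugins(active_plugins(SAMPLE_DUMP)))
```

Pass the domain the site is being redirected to as an indicator, and compare the listed plugin paths against what actually exists in the plugins directory; an empty result is not proof that a dump is clean.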

  7. iamkohchang
    Member
    Posted 4 years ago #

    The wp-config.php looks fine. Nothing relating to a redirect or the magic4man URL.

    I didn't disable the plugins before upgrading. In the Plugin list in Admin section I can't see any plugins that I don't recognise and I haven't installed any new ones recently - only upgraded existing plugins.

    (Thanks for the help so far, hopefully this is narrowing down the causes of the problem)

  8. whooami
    Member
    Posted 4 years ago #

    In the Plugin list in Admin section I can't see any plugins that I don't recognise and I haven't installed any new ones recently - only upgraded existing plugins.

    (also could be a malicious plugin loading only in db)

    I'm not clicking to look, so what theme are you using? If you aren't already, change your theme to a clean, freshly uploaded default?

    I'm not going to regurgitate, sorry :) so here ya go -->

    http://wordpress.org/support/topic/267398?replies=8

    There are tons of other threads here and blog posts elsewhere, and they all say exactly that, in different language.

  9. iamkohchang
    Member
    Posted 4 years ago #

    Thanks - I'll read through that.

    The theme is Arthemia Premium.

  10. 2roguecats
    Member
    Posted 4 years ago #

    A site that I admin also had this hack. I thought I had cleaned it, but it came back. Were you able to successfully get rid of the hack?

  11. iamkohchang
    Member
    Posted 4 years ago #

    Still being hacked, despite an IT guy working on it for a couple of days and battling with the hacker. Now the hacker only has access to the index.php file on the site and is still redirecting that. All other pages and my other domains are fine.

    If anyone has ideas how this can happen, i.e. access to a single file, despite lots of security being added, SSH enabled etc., let me know.

    The original problem was a file uploaded in July into the cgi-bin - that isn't visible in the file manager. This gave the hacker telnet access to the site. The file was env.cgi. See if it is on your site: http://www.domain.com/cgi-bin/env.cgi and you'll see where they log in.

Topic Closed

This topic has been closed to new replies.
