WordPress.org

Blog Hijacked. Found some code in the theme which redirects to other sites (5 posts)

  1. Gauhar Kachchhi
    Member
    Posted 2 years ago #

    Friends...

    My WordPress blog was hijacked. I did not realize it soon enough, because I never noticed anything unusual, except that my traffic fell 70%.

    At first I thought it was coz I had activated CloudFlare on my blog, and so I disabled it. But traffic did not return.

    A couple of days ago, I accessed my blog from an iPad, instead of my PC. And I was shocked to see I was redirected to some spammy site called googledservics or something like that...

    I ran a Virus Scanner from my cPanel, and it removed a couple of files which it said were infected.

    Later today, I checked my blog using http://sitecheck.sucuri.net/scanner/ and found it was still infected.

    Found some code which was not supposed to be there in my theme files.

    In functions.php, I found

    [Code moderated as per the Forum Rules. Please use the pastebin]

    And footer.php had a line of code

    <div id="scricode486397491"></div>

    I have removed this extra code, but am not sure if it was a false alarm or really malware. A fresh unmodified copy of the theme does not have these extra lines of code, and I sure did not add them.

    What should I do now? Could there be more of such malware code in my blog? I have changed the password and made it more secure. But I am afraid it could come back.

    In logs, I have found hundreds of attempts every day to access wp-login.php

    My infected blog is http://www.civilprojectsonline.com/

    Any suggestions?

  2. Gauhar Kachchhi
    Member
    Posted 2 years ago #

    Here is the malicious code I had removed from functions.php -- http://pastebin.com/2Ryf1sRh

    followed by <div id="scricode486397491"></div> from footer.php

    Sorry for directly pasting the entire code in the earlier post. Didn't know the rules...

  3. Ugh.

    Best thing to do is scrub the files and reset passwords.

    Delete all the WP files and folders EXCEPT:

    .htaccess
    wp-config.php
    wp-content/uploads

    Get FRESH copies of everything from WordPress.org, or the people you bought the themes/plugins from. Change your FTP/SSH password. THEN upload everything back to your site.

    THEN change your passwords on your WP install.

    And tell your host you were hacked.

  4. perezbox
    Member
    Posted 2 years ago #

    All good recommendations.

    Don't forget to scan your local environment. Folks often forget that and it's often their own environment in which they are most vulnerable.

    Also see if your host will allow you to work via SFTP or SSH instead of FTP.
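
The cleanup in the third post replaces everything except .htaccess, wp-config.php and wp-content/uploads with fresh copies. As an added example (not code from any poster or from WordPress), this Python script compares a live tree with a fresh copy first, so the changed and extra files are recorded and the kept paths are listed for manual review. The function names, the demo files and the choice to flag PHP files under uploads are assumptions of this example.

```python
import tempfile
from pathlib import Path

# Paths the third post says to keep rather than replace.
PRESERVED = (".htaccess", "wp-config.php", "wp-content/uploads")

def is_preserved(rel):
    return any(rel == p or rel.startswith(p + "/") for p in PRESERVED)

def audit(installed, fresh):
    """Compare the live tree with a fresh copy; return relative paths."""
    installed, fresh = Path(installed), Path(fresh)
    report = {"modified": [], "extra": [], "review": []}
    for path in sorted(p for p in installed.rglob("*") if p.is_file()):
        rel = path.relative_to(installed).as_posix()
        if is_preserved(rel):
            # Kept paths are never overwritten, so they need a manual look.
            # Assumption: the two kept files and any PHP under uploads.
            if rel in PRESERVED or path.suffix.lower() == ".php":
                report["review"].append(rel)
            continue
        clean = fresh / rel
        if not clean.is_file():
            report["extra"].append(rel)        # absent from the fresh copy
        elif path.read_bytes() != clean.read_bytes():
            report["modified"].append(rel)     # differs from the fresh copy
    return report

def build_demo(root):
    """Constructed sample trees (not real WordPress files)."""
    files = {
        "fresh/wp-content/themes/demo/functions.php": "<?php // theme\n",
        "live/wp-content/themes/demo/functions.php": "<?php // theme\n// added\n",
        "live/wp-content/themes/demo/cache.php": "<?php // not in fresh copy\n",
        "live/wp-config.php": "<?php // config\n",
        "live/wp-content/uploads/photo.jpg": "jpeg",
        "live/wp-content/uploads/thumb.php": "<?php // constructed\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return Path(root) / "live", Path(root) / "fresh"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_demo(tmp)))
```

Run `audit()` with the site's document root and an unpacked fresh download of the same WordPress, theme and plugin versions.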
