WordPress.org


brend-store.ru hijacked my site via a plugin (25 posts)

  1. crose13
    Member
    Posted 3 years ago #

    I tried to download the Maintenance Mode plugin for my site and it redirected me to scareware. I immediately closed my browser, but it wasn't enough. My site has now been hijacked by brend-store.ru. I've found two other cases of this hijacker, but not enough to get the support I need. I currently have an "under construction" page up to stop my site from redirecting to the malicious site, but the rest of my site is still messed up. Any help would be greatly appreciated!

  2. dontbegauche
    Member
    Posted 3 years ago #

    I am having the same problem, not from Maintenance Mode however as it isn't installed. This is a pain!!!

  3. kmessinger
    Volunteer Moderator
    Posted 3 years ago #

  4. crose13
    Member
    Posted 3 years ago #

    Did you TRY to download a plugin that did it? I read all of the articles from WordPress already and nothing helped. I didn't want to have to restart everything, so I logged into my server and deleted anything that didn't look necessary. Somewhere along the way, I deleted the right thing. I think it was in the Downloads folder.

  5. dontbegauche
    Member
    Posted 3 years ago #

    Ok, after much trouble, I realized this is a .htaccess code injection hack/virus. Every site on my host/server had a corrupted/injected .htaccess file redirecting sites to brend-store.ru. I manually went through every file and removed this hack. They placed the code about 200 lines down to hide it, and to the right (if you edit via a text editor).

    I still have no idea how this hack/virus came about. But it did infect my whole hosting account (JustHost.com), so I am contacting them to take further cautionary steps.

  6. crose13
    Member
    Posted 3 years ago #

    I contacted my host, who removed the rest I didn't find. You're right. All the articles say check .htaccess, but they inject a fake one in EVERY folder. This hack seems to be common but not often talked about, probably because many people wouldn't notice and would assume their site is just messed up.

    I hope plugin owners start checking their own stuff more often because others not noticing is how it's spreading. Let me know if your hosting provider gives you any helpful hints :)

  7. dontbegauche
    Member
    Posted 3 years ago #

    My host has been no help unfortunately! They said, "your site is fine." Haha BULL! Anyway, I hope the "internet police" find the bottom line of this problem. I don't like thinking it can happen again without me knowing how to stop it.

    Glad you got it fixed, for now my sites are OK too "fingers crossed"!

  8. crose13
    Member
    Posted 3 years ago #

    My host thankfully removed EVERY little trace for me. I know there are WordPress security plugins, but I don't know how effective they are against hijacking and injected files. I'm really hesitant about downloading any updates or plugins with this thing infecting WordPress...

  9. dontbegauche
    Member
    Posted 3 years ago #

    Glad to hear your host helped. Yea, it does seem to infect mostly WordPress users, but it also infected sites on my host that were not WordPress sites. I think somehow the hackers are gaining FTP access through some WordPress hack and then infecting all folders/sites on the server. I am wary to download ANYTHING at this point!

  10. HetrixByte-Andrei
    Member
    Posted 3 years ago #

    If the attacker has somehow managed to exploit your wordpress site and upload a shell script in there then he can do whatever he wishes into your account, thus being able to infect all your other websites and plant even more backdoor scripts.

  11. dontbegauche
    Member
    Posted 3 years ago #

    How should we protect ourselves against further attacks then, other than by changing passwords?

  12. dontbegauche
    Member
    Posted 3 years ago #

    The hackers got into my stuff again, like you mentioned Hetrix. They didn't get in through SSH, just FTP. I cleaned up all .htaccess files last night, and they re-injected them today, to direct to another spam site, not brend-store.ru however.

    And my host is no help, so thankfully some good friends are helping me tighten ship.

  13. crose13
    Member
    Posted 3 years ago #

    I posted on the forum of the plugin that was ALSO hijacked and gave the problem to me...

    I was rudely told not to make such accusations and they linked to THIS support thread to say I have taken back my accusation and it was my server's fault. Then they closed my post. Um...my server FIXED it. It was still the Maintenance Mode plugin that gave it to me. Not intentionally, but I believe it is infected too. You'd think you could find better help online eh dontbegauche?

    I'd look into changing hosting. There are times when my hosting provider is the only one who can save me.

  14. "I tried to download the Maintenance Mode plugin for my site"

    Out of curiosity ... WHERE did you try to download this from?

  15. crose13
    Member
    Posted 3 years ago #

    I went into my backend. I went to plugins. I did a search for it as I've used it several times before. I downloaded it from the official location, and it redirected me to a scareware site...the same one my site started redirecting to. I ran Malwarebytes on my computer. Nothing.

    I checked my backend, most of the fake inserted .htaccess files giving me trouble were in my plugins folder in the Maintenance Mode plugin files. This all also ONLY affected my site I installed Maintenance Mode to and it happened the second I tried. All subdomains and other domains on the same server were unaffected. It was NOT my hosting provider. It was this plugin.

    I love Maintenance Mode. I've used it many times. However, it was the ONLY thing I was trying to change and there seems to have been some other complaints around the day I had my trouble, but the forum admins are closing all topics on the matter. I just checked it again on a superfluous domain. It seems to be working fine now. I don't think it was Maintenance Mode's fault, but I do think it was temporarily hijacked or something of that nature.

  16. I checked your other post. As esmi pointed out, the odds are it's NOT the plugin but the SOURCE (which has not been updated in 8 months). Now, since you said wordpress.org is the source, I would speculate further that your site actually was already compromised somehow and the installation of ANY plugin would have triggered that.

    Esmi wasn't being rude, by the way. She's a well respected, well educated and highly knowledgeable moderator of these forums. Terse, yes, but she rightly pointed out the odds are that it's NOT the plugin. And as she pointed out, if you feel it's the plugin, email plugins@wordpress.org and explain the situation.

    Seriously, the odds are your account on that server is compromised.

    Start out by following kmessinger's advice. Get your site CLEAN. Use http://sitecheck.sucuri.net/scanner/ to scan your install. Change ALL YOUR PASSWORDS. Search your site for any other .htaccess files.

    dontbegauche - Change passwords, obviously, but also make a backup of your site and then nuke everything that isn't in wp-content. Upload it all fresh. For what IS in wp-content, delete the plugins and themes and get fresh copies of THEM as well. Make sure your permissions are good (775 for wp-content/uploads). Change the WP passwords as well as FTP/SSH. Use the Sucuri scan.

    Also, as always, talk to your host. Tell them your account may have been compromised. Sadly, if they're incompetent and can't (or won't) help you, I would STRONGLY suggest moving to a better host. A good host will help you dig this out.
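    The "nuke everything that isn't wp-content and upload it all fresh" step above goes more smoothly if you first know exactly which files were touched. This is an added example for that step, not code from any poster in this thread: it hashes a live install and a fresh extraction of the same WordPress release, then reports core files whose content differs and files the fresh copy does not have at all (which is where a dropped .htaccess in a plugin folder, or a stray file in a Downloads folder, shows up). It assumes `wp-config.php` and `wp-content/uploads/` legitimately differ and skips them; the sample trees and the host `redirect-target.example` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from any poster): before "nuking everything that isn't
# wp-content", diff the live install against a fresh copy of the same
# WordPress version so you know which files were touched and which were added.
# Assumptions: FRESH is an untouched extraction of the matching release zip;
# wp-config.php and wp-content/uploads/ are expected to differ and are skipped.

# Portable SHA-256: sha256sum on Linux, shasum on macOS/BSD.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# manifest DIR -> one "relative/path sha256" line per regular file, sorted.
# Dotfiles such as .htaccess are included, which is the point.
manifest() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$f" "$(hash_of "$f")"
    done)
}

# compare_trees LIVE FRESH -> prints "MODIFIED path" for files whose content
# differs from the fresh copy and "EXTRA path" for files the fresh copy
# does not have at all (dropped .htaccess files, backdoors, stray folders).
compare_trees() {
    live_m=$(mktemp); fresh_m=$(mktemp)
    manifest "$1" > "$live_m"
    manifest "$2" > "$fresh_m"
    awk 'NR == FNR { fresh[$1] = $2; next }          # first file: fresh manifest
         $1 == "wp-config.php" || $1 ~ /^wp-content\/uploads\// { next }
         !($1 in fresh) { print "EXTRA    " $1; next }
         fresh[$1] != $2 { print "MODIFIED " $1 }' "$fresh_m" "$live_m"
    rm -f "$live_m" "$fresh_m"
}

# count_findings LIVE FRESH -> number of lines compare_trees reports
count_findings() {
    compare_trees "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: two tiny trees standing in for a fresh zip and a live site.
make_sample_trees() {
    fresh=$(mktemp -d); live=$(mktemp -d)
    for d in "$fresh" "$live"; do
        mkdir -p "$d/wp-content/plugins" "$d/wp-content/uploads"
        printf '<?php /* index */\n' > "$d/index.php"
        printf '<?php /* wp-load */\n' > "$d/wp-load.php"
        printf '<?php /* hello dolly */\n' > "$d/wp-content/plugins/hello.php"
    done
    # Legitimate live-only files: the usual root .htaccess, the config, an upload.
    printf 'RewriteEngine On\n' > "$live/.htaccess"
    printf '<?php /* site config */\n' > "$live/wp-config.php"
    printf 'image bytes\n' > "$live/wp-content/uploads/photo.jpg"
    # What the thread describes: a tampered core file and a stray .htaccess
    # inside a plugin folder (redirect-target.example is a placeholder host).
    printf '<?php /* wp-load */ /* appended junk */\n' > "$live/wp-load.php"
    mkdir -p "$live/wp-content/plugins/maintenance-mode"
    printf 'RewriteRule . http://redirect-target.example/ [R,L]\n' \
        > "$live/wp-content/plugins/maintenance-mode/.htaccess"
    echo "$live $fresh"
}

# Usage: sh compare_wp.sh /path/to/live/site /path/to/fresh/extract
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

    Two things to expect in the output: the root `.htaccess` always shows as EXTRA because the release zip does not ship one, so read it by hand (all the way to the bottom and the far right), and anything reported under `wp-content/plugins/` or `wp-content/themes/` that is not a file you uploaded yourself is a candidate for the "delete and get fresh copies" step. Run the comparison again after the reinstall; the only remaining lines should be the ones you can account for.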

  17. crose13
    Member
    Posted 3 years ago #

    I run security and before kmessinger said anything, I'd already read all of those articles. I'd just done a redesign and always clean out my whole server between redesigns. I am familiar with Sucuri Site Check and run it as often as I run Malwarebytes on my physical machine. It was checked and fine BEFORE the plugin install, but not after. If my server was compromised, wouldn't it affect ALL of my domains and subdomains because it only affected the one I'd just installed the plugin on?

    I do understand Esmi's position, I just didn't appreciate being treated like I'm intentionally badmouthing a plugin I've used before and appreciated. I also did not retract my statement and don't appreciate words being put in my mouth. I would have loved to have had an opportunity to say how much I do love the plugin but the WordPress plugin page DID redirect me to a scareware site. My OWN site did not send me to scareware or spam. THAT plugin page did. I did my best to alert the proper authorities to fix it. I know that the plugin would never intentionally hijack my site, but I do feel it or its source was compromised.

    My site was perfectly fine before the plugin, and only the one part was compromised after. The files I found that restored my site long enough to get my hosting provider to fix the rest were new files created that day and that time in my WordPress plugin files in a folder for the Maintenance Mode plugin in a folder that had not finished downloading and my WordPress said there was an error with the plugin. Something doesn't add up. Within the past month more than just me have reported the plugin messing up their sites and blogs. More than just me have reported the plugin and even Esmi said it was "unlikely" not impossible. In the past month a fantastic plugin has been likely responsible for messing up several sites...it may be worth paying some attention to instead of arguing with already upset users.

  18. "If my server was compromised, wouldn't it affect ALL of my domains and subdomains because it only affected the one I'd just installed the plugin on?"

    If they're all run under the same account on the same server, the odds are likely that would be yes, but... If you ever manage to fully understand the machinations of hackers and spammers, you are well up on the rest of us.

    Now to clarify ... We actually don't know if the WordPress.org site sent you to the scareware site. YOU assume wordpress.org was compromised. I assume your server was compromised. Neither of us know just yet :) Both of us have totally valid reasons for the assumptions.

    We know this: You attempted to use the in-app Plugin Installer to install a plugin and, via methods as of yet unknown, you were not directed to the wordpress.org page but instead to a scareware site.

    Is that a correct assessment of what happened? (Yes, I know it's simplifying it, but right now, we need to do that a bit.)

    My gut tells me that in order for YOU and you alone to be redirected like that (and since no one else has jumped up and said 'me too! THAT plugin!', I'm sorry to say I strongly feel it's JUST you), then something was ALREADY wrong on your server. What was wrong? My candidates in order of likelihood:

    1) You had another plugin/theme on that WordPress install that was corrupted.
    2) Your install was insecure and a legit (but evil) plugin/theme is using that to leverage the hack
    3) Your login ID (SSH/FTP) was compromised
    4) Your server has a security hole

    What we would need to do, were this MY server, is grab the access logs and error logs and look at what the hell was passed through to my server at that time. A GOOD host will help you. I repeat this because the one time I was hacked - through my own stupidity - my host helped me trace it back to a time-frame on a Friday where I was, indeed, being an idiot (FTP instead of SFTP on a Windows box with no virus protection, using IE ... I know).

  19. crose13
    Member
    Posted 3 years ago #

    Thank you so much for the help. It just seems so weird that I opened the plugin and when I clicked to download, it opened the scareware site in the same window...and it was only the ONE site, not any of its subdomains or my other domains. I had not installed any other new plugins whatsoever in the past few months or so and the theme I installed I built myself. That would leave either a hole in my server security, which seems unlikely since only one site was affected. There are just a lot of big doubts about EVERY possibility, including my own thought. What can I do to figure out what happened and ensure it doesn't happen again? Changing my login, etc. helps if that was the issue, but if it was compromised once it can be again. I'd like to know for sure what happened so I can be better educated if it happens again.

  20. dontbegauche
    Member
    Posted 3 years ago #

    Crose13: Check your uploads folder for strange files/folders. I think I might have found some backdoor/virus files in one of my website's uploads folders. I guess I'll find out if this was the culprit in a few days...

  21. meylodie
    Member
    Posted 3 years ago #

    Hi,
    Thanks for the tip about the WordPress .htaccess, I found the thread here thanks to a search on the web for the domain name where my admin pages were redirected. I found all the links redirecting to the same website plus lines to make it seen by the search engines...

    As for the scripts that you may find that allowed the sites to be hacked, I had found some before: php files installed in the uploads directory. Since then I added lines of code in a .htaccess placed into the uploads directory to prevent listing the files and executing cgi in that directory.

    Here the plugin which I found to be the source of the leak was wp-phpmyadmin. It has not been updated for a while, and usually I had it deactivated except when I needed to use it, but this time I had forgotten to deactivate it after use.

    Once in a while now, I activate debug in the wp-config.php file and look at what error messages it provides; then, once the faulty plugins are removed or replaced, I deactivate the debug feature again.

    Regards,
    Mélodie
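    Two posters above point at the same directory: dontbegauche suggests checking the uploads folder for strange files, and Mélodie describes finding php files there and then dropping a .htaccess into uploads to stop directory listing and script execution. The following is an added example of both checks, written for this thread and not taken from either poster or from WordPress itself. It assumes an Apache host that honours .htaccess overrides; the sample upload tree is constructed.

```shell
#!/bin/sh
# Added example (not from any poster): the two checks the thread recommends for
# wp-content/uploads: list script files that have no business being in an
# upload tree, and drop in a .htaccess that stops Apache from listing the
# directory or executing anything script-like inside it.
# Assumption: the site runs under Apache with .htaccess overrides enabled.

# find_scripts_in_uploads DIR -> paths of PHP/CGI-looking files under DIR
find_scripts_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
        -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.pl' \)
}

count_scripts_in_uploads() {
    find_scripts_in_uploads "$1" | wc -l | tr -d ' '
}

# write_uploads_htaccess DIR -> writes DIR/.htaccess (overwrites an existing one,
# which is intended: an injected .htaccess there should not survive).
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Hardened .htaccess for wp-content/uploads (added example, not WordPress' own)
# No directory listings
Options -Indexes
# Refuse to serve or execute script files from the upload tree
<FilesMatch "\.(php|phtml|php[0-9]|phar|cgi|pl)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# uploads_htaccess_ok DIR -> success if the hardened rules are present
uploads_htaccess_ok() {
    f=$1/.htaccess
    [ -f "$f" ] && grep -q '^Options -Indexes' "$f" && grep -q 'Require all denied' "$f"
}

# Constructed sample upload tree: one real-looking image and one dropped script
make_sample_uploads() {
    base=$(mktemp -d)
    mkdir -p "$base/2013/05"
    printf 'fake image bytes\n' > "$base/2013/05/photo.jpg"
    printf '<?php /* constructed stand-in for a dropped script */\n' > "$base/2013/05/photo.php"
    echo "$base"
}

# Usage: sh harden_uploads.sh /path/to/wp-content/uploads
if [ $# -eq 1 ]; then
    echo "script files under $1:"
    find_scripts_in_uploads "$1"
    write_uploads_htaccess "$1" && echo "wrote $1/.htaccess"
fi
```

    The uploads directory is the one place WordPress must be able to write to (hence the 775 mentioned earlier in the thread), which is exactly why it is the natural drop point for a backdoor, so denying execution there costs nothing and removes the easy path. One caveat: if the host's `AllowOverride` does not include `Options`, the `Options -Indexes` line makes Apache answer 500 for everything under uploads; drop that line and keep the `FilesMatch` block, which only needs the authorization modules. Re-run the listing after every plugin change, since anything it prints is either a plugin misbehaving or someone else's file.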

  22. dvwp
    Member
    Posted 2 years ago #

    Our site was hacked in a way that redirected pages to powerprogramm.ru/make/index.php.

    After checking with Sucuri, a careful review of our .htaccess file showed that it had been compromised and the redirect code had been added.

    When checking your file, be sure to look further down in the document. In our case (as another mentioned above) the script was 'hidden' 50 lines down in the page and to the right. It might be missed at a quick glance.

    Hope this helps others.

  23. dvwp
    Member
    Posted 2 years ago #

    Also, I should add, the now defunct wp-phpmyadmin plugin was installed on this site. It is highly suspected to be a cause in the attack.

  24. ainal
    Member
    Posted 2 years ago #

    Dear All, I have a problem with my site. My site always redirects to a page that says: How to Get from JFK to Manhattan and Back? - navettejfk.com
    Mode Maintenance

    Sorry for the inconvenience.
    Our website is currently undergoing scheduled maintenance.
    Please try back in 60 jours
    Thank you for your understanding.

    How can I solve it? Please reply with an answer.

    thanks.

  25. esmi
    Forum Moderator
    Posted 2 years ago #

    Please post your own topic.

This topic has been closed to new replies.