
[closed] Hacked and all my sites now have impossible cialis and viagra pages (23 posts)

  1. war3rd
    Member
    Posted 2 years ago #

    I'm using the latest version of WP (3.3.1) on all my sites and suddenly about a month ago I have all these pages (or posts) for cialis and viagra. The odd thing is that they appear as pages that aren't possible as actual WP pages (e.g. http://www.DOMAIN.com/wp-includes/index.php?iga=25790&OEQ=1332871201) which are obviously not real URLs.

    I found this out because I have Google alerts for all my domains and Google is picking up these pages. Even more interesting, if you click on the links, they show as a blank page in any browser on a Windows machine, but if you are using a browser on a Linux machine, you can see all the spam copy and links. So... average users won't see these pages anywhere, but Google sure does and is indexing the pages. This will both hurt me (Google thinks my site is affiliated with cialis) and is also likely helping the spammers' pages that my site now seems to be linking to.

    I have added no plugins, and oddly, this is happening to *all* my WP domains, but not my Drupal or Joomla ones, so that is the interesting consistency. Has anyone else seen this? I've looked for odd files, base64 code in existing files, etc, etc and found no smoking gun. I'm stumped. Any advice?

  2. Mark (podz)
    Support Maven
    Posted 2 years ago #

    Start here: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Who is your webhost? (this could be very important)

  3. war3rd
    Member
    Posted 2 years ago #

    Unfortunately I've done all this and my hosting company has no idea what could be going on. They are not WP experts so they've checked all they can on their end, and I've been poring through all my files, logs, etc, reinstalled, etc and I'm stumped. Google is going to punish the heck out of me for this, I just hope I can figure it out in time, before I get relegated to the black hole.

  4. Julio Potier
    Member
    Posted 2 years ago #

    Hello, contact me, I'm a Web Security Consultant and I bring hacked websites back to life all the time.
    See you!
    [signature moderated]

    [Moderator warning: It is against forum rules to solicit work here.]

  5. The Hack Repair Guy
    Member
    Posted 2 years ago #

    Hi,
    Sadly I see this fairly often. What may have happened is that your website was actually hacked months ago, and the hacker left behind some sneaky back door scripts. While you dutifully updated and did all the right things, you may have missed the actual hacker files which are often disguised to look legitimate.

    So you have a few potential issues here:
    1. Possible back door scripts you'll need to locate.
    2. It's possible your database was compromised, which means you'll need to have someone dig into it through phpMyAdmin and root those out.
    3. Double check your plugins as well. Delete all inactive plugins and inactive themes.

    This is a really nice summary as well that you may find helpful:
    http://www.studiopress.com/tips/wordpress-site-security.htm

  6. Mark (podz)
    Support Maven
    Posted 2 years ago #

    war3rd - what is the name of your webhost? If you tell us the name we can tell you if they are useless.

    "my hosting company has no idea what could be going on"
    In that case - move. Seriously - find a host who does know what goes on. After all if they won't help you now do you expect any help from them ever?

    julio - please do not use the forums to 'get work'. Offer help and knowledge here that will benefit everyone.

  7. Julio Potier
    Member
    Posted 2 years ago #

    Sorry Mark! I won't do it again.
    I cannot offer free help when this work can take a full day:
    - talk with the people to understand the issues and get access
    - search for malicious files
    - update all that can be
    - find the vulnerability
    - patch the hole
    - come back every day then every week to check the health.
    Also, Web Security is my job, I really cannot offer this.

  8. war3rd
    Member
    Posted 2 years ago #

    Mark,
    My webhost is Liquidweb and I just don't think they get WordPress, so I'm on my own. I *did* get hacked months ago and cleaned everything up, but it's most likely I didn't really clean it all up. I removed all unknown files, found and removed all base64 code, reinstalled everything, to no avail. I may need to rebuild the database, and this really sucks because it's affecting 3 of my sites and really screwing up my traffic and ranking.

    Man... before I moved to WP everything was fine, when I wrote all the code myself, a complete custom site, I never got hacked. I love WP for making things take a lot less time to accomplish now, but damn... these exploits are driving me nuts.

  9. esmi
    Forum Moderator
    Posted 2 years ago #

  10. The Hack Repair Guy
    Member
    Posted 2 years ago #

    It's very likely that you missed the back door hacker scripts. So while you did your best to clear up the "symptoms" of the hack, the actual "bug" was/is possibly still hiding in the background, saved to look like a generic wordpress file.

  11. war3rd
    Member
    Posted 2 years ago #

    I've seen a bunch of those sites, but I'll review them all, thanks Esmi. And yep, Hack Repair Guy, that's the conclusion I've come to. I may have to start over, which will be a nightmare.

  12. perezbox
    Member
    Posted 2 years ago #

    Hi war3rd

    SEO spam, which is what you're dealing with, can be really tricky. If you're doing this by hand, try replacing all the core files. Rename wp-admin / wp-includes, then push over fresh copies. Do the same with the root files.

    This is quick and easy for you to do. Why it's valuable is because it won't just copy existing files, it'll also allow you to purge any backdoor files that might be in the core install.

    Make note though, this can be a painful process. If not in the root, you'll have to work inward, start with plugin, then move to the theme.

    In most cases the issues you're talking about come from cross-site contamination issues. Not sure of your specific scenario but read these to see if they apply:

    http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html

    http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html

    Best of luck

  13. war3rd
    Member
    Posted 2 years ago #

    Perezbox, already done that last week. I have a feeling that I may have resolved the issue, but all the fake links are still indexed by google, so I may have to wait a month or so for them to fade from existence. If I can figure out what they all are I can try de-indexing them from google via webmaster tools, but part of me is really nervous about what I may have still missed. I'm good, but not great at coding, but I'm keeping my fingers crossed.

    Thanks for the links. I'm going to keep reading up on this to be sure I've got it licked (which I'm skeptical about) but also to ensure I can prevent this from happening again. I'm getting so much traffic right now from people looking for horny men sex and cialis/viagra that it's revolting. Hopefully I can nip that.

  14. @war3rd: you may need to change hosts. Some hosts are simply insecure and you will get hacked again. You can export your pages/posts and start with a clean WP install, or move the database after scanning it.

    See Moving WordPress « WordPress Codex and Recommended WordPress Web Hosting. Use Google Webmaster's Tools to remove URLs after you set up an account with Google: Google Webmaster Central

  15. war3rd
    Member
    Posted 2 years ago #

    I've been thinking about it. I have a big loyalty problem, and that is keeping me with these guys, but you are probably right... Any recommendations for good, safe and not terribly expensive hosts?

  16. perezbox
    Member
    Posted 2 years ago #

    Hi war3rd

    One infection wouldn't be cause to move just yet. I would talk to the Liquidweb guys to see if they can't provide better insight (i.e., diagnose the logs and what not to understand the potential attack vector). In my experience more often than not there is as much responsibility on the end-user as on the host.

    I wouldn't wait for Google to reindex on their own, I would resubmit via webmaster tools so that they can proceed. If you request a review they take an average of 10 hours, although sometimes as much as a week. At least this way you know if you've removed it all. It'll suck if you wait a month hoping it's clear just to find out it's not.

    I would also lock down your uploads directory, within wp-content, to disallow any PHP files to be uploaded or executed. If it happens again I'd attribute it to a missing backdoor on your server.

    Don't know much about your setup on the server, but if it's not in the app directory I'd go up a few directories and check the other server directories as well.

    Thanks
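
Added example, not part of the thread and not any poster's code: one way to check what posts 12 and 16 describe, by comparing the installed `wp-admin` and `wp-includes` against a fresh copy of the same WordPress version and listing PHP files under `wp-content/uploads`. The function names, the extension list and the sample trees are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # the directories post 12 says to replace
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}  # assumption: what the server would execute

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site, clean):
    """Compare a live install against a fresh copy of the same WordPress version."""
    site, clean = Path(site), Path(clean)
    report = {"extra": [], "modified": [], "uploads_php": []}
    for core in CORE_DIRS:
        for f in sorted((site / core).rglob("*")):
            if not f.is_file():
                continue
            rel = f.relative_to(site)
            if not (clean / rel).is_file():
                report["extra"].append(rel.as_posix())     # not present in the fresh copy
            elif digest(f) != digest(clean / rel):
                report["modified"].append(rel.as_posix())  # core file, altered content
    # Uploads should hold media only; any PHP there is a candidate backdoor.
    for f in sorted((site / "wp-content" / "uploads").rglob("*")):
        if f.is_file() and f.suffix.lower() in PHP_EXT:
            report["uploads_php"].append(f.relative_to(site).as_posix())
    return report

def build_demo(base):
    """Constructed sample trees: a clean copy and a site with three planted anomalies."""
    core = {"wp-admin/index.php": "<?php // admin\n",
            "wp-includes/version.php": "<?php // version\n"}
    for root in ("clean", "site"):
        for rel, body in core.items():
            p = Path(base, root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    site = Path(base, "site")
    (site / "wp-includes/version.php").write_text("<?php // altered\n")
    (site / "wp-includes/class-wp-legit-looking.php").write_text("<?php // planted\n")
    uploads = site / "wp-content/uploads/2012/03"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8")
    (uploads / "thumb.php").write_text("<?php // planted\n")
    return site, Path(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in audit(*build_demo(tmp)).items():
            print(f"{kind}: {paths}")
```

On a real site, point `audit` at the document root and at an unpacked download of the exact installed version; a file listed as "extra" with a core-looking name is the disguised-backdoor case posts 5 and 10 describe.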

  17. perezbox
    Member
    Posted 2 years ago #

    Hi war3rd

    Lastly, just so you know all the hosts on the list @songdogtech provided have sites that have been hacked.

  18. ambrosite
    Member
    Posted 2 years ago #

    I had good experiences with hostmatters.com when I was with them years ago (I'm on a VPS now, but that is probably overkill for most WP users).

    Also, read this:
    http://ottopress.com/2011/how-to-cope-with-a-hacked-site/

  19. @perezbox said:

    Lastly, just so you know all the hosts on the list @songdogtech provided have sites that have been hacked.

    Means nothing. All shared hosts are vulnerable to some degree. Some are much better than others.

  20. perezbox
    Member
    Posted 2 years ago #

    Hi songdogtech,

    What I actually said was that all the hosts have "sites that have been hacked."

    If you see the distribution of malware across these hosts you'd understand my statement better, specifically the one for the hosts on that page you provided.

    This statement in itself holds no value if you can't quantify or objectively explain it: "Some hosts are simply insecure and you will get hacked again." Are you implying that his is more insecure than the ones on the page you referenced? If so, can you objectively quantify that statement? If not, then it too holds no true value, does it?

    The purpose of my statement was in direct response to consider changing. Too often the immediate response is to change the host, but in reality there are a number of things that come down on the end-user that should be considered first. I would argue that like WordPress, the biggest weakness for hosts is more often than not the end-user.

    I hope this provides better clarity around my response.

    For the record, I don't work for any host. Just my .02

    Thanks

  21. TheFaro
    Member
    Posted 1 year ago #

    This is happening to my site now. What's interesting is that it only seems to occur in Windows XP. WP used to advise me to update although I have already. The issue would be resolved but only for a day or a few minutes. The links would come right back. I've been meaning to replace all the core files but I'm afraid that it won't resolve the issue since there may be something stored in my database -_-. What a pain.

  22. esmi
    Forum Moderator
    Posted 1 year ago #

    @TheFaro: As per the Forum Welcome, please post your own topic. Your problem - despite any similarity in symptoms - is likely to be completely different.

Topic Closed

This topic has been closed to new replies.
