Hacked: Can't find source of injection (9 posts)

  1. sommernyte
    Member
    Posted 2 years ago #

    I was contacted to rescue an old WP site of mine that I haven't worked on in a few months. It started showing in Google with words like "Cialis" and "Viagra" in the search engine results. Investigation showed Google reported it as appearing to be cloaked as of May 17th.

    I've changed all passwords and security keys, but cannot find the source of the injected code. When I run Google's "Fetch as Google" tool, I see this in the header:

    HTTP/1.1 200 OK
    Date: Tue, 22 May 2012 02:16:21 GMT
    Server: Apache
    Cache-Control: no-cache, no-store, must-revalidate
    Keep-Alive: timeout=2, max=10
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
    
    <!DOCTYPE html>
    
    <html dir="ltr" lang="en-US">
    
    <style>
    .c2fvhhr33	{
    	visibility: hidden;
    }
    </style>
    <meta charset="UTF-8" />
    <title>...

    Where the STYLE has been injected. There is then code injected into some rollover JavaScript in the template:

    <script type="text/javascript">
    <!--
    function MM_swapImgRestore() { //v3.0
      var i,x,a=document.MM_sr; for(i=0;a&&i     <a class='c2fvhhr33' href="http://www.mysite.com/">rockbottom viagra prices</a><a class='c2fvhhr33' href="http://www.mysite.com/">cialis daily dose strength</a> ...

    etc. where the http://www.mysite.com/ links are actual links within my site (edited for client privacy).

    I disabled all plugins and re-ran the "Fetch as Google" tool and the code was still injected. I changed themes and re-ran the "Fetch as Google" tool and the code was still there. I've searched the entire WP database for "%visibility: hidden;%" as well as "%<noscript%" and others I found via various blogs as potential sources of injection.

    I've searched the wp_options table and see no odd entries; I've searched all of the plugin folders and see nothing odd there, either.

    Starting from scratch with a clean WP install and all new plugins and themes is not a viable option right now due to the complexity of the site.

    Other ideas?

  2. Starting from scratch with a clean WP install

    Good.

    and all new plugins and themes is not a viable option right now due to the complexity of the site

    Not so good. Until you completely delouse your WordPress installation, every one of those plugins and themes is suspect and may have exploit code in it.

    Getting fresh copies from the source really is the way to go. If you can't do that, for whatever reason, then you risk being continuously compromised.

    Here is the standard response for hacked sites.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    Hardening WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

  3. sommernyte
    Member
    Posted 2 years ago #

    The theme and one plugin - the main plugin that runs the site - are custom and there is no "source" to reinstall them from. :(

    Looks like I've already been to almost all of the posts you've referenced, but I will check the ones I have not yet been to...

  4. RichardWPG
    Member
    Posted 2 years ago #

    Perhaps you could ask for help from the tech person at your hosting provider; they might find the source of the injection.

  5. sommernyte
    Member
    Posted 2 years ago #

    I am already working with my web host, who is as stumped as I am at the moment... but they are looking!

    Was just hoping someone here might have more insight than I'm able to manage on my own at the moment. :)

    I've gone through all of the links above and have done all except replace WP install and plugins. And while that would "fix" it, it still wouldn't tell me what happened, so I'm going to plug away at it a while longer to try to find that actual source/cause.

  6. adpawl
    Member
    Posted 2 years ago #

    Want to find the source?
    The best way is checking files by modification time, combined with server log analysis.

    Often, each case requires individual attention, so there is no single recipe.

  7. Johnb81
    Member
    Posted 2 years ago #

    Hi sommernyte,

    You can also do the following:

    1. Download all the WordPress files from your website to a local location.
    2. Download the latest WordPress files.
    3. Compare both (you will see differences in plugins and themes) but you should not notice changes in the WordPress code.

    This way you can find out what the injection is, and hopefully once you know what the injection is, you can find out more about it (on Google or so) and how it is typically injected.

    To compare directories and files you can use a free open source tool such as WinMerge.

  8. vtxyzzy
    Member
    Posted 2 years ago #

    Have you tried the Exploit Scanner plugin and the Sucuri.net scanner?

    Here is an article with more info on Exploit Scanner:

    http://www.totalbounty.com/839/how-to-find-malware-in-wordpress-with-exploit-scanner/

  9. sommernyte
    Member
    Posted 2 years ago #

    I had looked at the modification times, but the tricky part is I no longer work for the company whose website this is, so I had no idea who'd updated what and when since I'd left. I was just called back to rescue the site.

    This was the message from my web host, who ultimately found the affected files:

    At least the following files are infected:

    /wp-content/plugins/voucherpress/tcpdf/config/lang/view.php
    /wp-content/plugins/gravityforms/languages/language.php

    Those files are relatively new (created within the last two months). So we compared the modification times on those two files to see exactly what else was happening on the site when they were created, and we found that at the moment that happened, a Russian IP address was issuing POST commands to this URL:

    /wp-content/plugins/constant-contact-api/wplogs.php

    So that was also an infected file. However, that file has since been deleted. So it may have been the original source of the infection, or it may not; it's impossible to tell without seeing it, which we can't do.

    The original source of this was most likely that one of your plugins was compromised when you originally downloaded it (these are all too common), but that original infection may have been overwritten by an upgrade to that plugin... which doesn't help once it's spread.

    I've since replaced all WP files with a clean download as well as all plugins.

    LOVE my web host... I was determined to find out WHERE the infected files were and they did it. :)
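    The host's method in the post above (and adpawl's advice earlier in the thread), as an added example that is not part of the thread: take the mtimes of the newly created PHP files and pull every POST request from the access log that landed within a couple of minutes of them, then count which (client IP, POST target) pair keeps recurring. The file mtimes, IP addresses, timestamps and log lines below are constructed for the example; only the plugin paths echo the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input, not taken from the thread: two suspect-file mtimes
# (what `find -newermt` or `ls -l --time-style=full-iso` would give) and four
# Apache combined-log lines. Paths follow the thread's plugin directories; the
# IP addresses, timestamps and user agents are made up.
SUSPECT_FILES = {
    "/wp-content/plugins/voucherpress/tcpdf/config/lang/view.php": "2012-05-17 02:14:05 +0000",
    "/wp-content/plugins/gravityforms/languages/language.php": "2012-05-17 02:14:07 +0000",
}
ACCESS_LOG = """\
203.0.113.9 - - [17/May/2012:02:13:58 +0000] "POST /wp-content/plugins/constant-contact-api/wplogs.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2012:02:14:01 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Googlebot/2.1"
203.0.113.9 - - [17/May/2012:02:14:06 +0000] "POST /wp-content/plugins/constant-contact-api/wplogs.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2012:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each combined-log line that parses."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def posts_near(files, log_text, window=timedelta(minutes=2)):
    """Map each suspect file to the (ip, target) of every POST logged within +/- window of its mtime."""
    entries = list(parse_log(log_text))
    result = {}
    for path, mtime_str in files.items():
        mtime = datetime.strptime(mtime_str, "%Y-%m-%d %H:%M:%S %z")
        result[path] = [(ip, req_path) for ip, t, method, req_path, _ in entries
                        if method == "POST" and abs(t - mtime) <= window]
    return result

def rank_sources(near):
    """Count (client IP, POST target) pairs across all suspect files; the pair that recurs next to
    every new file is the candidate dropper. A .php target under wp-content that is POSTed to
    directly (bypassing WordPress's front controller) is flagged, as wplogs.php was in the thread."""
    counts = Counter(pair for hits in near.values() for pair in hits)
    return [(ip, target, n, target.startswith("/wp-content/") and target.endswith(".php"))
            for (ip, target), n in counts.most_common()]

if __name__ == "__main__":
    for ip, target, n, flagged in rank_sources(posts_near(SUSPECT_FILES, ACCESS_LOG)):
        print(f"{ip} POST {target}: {n} requests near new files" + (" <-- direct PHP in wp-content" if flagged else ""))
```

    On a real server the same correlation is done against the full access log and a `find /path/to/wp -newermt "<date>"` listing; the unrelated login POST hours later drops out because it falls outside the window.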

Topic Closed

This topic has been closed to new replies.
