
[closed] Hacked/Malware, need help please (22 posts)

  1. SaboSmith
    Member
    Posted 1 year ago #

    Hey all,

    We've just had a very heavy traffic hit due to downranking of articles. After some time searching I've discovered that it appears we've been hacked.

    <!-- Begin Top Bar -->			
    
            <!--start-add-div-content--><p class="nemonn">What this select group of how Quick Cash Payday Loans <a href="http://arthurmurray.com/" title="Quick Cash Payday Loans">Quick Cash Payday Loans</a> are understandably the following. If you to understanding the peak of Viagra Online 50mg <a href="http://alleganlibrary.org/" title="Viagra Online 50mg">Viagra Online 50mg</a> nyu urology erectile function. An soc to uncover the choice of Buy Cialis In Australia <a href="http://so-an.fr/" title="Buy Cialis In Australia">Buy Cialis In Australia</a> tobacco use recreational drug cimetidine. It was awarded service either has Viagra 100mg Online <a href="http://www.biaff.org/" title="Viagra 100mg Online">Viagra 100mg Online</a> reviewed in microsurgical revascularization. Diagnosis the action of damaged innervation loss of modest How To Use Viagra <a href="http://icpmg2014.com.au/" title="How To Use Viagra">How To Use Viagra</a> nonexclusive viagra cialis and urinary dysfunction. Finally the appeals management center amc in their profits Viagra Kaufen <a href="http://chalkfarmdesign.com.au/" title="Viagra Kaufen">Viagra Kaufen</a> on a part upon the figure tissues. Giles brindley demonstrated cad were not positive and receipt of Cialis <a href="http://www.arizonalawreview.org/" title="Cialis">Cialis</a> therapeutic modalities to notify and microsurgical revascularization. Asian j montorsi giuliana meuleman e auerbach eardly mccullough ar Cialis <a href="http://www.acosa.org/" title="Cialis">Cialis</a> et early warning system for sexual measures. An soc was once thought that these would The Cheapest Terms Pay Day Loans <a href="http://shutupandplaythehits.co.uk/" title="The Cheapest Terms Pay Day Loans">The Cheapest Terms Pay Day Loans</a> include those raised at and impotence. However under anesthesia malleable or problems and Viagra <a href="http://www.allcommunitymedia.org/" title="Viagra">Viagra</a> opiates can result of the. 
Low testosterone levels hypogonadism usually end with enough stimulation Buy Cialis Viagra <a href="http://www.givingsight.org/" title="Buy Cialis Viagra">Buy Cialis Viagra</a> to erectile dysfunctionmen who lose their lifetime. Physical examination in at nyu urology erectile dysfunction Viagra Online <a href="http://avoidaclaim.com/" title="Viagra Online">Viagra Online</a> include the issuance of the. Remand as intermittent claudication in treating Viagra <a href="http://alalamiatv.com" title="Viagra">Viagra</a> male sexual functioning apparent? Without in some others their profits on not required Cialis <a href="http://www.africansinvermont.org/" title="Cialis">Cialis</a> where there has gained popularity of penile. Dp reasoned the record shows or Viagra 100mg <a href="http://www.allwomeninmedia.org/" title="Viagra 100mg">Viagra 100mg</a> aggravated by cad in.</p><!--end-add-div-content--><div id="header">  			
    
              <div id="headerpages">				
    
                <div class="wrapper1">
    
                  <div id="someunknownrapper">
    
                    <div class="someunknownrapperl">
    
                      <div id="headernavigation1">

    That features on the majority of our pages. We had this happen 2 years ago but it was plugin related, removing it fixed it instantly. However, we've not added a plugin in recent weeks and this stuff hit the website yesterday.

    Any help on how to remove it, and how it got there, would be very much appreciated.

  2. The Hack Repair Guy
    Member
    Posted 1 year ago #

    I would start by asking host if they have a backup from prior to the hacker text being added, then recover to that.

  3. esmi
    Forum Moderator
    Posted 1 year ago #

  4. The Hack Repair Guy
    Member
    Posted 1 year ago #

    In addition to the backup notes, I recommend you change all your passwords, and make sure to set only one person as Administrator just in case.

  5. LinePlaneVolume
    Member
    Posted 1 year ago #

    One of the sites I'm working on was just hacked as well, and had the same "nemonn" class in the header. I deleted the theme folder and re-uploaded the local version and that did the trick, for now. I backed up the hacked theme folder so I can do a little more digging.

  6. zotsf
    Member
    Posted 1 year ago #

    I found this as well on a slew of sites that are on a shared server.

    I think the real culprit was a new file that was inserted into the core, wp-rss3.php.

    I'd gotten a notice from the hosting provider that this was a potential security risk. When I edited it, I found a script resetting this parameter: $_8b7b.

    Here's an interesting post on it.
    https://discussion.dreamhost.com/printthread.php?tid=134262&page=12

    This post is way more interesting...
    http://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html

  7. I find the non-printable version of that web page to be much easier to read, even with the pagination, but to each their own.

    https://discussion.dreamhost.com/thread-134262.html

    I think the real culprit was a new file that was inserted into the core, wp-rss3.php.

    I think you may want to generalize that some more as "the real culprit was that Very Bad People™ were able to write to my blog's file system."

    It's why the file permission section of Hardening WordPress is often a good read after you've deloused an infected installation/server.

  8. zotsf
    Member
    Posted 1 year ago #

    Thanks Jan, the Hardening WordPress article is a great resource.

    This article really identifies the issue.

    http://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html

    There couldn't be much of a better write up.

    The hack must have been placed by someone with shell or FTP access. This is a general PHP hack, and not limited in any way to WordPress.

    It's a nasty one. I hope this research helped.

  9. robertallen
    Member
    Posted 1 year ago #

    I have installed the Sucuri plugin, and even ran the scanner on those sites mentioned above. Everything came up clean. But I'm seeing this file in the wp-admin folder (thanks to another poster on here)

    update-correct-debra.php

    Is this the malicious file? If so, how do I properly remove it? Do I just delete it? I want to make sure to do this right so I don't mess up the functionality of this site.

  10. willt87
    Member
    Posted 1 year ago #

    That is almost certainly the file! But it's possible that there are others. Delete it and change all your passwords (FTP, database, WordPress admin).

  11. willt87
    Member
    Posted 1 year ago #

    This is what I have found out about "nemonn"

    Just removing the obfuscated javascript from the header will not work permanently.

    There will be an additional base64-coded file elsewhere (the backdoor), and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

    Just updating / reinstalling WordPress from the admin won't remove this file.

    Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

  12. Starejosel
    Member
    Posted 1 year ago #

    I seem to have been a victim of the malware, albeit in a very strange way--I am the admin on a forum hosted at GoDaddy; the site seems to work perfectly normally. However, when I link to it in Google+ or Facebook, the preview shows the "Mayan Viagra spam". Poking around the site [ Link removed ] (you can see it here) with firebug, I found that <p class="nemonn"> with all the junk has been inserted on every page; however, it doesn't show on the page.

    I am not really qualified to deal with this--so any advice for a complete newbie would be appreciated. I am running WP 3.4.2, BBpress 2.2.2, and using the latest version of the Graphene theme. I have a number of plugins installed--if it is helpful, I can list them.

    Any help will be much appreciated.

    Thanks,
    Martin

    p.s. A bit of extra information which may or may not be useful: If I select and copy the whole page into apple's textedit app, then the spam is visible at the top of the page.

  13. damsko
    Member
    Posted 1 year ago #

    Warning: the URL linked in two replies by "zotsf" on this thread has been flagged by Avast! Antivirus as infected:

    Infection Details
    URL:	http://domesticenthusiast.blogspot.nl/20...
    Process:	D:\Mozilla Firefox\firefox.exe
    Infection:	PHP:Shell-AU [Trj]

    hxxp://domesticenthusiast.blogspot.com/2012/03/dyslexic-mayans-want-to-sell-you-cialis.html

  14. robertallen
    Member
    Posted 1 year ago #

    A client of mine recently purchased "Sucuri", which is $89 for one site, and $189 for 2-5. We thought we had cleaned out all the files, but when Sucuri went in, they were able to find and clean things we missed.

    I don't know how anyone feels about premium plugins, but it sure was worth the money in the long run.

    Just a thought.

  15. Jay
    Member
    Posted 1 year ago #

    I found the culprit file in the /wp-admin/includes folder

  16. clickraider
    Member
    Posted 1 year ago #

    What is the file called Jay?

  17. Jay
    Member
    Posted 1 year ago #

    The name appears to vary, but the one I found was class-wp-eat-broken.php

  18. clickraider
    Member
    Posted 1 year ago #

    Can you copy and paste any unique line of the code in that file so that I can do a search throughout my entire site? I do not see any files that are weird except for a few that contain the text "backpress". Is that normal? I also lost many function buttons in the admin area. I used to be able to declare the site TITLE, KEYWORDS and DESCRIPTION through a plugin; now I do not have that option to change it. I can only change the TITLE.

  19. Starejosel
    Member
    Posted 1 year ago #

    I found a base64-encoded file in my wp-admin/images folder which is called archive-dispassionate-intrigue.php. Is this likely to be the culprit? Can I just remove it?

    Also, how can I safely view it without executing it?

    Thanks!

    Martin

  20. Jay
    Member
    Posted 1 year ago #

    I also found a file located in the wp-admin/images. Again, it seems that the name of the hacked file changes.

  21. Starejosel
    Member
    Posted 1 year ago #

    I found the file that was hacked by the base64-encoded file. It was the header.php file in my active theme. It was easy to remove the inserted bit of code, as it was set off in comments: <!--start-add-div-content--> ... <!--end-add-div-content-->

    I hope that this info is useful.
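
    The posts above describe three things a defender has to do by hand: find the randomly named PHP backdoor under wp-admin (post 11 and the file names reported in posts 9, 17 and 19), read its base64 payload without executing it (post 19's question), and strip the block that the backdoor wrote into the theme's header.php between the start/end marker comments (post 21). The script below is an added triage example written for this thread; it is not code from any poster and not a WordPress tool. It builds a small constructed sample tree (a fake header.php and a fake wp-admin/images/archive-dispassionate-intrigue.php, named after the file reported in post 19) so it runs offline; the filename pattern, the eval/base64_decode/$_xxxx indicators and the world-writable check are heuristics for human review, not a definitive signature.

```python
import base64
import os
import re
import stat
import tempfile
from pathlib import Path

# Markers and class name quoted by posters in this thread.
START_MARK = "<!--start-add-div-content-->"
END_MARK = "<!--end-add-div-content-->"
NEMONN_CLASS = 'class="nemonn"'

# Heuristic hints of the base64-wrapped PHP backdoor the posters describe.
# They are prompts for human review, not a definitive signature.
PHP_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "opaque_var": re.compile(r"\$_[0-9a-f]{4,}\b"),  # names like $_8b7b
}
# Names reported in the thread (update-correct-debra.php, class-wp-eat-broken.php,
# archive-dispassionate-intrigue.php) share a prefix-word-word shape.
RANDOM_WORD_NAME = re.compile(r"^(update|archive|class-wp)-[a-z]+-[a-z]+\.php$")


def scan_tree(root):
    """Walk a WordPress tree and return sorted (relative_path, reason) findings.
    Every file is read only as text; nothing is executed or modified."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.suffix == ".php":
            if rel.startswith("wp-admin/images/") or rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file in a directory that should hold only assets"))
            if rel.startswith("wp-admin/") and RANDOM_WORD_NAME.match(path.name):
                findings.append((rel, "random-word filename under wp-admin"))
            hits = [name for name, pat in PHP_INDICATORS.items() if pat.search(text)]
            if hits:
                findings.append((rel, "backdoor indicators: " + ",".join(hits)))
        if START_MARK in text or NEMONN_CLASS in text:
            findings.append((rel, "injected nemonn markup"))
        if path.stat().st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return sorted(findings)


def decode_payloads(php_source):
    """Decode base64 literals passed to base64_decode() so a reviewer can read
    them. The decoded text is returned as a string and never run, which answers
    the 'how can I safely view it without executing it?' question."""
    decoded = []
    for m in re.finditer(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", php_source):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            decoded.append("<undecodable literal>")
    return decoded


def strip_injection(html):
    """Remove the block bracketed by the start/end marker comments (the header.php
    fix described in the thread). Returns the cleaned text; the caller writes it."""
    pattern = re.compile(re.escape(START_MARK) + r".*?" + re.escape(END_MARK), re.S)
    return pattern.sub("", html)


def build_sample_install():
    """Constructed sample tree (not a real site) reproducing the reported symptoms."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    header = root / "wp-content" / "themes" / "sample" / "header.php"
    header.parent.mkdir(parents=True)
    header.write_text(
        "<!-- Begin Top Bar -->\n" + START_MARK + '<p class="nemonn">spam</p>'
        + END_MARK + '<div id="header">\n'
    )
    os.chmod(header, 0o644)
    payload = base64.b64encode(b"echo 'spam';").decode()
    backdoor = root / "wp-admin" / "images" / "archive-dispassionate-intrigue.php"
    backdoor.parent.mkdir(parents=True)
    backdoor.write_text("<?php $_8b7b = 'x'; eval(base64_decode('" + payload + "')); ?>")
    os.chmod(backdoor, 0o666)  # loose permissions, the kind Hardening WordPress warns against
    clean = root / "wp-admin" / "admin.php"
    clean.write_text("<?php require_once 'includes/admin.php';")
    os.chmod(clean, 0o644)
    return root


if __name__ == "__main__":
    site = build_sample_install()
    for rel, reason in scan_tree(site):
        print(f"{rel}: {reason}")
    suspect = (site / "wp-admin" / "images" / "archive-dispassionate-intrigue.php").read_text()
    print("decoded payload:", decode_payloads(suspect))
```

    Run against a real install by calling scan_tree() on the document root instead of build_sample_install(); review each hit by hand, since core files and legitimate plugins do sometimes call base64_decode. The scanner deliberately never writes anything, and strip_injection() only returns the cleaned header text, so restoring from a clean backup (post 2's advice) remains the preferred fix and the password and permission steps from posts 4, 7 and 11 still apply.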

  22. esmi
    Forum Moderator
    Posted 1 year ago #

    If your site has been hacked, then you need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    In the meantime, and as per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem - despite any similarity in symptoms - is likely to be completely different.
