[resolved] I've been hacked, permalinks are going off site (13 posts)

  1. roseba
    Member
    Posted 1 year ago #

    It started about two weeks ago when I opened up comments to non-registered users. After a while, getting comment spam, I put some CAPTCHAs in place.

    I was monitoring my traffic very closely and I kept noticing traffic from ubiquity services. The IPs kept rotating, the user agent and other headers kept rotating. In essence, it was not consistent with a human.

    I began blocking those IPs on the .htaccess level. I also contacted ubiquity who essentially said, "not their problem".

    I stopped getting as much traffic from ubiquity but noticed very odd referral urls. I was getting referrals from a lot of non-search engines, and when I visited their sites, there was no trace of my domain. I knew something was up.

    I looked into various things to shore up my security even more, many of which ended up breaking my site, or locking ME out.

    I scanned through my folders looking for modified dates. I ran a few WP plugins on security that exposed certain "base64" codes etc. But it all looked like it was a normal part of the plugins in question. (Adminer has a lot of that.)

    Last night when I checked on my site, and clicked on one of my permalinks, it took me off site. I discovered ALL of my links are doing that.

    I removed EVERY file from my WP directory and put a clean install of WP. I also downloaded my plugins anew. It did not fix the problem, which leads me to believe it may be part of the database, which is not my strong suit.

    I'm not sure where to look and how to troubleshoot at this point.

    I need some help.

  2. roseba
    Member
    Posted 1 year ago #

    Oh and my website is http://www.roseba.com/

  3. keesiemeijer
    moderator
    Posted 1 year ago #

    Try:

    - switching to the default theme by renaming your current theme's folder in wp-content/themes using FTP or whatever file management application your host provides.

    - resetting the plugins folder by using FTP or whatever file management application your host provides. Sometimes, an apparently inactive plugin can still cause problems.

    - set your permalink structure to the default structure at Settings > Permalinks in your admin panel and see if the redirecting still happens

    - renaming the .htaccess file or deleting it after a backup of the .htaccess file.
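
One way to inspect the .htaccess file from the last step before renaming or deleting it, as an added example that is not part of the original thread: it lists directives that send visitors to a host other than your own, and notes when such a redirect fires only for certain referrers or user agents. The function name `audit_htaccess`, the sample file and the placeholder host `redirect.example.net` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Directives that can send a visitor to another URL.
REDIRECTING = re.compile(
    r"^(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)\b", re.I)
# Conditions that make a redirect fire only for some visitors.
VISITOR_COND = re.compile(r"^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)

def audit_htaccess(text, own_hosts):
    """Return (line_no, reason) for each directive that points off-site."""
    own = {h.lower() for h in own_hosts}
    findings, cond_line = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if VISITOR_COND.match(line):
            cond_line = no          # applies to the next RewriteRule only
        if not REDIRECTING.match(line):
            continue
        is_rule = line.lower().startswith("rewriterule")
        for url in URL.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in own:
                continue
            reason = f"off-site target {host}"
            if is_rule and cond_line:
                reason += f", only when condition on line {cond_line} matches"
            findings.append((no, reason))
        if is_rule:
            cond_line = None
    return findings

# Constructed sample: stock WordPress rules plus two planted directives.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://redirect.example.net/ [R=302,L]
# BEGIN WordPress
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
ErrorDocument 404 http://redirect.example.net/404
"""

if __name__ == "__main__":
    for no, reason in audit_htaccess(SAMPLE, {"www.roseba.com", "roseba.com"}):
        print(f"line {no}: {reason}")
```

A file that passes this check can still carry other unwanted directives, so compare it against the block WordPress writes between `# BEGIN WordPress` and `# END WordPress` as well.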

  4. roseba
    Member
    Posted 1 year ago #

    I'm not sure what you are saying. Last night, I deactivated ALL of my plugins.

    I followed that by deleting the entire directory, and then reinstalling WordPress from scratch. Then I reinstalled all the plugins from scratch.

    So all files there are brand new files except the robots.txt and .htaccess and the wp-config file. (And the theme I had a backup of)

  5. roseba
    Member
    Posted 1 year ago #

    I did switch the permalink structure, found it to work, switched it back and now it works. Fascinating.

  6. keesiemeijer
    moderator
    Posted 1 year ago #

    Read this: http://wordpress.org/support/topic/how-do-i-verify-recover-from-a-hack?replies=17

    Your site also has an iframe that refers to http://www.dsnextgen.com/

    I don't think this is a hack. Try switching to the default theme.

  7. roseba
    Member
    Posted 1 year ago #

    I don't know what dsnextgen is. But I did try switching the permalinks to default. It worked. Then I switched it back to custom and it also worked.

    Thanks for your help. I have to do some back end work to see if there are other things out there to clean up.

    I do feel there was a hack because of the unusual traffic I was seeing, especially the bunch of referrals coming from YouTube, for instance. (I don't have anything on YouTube). And a bunch of other small websites. And the number of requests in the past week to read my xmlrpc.php file and my robots.txt file.

  8. keesiemeijer
    moderator
    Posted 1 year ago #

    Yes, this is a hack, but probably one that resides in a plugin or theme.
    Scan your theme for malicious code with this plugin: http://wordpress.org/extend/plugins/tac/

  9. roseba
    Member
    Posted 1 year ago #

    I will look at your suggested plugin. All my plugins are newly installed from WordPress. (I didn't keep what was there)

  10. roseba
    Member
    Posted 1 year ago #

    Theme is clean. Hopefully, I killed whatever code was there by reinstalling everything cleanly.

  11. keesiemeijer
    moderator
    Posted 1 year ago #

    Well, that is a good sign. Just to be sure, check your files with this plugin: http://wordpress.org/extend/plugins/exploit-scanner/

  12. roseba
    Member
    Posted 1 year ago #

    Whoever was at it is still trying to do this. This is frustrating because I don't know what the original exploit was, so I can't shore it up.

    And despite the fact that I have listed the IP addresses to ubiquity, they don't want to do anything about it.

    The latest is this morning from: 108.62.220.8

  13. keesiemeijer
    moderator
    Posted 1 year ago #

    There is a lot you can do to secure your install further:
    http://codex.wordpress.org/Hardening_WordPress
