Search Engine Hack - My Site Got Reported By Google (12 posts)

  1. dadaas
    Member
    Posted 1 year ago #

    Don't know where to start.
    A few months ago I noticed that some weird queries for viagra appear for my site. And my site has nothing to do with viagra or anything else like that. It is a simple domestic fun website with jokes, pictures and videos.

    http://www.surfvic.com

    Now Google sent me a warning that my site is probably hacked, but I checked everything and I don't see it hacked. Everything looks fine and no problems with anything.

    But when you go to http://www.google.com and write this down: site:surfvic.com viagra
    You will see there are tons of indexed pages of my site and all of them give error 404, so I really don't understand how, who and why did someone make this from my search results.

    Please, any help is appreciated because I'm really lost here on this problem.

  2. dadaas
    Member
    Posted 1 year ago #

    [ Moderated: please do not post suspected malware on these forums ]

    Please can someone who is an advanced WordPress coder tell if this code is a hack?

    I have found it on different WordPress websites in the wp-includes directory and I think it is a hack because this same code is inside of different filenames: sometimes it is called wp-dball.pgp, rss-rewrite.php, theme-loads.php

    This is weird; let me know if this is the thing I need to remove?

  3. dadaas
    Member
    Posted 1 year ago #

    Here is some discussion I have on this topic:
    Google group

    A guy found a cache of the page that is hacked. Can you check the source of it and see what kind of plugin/template or something is doing this?

    [ link redacted ]

  4. bcworkz
    Member
    Posted 1 year ago #

    That is definitely not the proper code for wp_setcookie(). Not only does it not even set a cookie, it is definitely malicious. It allows arbitrary data to be POSTed to your server and saved as a presumably executable file.

    Not only should this sort of code be removed, but your entire site is suspect. Start working through FAQ My site was hacked.

  5. dadaas
    Member
    Posted 1 year ago #

    Yeah, I found some site in the French language with details on how to remove this thing. It is injected in the database in wp-options; search for base64 and you will see wp-optimize inside the wp-options table with a base64 code which is malicious. Then delete these files.

    I found these files by date. I updated to the latest version of WordPress and then in wp-includes I saw malicious files with different names.

    I'm not sure if wp-optimize is guilty of injecting this thing in the database, but I really don't like to see wp-optimize as a major part of this hack... So maybe there should be a warning on this plugin.
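
The two checks described in this post (base64 content in the options table, unexpected or recently dated files in wp-includes), as an added example that is not part of the original thread. The option rows, the core file list, the cutoff time and the placeholder payload are constructed assumptions; only the names wp-optimize and rss-rewrite.php come from the thread.

```python
import base64, os, re, tempfile

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")
PHP_MARKERS = (b"<?php", b"eval(", b"$_POST", b"$_REQUEST", b"base64_decode")

def suspicious_options(rows):
    """Names of options whose value holds a base64 run decoding to PHP-like code."""
    hits = []
    for name, value in rows:
        for run in B64_RUN.findall(value):
            run = run[: len(run) - len(run) % 4]  # trim to a decodable length
            try:
                decoded = base64.b64decode(run)
            except ValueError:
                continue
            if any(marker in decoded for marker in PHP_MARKERS):
                hits.append(name)
                break
    return hits

def unexpected_files(include_dir, known_core, cutoff_mtime):
    """Split files into (not in the core list, core files changed after cutoff)."""
    unknown, modified = [], []
    for root, _dirs, files in os.walk(include_dir):
        for fn in files:
            path = os.path.join(root, fn)
            rel = os.path.relpath(path, include_dir)
            if rel not in known_core:
                unknown.append(rel)
            elif os.path.getmtime(path) > cutoff_mtime:
                modified.append(rel)
    return sorted(unknown), sorted(modified)

def demo():
    # Constructed sample data: three option rows and a throwaway wp-includes tree.
    payload = base64.b64encode(b"<?php /* constructed placeholder, not real malware */ ?>").decode()
    rows = [("blogname", "Jokes and videos"),
            ("session_sample", "0123456789abcdef" * 4),  # long token, decodes to noise
            ("wp-optimize", 'a:1:{s:4:"code";s:%d:"%s";}' % (len(payload), payload))]
    known_core = {"version.php", "functions.php"}  # assumed list from a clean release
    with tempfile.TemporaryDirectory() as d:
        for fn, mtime in [("version.php", 900_000_000), ("functions.php", 1_100_000_000),
                          ("rss-rewrite.php", 1_100_000_000)]:
            path = os.path.join(d, fn)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        unknown, modified = unexpected_files(d, known_core, cutoff_mtime=1_000_000_000)
    return suspicious_options(rows), unknown, modified

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so the comparison against a clean file list is the stronger of the two file signals.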

  6. bcworkz
    Member
    Posted 1 year ago #

    I'm sure the malicious wp-optimize entry is just another camouflage technique to try to avoid discovery and has nothing to do with the plugin. If you are using this plugin, be sure you are using the latest version. Older versions had a feature that might have been exploited to escalate user privilege. (My guess based on examination of the plugin code)

    Be absolutely sure you remove every single bit of this infection if you want to go that route. If you miss one thing like the snippet you posted, the whole thing can easily return.

  7. dadaas
    Member
    Posted 1 year ago #

    No, it had to do something with wp-optimize because a long time ago my wp optimize was not working, I had no clue that I was hacked...
    it gave me a blank page..

    Yeah, I removed everything and now I'm monitoring if the thing will come back. Most important is to clean the database...

    On my server they can't edit or modify files, that's why they use the technique of uploading and adding files.

  8. Aloys de Vries
    Member
    Posted 1 year ago #

    I had something like this after a virus on my computer copied my passwords from my ftp-programme. Maybe you should change your site's password. Do not have your ftp-programme remember your passwords!

  9. dadaas
    Member
    Posted 1 year ago #

    Nah, this is not that. But yes, I have changed all passwords because these backdoors can read wp-config and store it and then use it. So it is important to clean all files and database infections and then change passwords.

  10. dadaas
    Member
    Posted 1 year ago #

    Just an update on this topic:

    I finished deleting 40 WordPress websites from my host and now I'm in the process of restoring them. I could not clean the damn thing and this Pharma Hack is so nasty, nothing I have seen before. You really don't know how many backdoors they infected, and when they infect your server it appears they can do anything.

    If someone knows the person/company that is doing this and if there is some lawsuit against them, please provide links. I'm willing to help in all kinds of forms (signing petitions, telling my story, donating money...).

  11. Andrew
    Forum Moderator
    Posted 1 year ago #

  12. dadaas
    Member
    Posted 1 year ago #

    Yeah, I have read all of these pages + more results for this problem I got from Google and to be honest it looks like you can't clean this thing. Maybe some weak Pharma Hacks with obvious backdoors, but I had a database infection. So I wiped everything and now I'm installing from a fresh new database and files.

    And it is interesting that I got infected half a year ago. For 6 months I didn't know I was infected. That is the nasty part of this Pharma Hack.

    To all who read this, check your website for Pharma Hack; there is a high chance you are infected if you don't update plugins and WordPress instantly.

This topic has been closed to new replies.