site hacked. help please? (22 posts)

  1. mydog8it
    Member
    Posted 1 year ago #

    My client's website has been hacked. A few pages of the site have "cialis" titles in google, and display "cialis" info when you paste a link to the page into facebook. One visitor was actually served a spam "cialis for order" page when visiting the site and sent a screenshot, but I cannot recreate that issue. The problem can be seen here: hacked and here's a screenshot of what one visitor saw: screenshot

    It appears to be some version of the "pharma" hack, but I've searched through every folder/file on the server and I can't find anything that looks suspicious. The code on all the pages looks fine - there are no visible links or redirects. htaccess is fine. I've looked for the files listed here and searched the database for these entries: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php and didn't find anything. I've spent the last few hours doing a directory comparison with the original install files and didn't find anything awry.

    Does anyone have any info on how to find and fix this? Any help is appreciated.

  2. farsabbutt
    Inactive
    Posted 1 year ago #

    Have you confirmed that the theme files do not contain base_64 code that might look something like:
    [Code removed]

  3. mydog8it
    Member
    Posted 1 year ago #

    There's nothing like that in any of the theme files. I checked the child theme and genesis, just checked the inactive 2013 theme files (holy crap, there are a lot of them...) and I had already deleted the other inactive themes. :/

  4. mydog8it
    Member
    Posted 1 year ago #

    I was looking through all of the wp_option names in the database and found "rewrite_rules" in there. I don't see that listed in the codex option reference. Could that be it?

  5. mydog8it
    Member
    Posted 1 year ago #

    Update: when I run the site through http://sitecheck.sucuri.net/ it comes back clean. When I use the "fetch as google" tool, I see the correct page info. I asked the hosting company to check through the files and they couldn't find anything either. Clearly there is an issue as the titles are all still showing up with "cialis" info in search results.

    Does anyone have any thoughts on how to resolve this? I feel terrible - this site is for a non-profit kids/education related organization.

  6. esmi
    Forum Moderator
    Posted 1 year ago #

  7. Does this happen across all browsers?

    Check your site from a different computer or web browser.

    It is possible your browser is infected with a local malware... which can often display this type of behavior.

  8. mydog8it
    Member
    Posted 1 year ago #

    I've already changed all of the passwords, secret keys and checked the htaccess files, and I've literally opened and scanned through every theme php file and I've done a directory comparison through EVERYTHING and there are no "extra" files anywhere. None of the wp_options rows listed as the problem are in the database. But thanks for the links, Esmi. I've gone through most of them, but there are a couple I haven't seen, so I'll check those out.

    Yes, Josh, I see the altered titles in google on Chrome, Firefox and IE. Initially I thought the user that was served the "cialis" page had a virus or malware as I cannot recreate the issue of actually seeing the "cialis" page: Screenshot from other person. But since I'm seeing altered info in google and yahoo I don't think it's a computer issue.

  9. esmi
    Forum Moderator
    Posted 1 year ago #

    Have you tried using another computer?

  10. esmi
    Forum Moderator
    Posted 1 year ago #

    You mentioned checking files but you didn't say anything about checking your database...

  11. mydog8it
    Member
    Posted 1 year ago #

    Yes, when I do a google site search on my android phone, I get "cialis" page titles. If I click on them, it takes me to the correct site and everything looks just fine.

  12. mydog8it
    Member
    Posted 1 year ago #

    I searched through wp_options in the database and didn't find any of the names the help files said to delete. I actually printed out all of the rows in wp_options and started going through them one by one to make sure they all belong. So far the only questionable entry was rewrite_rules.

  13. esmi
    Forum Moderator
    Posted 1 year ago #

    May I suggest that you try looking through the wp_posts table?

  14. farsabbutt
    Inactive
    Posted 1 year ago #

    Browse through the "Posts" table within the database, check to see if you can spot something malicious there.

  15. mydog8it
    Member
    Posted 1 year ago #

    What should I look for in wp_posts?

    I did see one user without an email address in the db, which seems odd, but they're only a subscriber. I'm not sure how to check to see if that user has changed/added anything?

  16. esmi
    Forum Moderator
    Posted 1 year ago #

    What should I look for in wp_posts?

    You need to actually look at the post titles and content to see if any links have been inserted into the database itself.

    I did see one user without an email address in the db, which seems odd,

    That's more than odd. That's downright seriously suspicious! WordPress will never allow anyone to register on a site without an email address. Remove that user.
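
One way to do the wp_posts review suggested above, as an added example (not code from this thread or from WordPress itself): it scans post content for anchors wrapped in hiding styles and for links pointing off the site. The site hostname (example.org) and the three post rows are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumed hostname of the site being audited

# Constructed wp_posts rows (ID, post_title, post_content); not data from the thread's site.
SAMPLE_POSTS = [
    (12, "Summer reading programme",
     '<p>Join us at the <a href="https://example.org/library">library</a>.</p>'),
    (27, "Volunteer day",
     '<p>Thanks all!</p><div style="display:none"><a href="http://pills.invalid/order">cheap pills</a></div>'),
    (31, "Board meeting minutes",
     '<p>See <a href="https://example.org/minutes">minutes</a> and <a href="http://partner.invalid/x">partner</a>.</p>'),
]

# CSS tricks commonly used to keep injected links invisible to visitors but visible to crawlers.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px|font-size\s*:\s*0", re.I)
# A tag carrying a style attribute, captured with its inner HTML up to the matching close tag.
STYLED_BLOCK_RE = re.compile(r'<(\w+)[^>]*\sstyle\s*=\s*"([^"]*)"[^>]*>(.*?)</\1>', re.I | re.S)
ANCHOR_RE = re.compile(r'<a\s[^>]*href\s*=\s*"([^"]+)"', re.I)


def hidden_links(html):
    """Return hrefs of anchors sitting inside an element whose style hides it."""
    found = []
    for m in STYLED_BLOCK_RE.finditer(html):
        if HIDDEN_STYLE_RE.search(m.group(2)):
            found.extend(ANCHOR_RE.findall(m.group(3)))
    return found


def offsite_links(html, site_host):
    """Return hrefs whose hostname is not the site or one of its subdomains (relative links are skipped)."""
    found = []
    for url in ANCHOR_RE.findall(html):
        host = urlparse(url).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            found.append(url)
    return found


def audit_posts(rows, site_host=SITE_HOST):
    """Return (post_id, reason, url) findings; off-site links are for review, hidden ones are the real signal."""
    findings = []
    for post_id, _title, content in rows:
        findings += [(post_id, "hidden link", u) for u in hidden_links(content)]
        findings += [(post_id, "off-site link", u) for u in offsite_links(content, site_host)]
    return findings
```

Feed it the real rows with `SELECT ID, post_title, post_content FROM wp_posts` and review the "hidden link" hits first; ordinary external links will show up in the "off-site" list and need a human eye.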

  17. farsabbutt
    Inactive
    Posted 1 year ago #

    Looks like a hacker has attacked your site via MySQL injection.

  18. esmi
    Forum Moderator
    Posted 1 year ago #

    Possibly but the entry point may have been elsewhere on the server.

  19. mydog8it
    Member
    Posted 1 year ago #

    Alright, user without an email address has been deleted. I did not, however, find any posts by that user in the db.

    I exported everything in wp_posts to an odt file and did a search for "cialis" and came up with nothing. Would it be that obvious, or would it look more like a script or something in the database?

  20. farsabbutt
    Inactive
    Posted 1 year ago #

    Above you mentioned the following response when I asked to look for base_64 code in files:

    I checked the child theme and genesis, just checked the inactive 2013 theme files (holy crap, there are a lot of them...)

    Have you made sure to delete themes that contain base_64 strings in files and revert to the default WordPress theme (Twenty Twelve)?

  21. esmi
    Forum Moderator
    Posted 1 year ago #

    Have you made sure to delete themes that contain base_64 strings in files

    It might be an idea to first determine which theme files were "base_64".

    Would it be that obvious

    Not necessarily. It could be obfuscated.

  22. mydog8it
    Member
    Posted 1 year ago #

    There were no base_64 strings in any of the active theme files. twenty eleven and twenty twelve were inactive - I just deleted them rather than going through all of the files, so I suppose something could have been in there and it's already been deleted. I did go through the twenty thirteen php files and didn't find any base_64 strings in there either.

    So I've been reading through this page: http://blog.aw-snap.info/2011/02/pharmacy-hack.html and it sounds like this is what's going on with this site:

    I have seen 4-5 WordPress sites in the last couple of days hacked with a Pharma/Payday loan hack that has proved to be extremely well cloaked. The File Viewer Tool is not showing the spam content and in a couple of the sites Fetch as Googlebot failed to reveal the spam content. In these hacks the spam links and the bit of script hiding the links has been hidden away in the database.

    I've looked for cialis spelled backwards in the db and haven't found anything so far...
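
Because the spam in this kind of hack is cloaked (base64 in theme files, strings stored reversed so a plain search for "cialis" finds nothing), a scan has to look at decoded and reversed views of each row, not just the raw text. The following is an added example, not code from the thread or the linked article: it takes a dump of wp_options or theme files as text and reports obfuscation calls and spam keywords found after base64 decoding or string reversal. The sample rows are constructed; the rewrite_rules row is a normal WordPress option and is included as a clean control.

```python
import base64
import binascii
import re

SPAM_WORDS = ("cialis", "viagra", "payday", "pharmacy")
# PHP calls that legitimate option values and theme templates almost never need inline.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|strrev|create_function)\s*\(", re.I)
# Long runs of base64 alphabet: worth decoding to see what they really contain.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample in "option_name|option_value" form; the payload is built here so it is
# not hand-typed base64. Not data from the thread's site.
SPAM_PAYLOAD = base64.b64encode(
    b'<div style="display:none"><a href="http://example.invalid/buy">cialis for order</a></div>').decode()
SAMPLE_TEXT = "\n".join([
    'rewrite_rules|a:2:{s:11:"^wp-json/?$";s:22:"index.php?rest_route=/";}',
    f'widget_text|<?php eval(base64_decode("{SPAM_PAYLOAD}")); ?>',
    'theme_mods_genesis|<?php echo strrev("redro rof silaic"); ?>',
])


def decode_b64_candidates(text):
    """Decode base64-looking blobs; keep only those that decode to mostly printable text."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8", errors="ignore")
        except (binascii.Error, ValueError):
            continue
        if decoded and sum(c.isprintable() for c in decoded) >= 0.9 * len(decoded):
            out.append(decoded)
    return out


def scan(text):
    """Return (line_no, kind, detail) findings for each line of a dump or file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in OBFUSCATION_RE.finditer(line):
            findings.append((line_no, "obfuscation", m.group(1).lower()))
        # Three views of the line: as-is, reversed (defeats strrev), and base64-decoded.
        views = [("plain", line), ("reversed", line[::-1])]
        views += [("base64-decoded", d) for d in decode_b64_candidates(line)]
        for how, view in views:
            for word in SPAM_WORDS:
                if word in view.lower():
                    findings.append((line_no, "spam", f"{word} via {how}"))
    return findings
```

Run it over `mysqldump` output or the concatenated theme files; a hit on a value that should be plain text (a widget, a theme option) is where to start cleaning.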


This topic has been closed to new replies.
