WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Site Redirects to WPstats.org (20 posts)

  1. jacey
    Member
    Posted 1 year ago #

    As of yesterday morning, my self-hosted WordPress blog redirects to WPStats.org. I can access the site by using wp-admin and see that it is stll there but neither I nor anyone else can see anything by the redirected page (which is essentially a set of links trying to sell products and services). The Control Panel for my website still shows the redirect going to where it should.

  2. Can you provide a link to your site please?

    You might want to check with your host and see if they can run your site through some sort of scanner and see if it's been hacked.

    Or you may want to download your theme files and see if there are any weird files in there.

    It does sounds like something malicious is going on.

  3. jacey
    Member
    Posted 1 year ago #

    http://www/jackcurtin.com/ldo. Host has checked and found nothing evident.

    I did find a plugin called nrelate Related Content which I never installed and which I have disabled.

    What should I be looking for in theme files? A quick search doesn't show anything obvious.

  4. In your HTML source code, I can see this:

    <!--
    	top.location="http://pagesinxt.com/?dn=www.wpstats.org&fp=wiiaqB%2BcbViX3VFDWlwapb0JHRJmoC4knolUjmCLJJuP8Pg532JrTxqbrXKJcHQmNF0hNQveKmm%2FpP5zVUyJ3Q%3D%3D&prvtof=D2MpvQRniEupJvyTyVqHF1qIsZy0ZMZm6wFwhBdFsLw%3D&poru=dHIQZK7nyAbHK5dvk7kdUD7%2BM8Nim6Y3xsbaWOM%2Bxm2az%2FGb7PYluKNxUx2abX9b4dHJBwmZerIWOmsQYtAr92Ghl7xA03g9R1DtJf2SzLg%3D&cifr=1&flrdr=yes&nxte=js";
    	/*
    -->

    I would look at your header.php and see what's in there.
    Look in the .htaccess file in the root folder.

    I just ran your site through the sucuri scanner - http://sitecheck.sucuri.net/results/jackcurtin.com/ldo/
    and your site is indeed infected.

    Here are some links to help you out:

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Once you have cleaned up your site, make sure to change your WordPress and FTP passwords.

    Good luck...

  5. One more thing.. If you got this theme from a Google search it might have come with the malicious code in it.
    You could try and do a theme switch and see if that solves the issue. Make sure you pick one from the theme repository though.

    There's a lot of nasty folks out there. :(

  6. jacey
    Member
    Posted 1 year ago #

    Still a disaster.

    Can you tell where to find this source code text you and sucuri uncovered:

    [Code moderated. Please do not post hack code blocks in the forums.]

    Also, where is the .htaccess file?

  7. esmi
    Forum Moderator
    Posted 1 year ago #

    As per the instructions in the resources posted above, you have to check right through your site. Your .htaccess file is in your root WordPress folder - assuming you are using (or have used) custom permalinks.

  8. jacey
    Member
    Posted 1 year ago #

    Yeah, I'm a bit slow. Sorry. Found .htaccess and it seems fine. Still do not know which file I am looking for to see html source code.

  9. esmi
    Forum Moderator
    Posted 1 year ago #

    Chances are that you will not find that exact source markup in your files. what it might be (for example) is a javascript that's adding the markup. Or a php file that contains obfuscated code. Certainly anything that contains 1evalorbase64` is Not Right(tm).

  10. jacey
    Member
    Posted 1 year ago #

    I find two .htacess files, one in the home directory with zero bytes and a 2020 datedand another in /public_html/ with 369 bytes and today's date/. Does that tell us anything(and I'll stop being annoying with questions after this until and unless I can find that troublesome code). Thanks.

  11. esmi
    Forum Moderator
    Posted 1 year ago #

    The empty one in your root WP folder suggests that you're not using custom permalinks but that's about it. The one in your web root doesn't tell us anything really.

  12. whitelight308@msn.com
    Member
    Posted 1 year ago #

    Jacey, did you find out how to fix the problem? The same thing happened to my site and much of the terminology in the "how to fix hacked sites" on WP goes right over my novice head. Any info you can give me about how you fixed it would be greatly appreciated! Or if you can recommend someone good and reasonably priced if that's what you did.

  13. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

  14. whitelight308@msn.com
    Member
    Posted 1 year ago #

    WPyogi, thanks, but I already have that info. I was asking Jacey if he found any shortcuts.

  15. whitelight308@msn.com
    Member
    Posted 1 year ago #

    Jacey- in case this helps you since you seemed to have the same problem- I just deactivated all my plug-ins and my site came back up! I then reactivated them one by one and found the plug-in culprit: "spamcap."

  16. jacey
    Member
    Posted 1 year ago #

    My apologies to you and everyone reading this thread; I should have reported the problem solved and what the solution was. A friend of mine helping me out found the malicious code in the WordPress Database
    Backup plugin. Try disabling or removing that and see if it helps. If not, I guess the best course is to check other plugins. Maybe one of the moderators here will jump in and add more suggestions. Good luck.

  17. jacey
    Member
    Posted 1 year ago #

    Looking at whitelight308's post suggests that plugins really are the target of this hack,

  18. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

    Yes, but with any hack, just removing the errant code is not necessarily sufficient -- you also want to make sure that any "back doors" are eliminated. So that's why we suggest going through all the suggested resources. Also, only use plugins from reliable, reputable sources.

  19. jacey
    Member
    Posted 1 year ago #

    True dat.

  20. worthcommenting
    Member
    Posted 1 year ago #

    yea i updated this yesterday or today and now all my stats are gone...

Topic Closed

This topic has been closed to new replies.

About this Topic