WordPress.org

Ready to get started?Download WordPress

Forums

Viagra Hack on Church Site (4 posts)

  1. crossview
    Member
    Posted 1 year ago #

    So, I volunteered to manage a site for our church, and it has now been hacked with VIAGRA ads. I have read everything I can find in the forums and support articles. I don't have a decent backup of the site from before it was hacked as it has only been up and running for a few weeks and we have been continually tweaking things. I didn't want to make a backup until it was relatively finished...I know, I know.

    Anyway, the good news is that since we are using a custom theme from Themeforest the malicious code doesn't display on our site due to it being masked by the custom header graphic. The bad news is that it affects the snippet that it displayed in our Google search results. Causing our search results to look like this "Get FREE Viagra. Crossview Community Church." While you and I might think that is hilarious, and might in fact increase church attendance, I don't think my church's leadership will agree.

    The site url is http://www.crossviewcommunity.com

    But like I said you can't really see the problem there. Running the following google search is much more enlightening: Viagra site: http://www.crossviewcommunity.com

    You will see that the various Viagra ads are injected into the snippet.

    Any help would be greatly appreciated.

  2. While you and I might think that is hilarious, and might in fact increase church attendance, I don't think my church's leadership will agree.

    While the juvenile sense of humor in my is inclined to reply, I'll just let that one pass...

    That site comes up clean in the Sucuri SiteCheck but that's not always 100% indicative of a hack.

    http://sitecheck.sucuri.net/results/www.crossviewcommunity.com/

    Unmask Parasites does confirm what you've mentioned.

    http://www.unmaskparasites.com/security-report/

    It could be your .htaccess file. Check your .htaccess file for anything that you don't recognize. Post it to pastebin,com, provide us the link and we can take a look.

  3. crossview
    Member
    Posted 1 year ago #

    I haven't used pastebin before so I hope I'm doing this right...
    http://pastebin.com/raw.php?i=ipPgMcnD

    There isn't much in my .htaccess file. Certainly nothing that looks suspicious to my eyes.

    Thanks Jan for looking at this with me.

  4. crossview
    Member
    Posted 1 year ago #

    Update...I have installed the Wordfence plugin and it revealed several core files that had been suspiciously modified as well as some added files that didn't belong to any theme or plugin. There was also a suspected "Shell Attack" whatever that is... anyway I either reverted to the original core file or deleted the suspicious file and my site appears to be clean for now.

    I ran the sitecheck and unmaskparasites scans above and both show no indications of compromise. Is there anyway to be sure that it is gone?

Topic Closed

This topic has been closed to new replies.

About this Topic