
WordPress Hacked! List of Links in the source code (6 posts)

  1. samiotis
    Member
    Posted 2 years ago

    Two of my WordPress sites, both on the same account, have been hacked and I cannot find out where it comes from. I have searched all possible sources to find something similar but found nothing. I tried the usual and turned off all plugins, tried to spot something by screening the files and folders, searched for .exe and iframe but came up short again.

    The hack can only be seen in the source code of the sites. At the bottom of the page is a huge list of links that have been injected in a very clever and potentially dangerous way. I say dangerous because when I look at the Google webmaster tools, there is no malware detected on my sites, but if I check what Google sees, I can see ONLY the list of links! All other content gets suppressed by the hack.

    I tried Exploit Scanner but it only runs in circles and says 0 files scanned.

    Here are the two sites: http://www.accommodationkohtao.com and http://www.island-cruises.org. Any help is much appreciated.

  2. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago

  3. samiotis
    Member
    Posted 2 years ago

    Been through all of the above. Thanks esmi, but there is nothing in there that would bring me near to finding where to look. Except the one guy who mentioned I'd have to go through every single file on my wp installation and search manually... That would take months. Is there any way to locate where the injection originated on my wp? The links in question are not staying the same; they change dynamically upon refreshing the source code.
    Help...

  4. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago

    Except the one guy who mentioned I'd have to go through every single file on my wp installation and search manually.

    Sometimes, that's the only way.

  5. samiotis
    Member
    Posted 2 years ago

    I'm still hoping for a better idea - 2 sites, search every file... I guess I'm faster rebuilding it, except for the fact that if I don't find where these links come from I might risk taking them over via my backup files.

  6. samiotis
    Member
    Posted 2 years ago

    OK, after a more or less sleepless night and hours of studying protocols, I found the devil! And since I hate it when threads are closed without a solution, here comes the solution for this one:

    The injection occurred through the plugin "Effects for NGGallery". I recommend immediately deleting this plugin with all files in it. The bugger sits in the utmost deepest folder of the plugin. Before I deleted it (don't bother deactivating it - who knows what that might cause...), I made a note of how the injection was built.

    9 files were added to the folder wp-content/plugins/effects-for-nextgen-gallery/effects/highslide/lib/themes/default/graphics/outlines

    1. 370.php which contains the first crack of wp salt and attacks the storage of the secret key. And it does probably lots of other things too. Like infecting my config file with some additional keys.

    2. ee7b.php does about the same as the above. Lots of encrypted stuff starting with a salt attack.

    3. bi is an empty file

    4. csi converts ip addresses into numbers

    5. cnf is an encrypted config file and I guess the guy has access to the complete wp by now.

    6. lb is the link library, so actually searching for one of the URLs in this list, easily copied from the infected site's source code, in the cPanel file manager should reveal the location of this file.

    7. lock is an empty file

    8. rlf is the click counter

    9. skwd are the site keywords, basically a list of all words you can imagine, very long.

    If your site got infected, read this: After removing the folder with the plugin you need to go to your config file and change the secret keys. This is essential, otherwise you might get it back again. When you get to the config file you will find a website address where you can obtain new secret keys. It's as simple as copy/paste but important to do. The hacker has modified this file by adding additional keys, thus leaving a back door open for future attacks.

    I'm not 100% sure if it was Effects for NGGallery, but it was the oldest plugin on the site, last updated 500+ days ago, which made it suspicious to me.

    As a last note, the plugin was installed on only one of the two sites, but the link list showed in both sites, so if you run multiple sites on one account, better change the secret key there too.
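    Added example, not the poster's code or the plugin's: a small Python checker for the two manual steps this post describes, searching an install for one URL copied from the injected link list (the way the poster located the `lb` file) and flagging `*_KEY`/`*_SALT` defines in wp-config.php beyond the eight WordPress ships. The site tree it builds, the URL and the extra key name `BD_KEY` are constructed fixtures, not indicators from the thread.

```python
import os
import re
import tempfile
from pathlib import Path

# The eight key/salt constants a stock wp-config.php defines (the ones the
# secret-key generator linked from wp-config.php hands out).
STANDARD_KEYS = {
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}
DEFINE_RE = re.compile(r"define\(\s*['\"]([A-Za-z0-9_]+)['\"]")


def extra_key_defines(wp_config_text):
    """Names of *_KEY / *_SALT defines that WordPress itself never ships."""
    names = set(DEFINE_RE.findall(wp_config_text))
    return sorted(n for n in names
                  if n.endswith(("_KEY", "_SALT")) and n not in STANDARD_KEYS)


def find_files_containing(root, needle, max_size=5_000_000):
    """Walk an install and list files (relative to root) whose bytes contain
    `needle`, e.g. one URL copied from the injected link list."""
    needle = needle.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                if path.stat().st_size <= max_size and needle in path.read_bytes():
                    hits.append(path.relative_to(root).as_posix())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return sorted(hits)


def build_constructed_site():
    """Constructed fixture only: a tiny tree shaped like the layout in the post."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    deep = Path(root, "wp-content/plugins/effects-for-nextgen-gallery/effects",
                "highslide/lib/themes/default/graphics/outlines")
    deep.mkdir(parents=True)
    (deep / "lb").write_text("<a href='http://spam.invalid/p1'>x</a>\n")  # fake link library
    Path(root, "wp-content/plugins/hello.php").write_text("<?php // benign\n")
    Path(root, "wp-config.php").write_text(
        "define('AUTH_KEY', 'a');\ndefine('NONCE_SALT', 'b');\n"
        "define('BD_KEY', 'planted');\n")  # constructed extra key
    return root
```

Run `find_files_containing` against the real document root with a URL taken from the injected list; any hit under a plugin's graphics or theme folder is the file to remove, and the config check tells you whether wp-config.php was touched too.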

Topic Closed

This topic has been closed to new replies.