The Sucuri scan came back clear?
I’ll start going through the resources.
Should I do something like right now to protect our main site/moneymaker? It’s on the same server??
And it may be that they changed your actual database entries. I would go edit some of your posts and see if the links have been injected right into the posts.
For example, on stupidrepublicanquotes.com the first post says
– Speaker Paul Ryan in response to the Planned Parenthood clinic cloud atlas screenplay pdf download in Colorado Springs, Colorado, which left three people–including a police officer–dead.
and the part ‘cloud atlas screenplay pdf download’ is a link – check to see if that link is in the actual post. If it is, the links are in your database.
I hope you keep a good set of database backups.
On that first post, check when the post was revised, that may give you a clue as to when the hack occurred.
Should I do something like right now to protect our main site/moneymaker? It’s on the same server??
Change all your passwords: ftp, panel, all users on the sites who aren’t subscribers would be a good thing too.
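The database check suggested in the reply above, as an added example that is not part of the original thread: it scans post bodies for links to unknown hosts and for on-site links that match no existing post slug, and reports each hit with the post's last-modified time. The column names follow WordPress's `wp_posts` table; the hosts, rows, timestamps, and the assumption of slug-based permalinks are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collects (href, anchor text) for every <a> element in a post body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_injected_links(rows, site_hosts, trusted_hosts=()):
    """rows: list of (ID, post_name, post_modified, post_content) from wp_posts.
    Returns (ID, post_modified, reason, href, anchor text) for each suspect link."""
    site = {h.lower() for h in site_hosts}
    trusted = {h.lower() for h in trusted_hosts}
    slugs = {name.lower() for _, name, _, _ in rows}
    findings = []
    for post_id, _, modified, content in rows:
        parser = AnchorCollector()
        parser.feed(content)
        for href, text in parser.links:
            url = urlparse(href)
            if url.scheme not in ("", "http", "https"): continue  # skip mailto: etc.
            host = (url.hostname or "").lower()
            slug = url.path.rstrip("/").rsplit("/", 1)[-1].lower()
            if host in site or not host:  # on-site or relative link
                if slug and slug not in slugs:  # assumption: last path segment is the slug
                    findings.append((post_id, modified, "unknown on-site path", href, text))
            elif host not in trusted:
                findings.append((post_id, modified, "off-site host", href, text))
    return findings

# Constructed sample rows, not data taken from the site discussed in the thread.
SAMPLE_ROWS = [
    (101, "first-quote", "2015-12-02 03:14:09",
     'A sentence with <a href="http://quotes.example/cloud-atlas-screenplay-PDF-download">cloud atlas screenplay pdf download</a> dropped into it.'),
    (102, "second-quote", "2015-11-20 10:00:00",
     'See <a href="/first-quote/">the earlier post</a> and <a href="https://www.facebook.com/example">our page</a>.'),
    (103, "third-quote", "2015-12-02 03:14:11", 'More at <a href="http://pills.example/buy">this site</a>.'),
]
```

Flagged posts whose `post_modified` values cluster in a narrow window point to when the content was changed.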
@libamericaorg
Hello,
Just checked http://www.stupidrepublicanquotes.com
Looks like the hacker was able to directly modify the database (I guess the Facebook URL is directly stored in the database). So my quick guess is that your MySQL server is not safe for these minor sites. Change the password and, if possible, the server port as a quick fix. But it probably won’t last long.
Check by disabling any external way of updating the site, like XMLRPC and “open” ways. Also, check the HTTP and MySQL logs to try to sort out how they did that (might be an old plugin, for instance). Another idea: you could try to check all open ports on the server to see if all processes are “legit” / called by either OS/LAMP – eventually kill “rogue” ones.
Hope it helps,
@libamericaorg
I also forgot one thing: if you have attacks like that quite often, you can try CloudFlare; even the free plan is rather efficient on a bunch of things.
Could this be DNS poisoning? If you don’t put “www” in front of stupidrepublicanquotes.com there are a lot of links that do that, and I haven’t clicked them, but obviously they are probably going somewhere else because those URLs do not exist on the site.
For example:
(DO NOT CLICK THIS)
http://stupidrepublicanquotes.com/cloud-atlas-screenplay-PDF-download
That’s redirecting to some page that has nothing to do with WordPress and is not a page on our site.
With or without the WWW gets me the same page and links to the same site.
Try setting the permalinks to the default and see what the links show.
Did you look at the post yet to see if the link is actually there?
@all
What’s the difference with this cloud atlas url by the way? Ping gives same result from here. I didn’t try more network commands though.
Try installing the Wordfence plugin and seeing if it finds anything.
Resolved!
Everything was resolved when the host switched EVERYTHING over to NGINX (only our main site had been switched over). I think that was the solution. My husband handled the rest after he got home.
Thank you everyone for your help!
Good! True that NGINX is great because it can proxy/manage a lot of things.
You’re welcome; like I said, if you still spot a bunch of attacks, pull CloudFlare on top of your DNS, it’s a good option for that.
GL,