2.7.1 Site hack – redirect to magic4man.com

  • iamkohchang

    (@iamkohchang)


    I don't keep up to date with what's going on on WordPress as I am not much of a techie. And I don't like to upgrade immediately as it can screw up plugins etc. But anyway . . .

    Have a site iamkohchang.com – I noticed my admin password wouldn't work and was reset last week. So had to get a new password. Then I noticed the site redirects to magic4man.com – Japanese porn after about 60 seconds.

    A line of code was in the header and in a sidebar widget, so was easy to find and remove. I thought that was the end of the problem. (Like I said, I am not a techie. I went from MS Frontpage to WP as I wanted something simple and hassle free to use.)

    I upgraded to 2.8.4 after I did that, but now my site has gone – just get redirected immediately to the porn site.

    I will reinstall WP and the theme (Arthemia) and I have a backup of the database – but how to tell if this backup is clean or if there is something hiding in there?

    Any help / easy to follow instructions greatly appreciated

Viewing 10 replies - 1 through 10 (of 10 total)
  • iamkohchang

    (@iamkohchang)

    Also just noticed that the worm is in my admin section too. In Themes, I clicked to select a different theme and the lightbox that usually displays an overview of the theme showed the porn site too.

    Clayton James

    (@claytonjames)

    Here are the redirects.

    Title: Asian Porn Hub – Japanese Porn Movies
    URL: //iamkohchang.com
    Redirects:
    301 -> //www.magic4man.com
    301 -> //magic4man.com/

    Anything strange in your .htaccess file?

    iamkohchang

    (@iamkohchang)

    .htaccess is this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    whooami

    (@whooami)

    Member

    What's inside your wp-config.php? Anything unusual?

    I'm not clicking to look, so what theme are you using? If you aren't already, change your theme to a clean freshly uploaded default?

    whooami

    (@whooami)

    Member

    Did you disable your plugins before upgrading?

    (also could be a malicious plugin loading only in db)

    iamkohchang

    (@iamkohchang)

    The wp-config.php looks fine. Nothing relating to a redirect or the magic4man URL.

    I didn't disable the plugins before upgrading. In the Plugin list in Admin section I can't see any plugins that I don't recognise and I haven't installed any new ones recently – only upgraded existing plugins.

    (Thanks for the help so far, hopefully this is narrowing down the causes of the problem)

    whooami

    (@whooami)

    Member

    In the Plugin list in Admin section I can't see any plugins that I don't recognise and I haven't installed any new ones recently – only upgraded existing plugins.

    (also could be a malicious plugin loading only in db)

    I'm not clicking to look, so what theme are you using? If you aren't already, change your theme to a clean freshly uploaded default?

    I'm not going to regurgitate, sorry 🙂 so here ya go –>

    http://wordpress.org/support/topic/267398?replies=8

    There are tons of other threads here and blog posts elsewhere, and they all say exactly that, in different language.

    iamkohchang

    (@iamkohchang)

    Thanks – I’ll read through that.

    The theme is Arthemia Premium.

    2roguecats

    (@2roguecats)

    A site that I admin also had this hack. I thought I had cleaned it, but it came back. Were you able to successfully get rid of the hack?

    iamkohchang

    (@iamkohchang)

    Still being hacked. Despite an IT guy working on it for a couple of days and battling with the hacker. Now the hacker only has access to the index.php file on the site and is still redirecting that. All other pages and my other domains are fine.

    If anyone has ideas how this can happen, i.e. access to a single file, despite lots of security being added, SSH enabled etc., let me know.

    The original problem was a file uploaded in July into the cgi-bin – that isn’t visible on file manager. This gave the hacker telnet access to the site. The file was env.cgi. See if it is on your site at http://www.domain.com/cgi-bin/env.cgi and you’ll see where they log in.

  • The topic ‘2.7.1 Site hack – redirect to magic4man.com’ is closed to new replies.
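
An added example, not part of the original thread and not written by any of its posters: one way to check a database backup for the injected redirect the first post asks about, and for plugins that are loaded only from the database, as a later reply suggests. The sample dump, the function names and every indicator pattern other than the domain named in the thread are constructed assumptions.

```python
import re

# Only the domain comes from this thread; the other patterns are assumptions
# about what an injected redirect commonly looks like in post or widget text.
INDICATORS = {
    "redirect domain from thread": re.compile(r"magic4man\.com", re.I),
    "meta refresh": re.compile(r"<meta[^>]+http-equiv=\W*refresh", re.I),
    "script or iframe tag": re.compile(r"<(script|iframe)\b", re.I),
    "javascript redirect": re.compile(r"(window|document)\.location", re.I),
    "php eval/base64_decode": re.compile(r"\b(eval|base64_decode)\s*\(", re.I),
}
# wp_options row holding the PHP-serialized list of plugin files WordPress loads.
ACTIVE_PLUGINS = re.compile(r"'active_plugins',\s*'(.*?)(?<!\\)'", re.S)
PHP_STRING = re.compile(r's:\d+:\\?"([^"\\]+)\\?"')

# Constructed sample in mysqldump style (not data from the thread's site).
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,0,'siteurl','http://blog.example','yes');
INSERT INTO `wp_options` VALUES (33,0,'active_plugins','a:2:{i:0;s:19:\"akismet/akismet.php\";i:1;s:24:\"../uploads/cache_old.php\";}','yes');
INSERT INTO `wp_options` VALUES (71,0,'widget_text','a:1:{i:1;a:2:{s:5:\"title\";s:0:\"\";s:4:\"text\";s:66:\"<meta http-equiv=\"refresh\" content=\"60;url=http://magic4man.com/\">\";}}','yes');
INSERT INTO `wp_posts` VALUES (5,1,'2009-08-01 10:00:00','A normal post about the island.','Hello','publish');
""".strip()


def scan_dump(sql_text):
    """Return (findings, plugins); findings are (line_no, label, excerpt)."""
    findings = []
    for no, line in enumerate(sql_text.splitlines(), 1):
        for label, rx in INDICATORS.items():
            m = rx.search(line)
            if m:  # keep a short excerpt so the row can be located in the dump
                excerpt = line[max(m.start() - 30, 0):m.end() + 30]
                findings.append((no, label, excerpt))
    plugins = []
    for m in ACTIVE_PLUGINS.finditer(sql_text):
        plugins.extend(PHP_STRING.findall(m.group(1)))
    return findings, plugins


def odd_plugins(plugins):
    """Entries that leave wp-content/plugins or are not .php files (heuristic)."""
    return [p for p in plugins if ".." in p or not p.endswith(".php")]


if __name__ == "__main__":
    findings, plugins = scan_dump(SAMPLE_DUMP)
    for no, label, excerpt in findings:
        print(f"line {no}: {label}: ...{excerpt}...")
    print("active plugins:", plugins)
    print("check these first:", odd_plugins(plugins))
```

Legitimate posts can contain script or iframe embeds, so each hit is a row to review by hand rather than proof that the backup is infected.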