All my sites (6) hacked

  • I’m running 4.0.1 and all my sites (6) on hostgator are not accessible anymore since this morning using chrome. It says they are all infected with [ malware site deleted, why give them air time? ]

    I have two other sites, also 4.0.1, on another server and they are accessible.

Viewing 15 replies - 1 through 15 (of 92 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    I’ve had the same issue now (soaksoak.ru, wp 4.0.1, hostgator, only in chrome with phishing and malware protection enabled). I found out where the problem is with Wordfence
    https://wordpress.org/plugins/wordfence/

    Btw, there was soaksoak.ru error in the chrome console last couple of days, but the sites were working fine, until today.

    Anyway, try this first – download fresh wp installation, and check these files, if they’re recently changed, I’m guessing you got the same two hacked:
    /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js

    Replace them with the files from the fresh installation.

    If it isn’t the problem with them, install Wordfence and scan to find the issue.

    Now I’m trying to find out how the hell this happened, and I came across your post. We have a number of client sites, with identical dev versions on the hostgator and live ones on other hosts, live sites are perfectly fine, dev sites got the hack (literally all of them), figure can’t be the issue with the sites, so I’m guessing it’s something up to hostgator.

    My site just got the same issue from that same attack site and around the same time. Both /wp-includes/template-loader.php /wp-includes/js/swfobject.js were changed and the host is amazon, not hostgator.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Replace them with the files from the fresh installation.

    If it isn’t the problem with them, install Wordfence and scan to find the issue.

    Also do these steps.

    http://codex.wordpress.org/Hardening_WordPress

    It will make updating your installation less user friendly (the filesystem is locked down) but as your site is hacked then for now that is not a bad thing.

    Used wordfence, same files affected:

    /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js

    Replaced with originals, now google chrome allows access.

    Seems to be a widespread issue.

    Now I’ll update all my clients’ sites.

    Thanks!

    Btw if you have the same issue, keep posting here, it might be a bug that needs being looked at.

    Same issue, same files affected.

    /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js

    I am using BLUEHOST, not Host Gator.

    Thanks for this thread and the helpful answers!

    For those who replaced the /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js, is google still sending out malware warnings? Mine still is for some reason and I have submitted a review via webmaster tools. Wonder how long it will take to clear up.

    Also have just found that I have this problem. I’m with hostgator and all my sites are now showing the same error. I’m not using Wordfence however.

    Haven’t tried the fixes found here; only just found it and off to try and fix now.

    *** Edit ***

    I have replaced the files:
    /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js

    …as suggested on one of my sites, however it has not had the desired effect. I am still receiving the malware warning. Although looking at the history of these files I can see that they were both edited yesterday on all of my installations of WordPress (not by me).

    @khunter2013
    @scottwatsonco

    Have you tried scanning with Wordfence? I’d suggest you to do that, probably some other files are being affected also.

    Thank you @iLabz just trying that now however it has come back negative saying there are no issues. Misread the post previously thought the suggestion was that Wordfence was causing the issue not a possible solution :/ Appreciated.

    From what I’ve seen, when this is fixed it immediately removes the warning from Chrome – not sure if that is 100% consistent, but it was in my test (make sure you do a CTRL-F5 hard refresh on your browser or clear your browser cache).

    You can also check by running something like a http://webpagetest.org test on your site – look to see if it is loading any content from soaksoak.ru

    I’d suggest completely deleting your /wp-admin/ and /wp-includes/ directories and replacing those with fresh copies direct from wordpress.org.

    A couple other things to look for:

    – Do you have revslider installed? Look at the contents of /wp-content/plugins/revslider/temp/update_extract/ – I’ve seen an instance of this being the hack’s source. Removing those files and putting permissions on the /revslider/temp/ folder that prevent it from being modified might be a good idea.

    – A folder /wp-content/plugins/cached_data/ – that likely does not belong, and it looks like it may have been where some of the files were placed while the hack was being performed. A bulk mailing script also was sitting in that folder.

    I’m seeing this on a few sites, replacing the infected files did not fix the error.

    I have found that replacing the files has worked on all but one of my sites :/ can’t explain why; did all the same things, have the same setups etc…

    What error are you seeing? I believe that if you’re getting a warning that “Attackers currently on soaksoak.ru…”, it may resolve itself immediately when the references to soaksoak are removed.

    But if you are seeing something like “Attackers currently on yoursite.com…” (using your actual domain name), then you’ll need to submit a malware review request to Google: https://support.google.com/webmasters/answer/163633?rd=1

    I’m not sure that’s the difference, but I believe the problem may be that if you’re getting the soaksoak.ru message, Google hasn’t identified your site as problematic, Chrome just sees content from soaksoak.ru, which it knows is bad. But if you’re seeing the message about your site, then Google has determined your domain is regularly serving this content and you need to do the malware removal request.

    Have y’all found any similar plugins? I’m seeing outdated Akismet on each site.
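
The check several replies describe (compare core files against a fresh download of the same WordPress version, then look for references to soaksoak.ru), as an added example that is not part of any post in this thread. The function names and the two directory arguments are assumptions: a live install and a fresh copy unpacked locally.

```python
import hashlib
from pathlib import Path

INDICATOR = b"soaksoak.ru"  # domain named in the thread
# The core directories the thread suggests replacing with fresh copies.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def core_files(root: Path) -> dict:
    """Map relative path -> absolute path for every file under the core dirs."""
    found = {}
    for d in CORE_DIRS:
        base = root / d
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file():
                    found[p.relative_to(root).as_posix()] = p
    return found


def audit(live_root, clean_root, indicator=INDICATOR):
    """Compare a live install with a fresh unpacked copy of the same version."""
    live, clean = core_files(Path(live_root)), core_files(Path(clean_root))
    report = {"modified": [], "unexpected": [], "missing": [], "indicator": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["unexpected"].append(rel)   # file that core does not ship
        elif sha256(path) != sha256(clean[rel]):
            report["modified"].append(rel)     # core file whose content changed
    report["missing"] = sorted(set(clean) - set(live))
    # The indicator search covers the whole tree, because folders under
    # wp-content/plugins were also named as places to look.
    for p in sorted(Path(live_root).rglob("*")):
        if p.is_file() and indicator in p.read_bytes():
            report["indicator"].append(p.relative_to(live_root).as_posix())
    return report


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/live/site /path/to/fresh/wordpress
    for kind, paths in audit(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind}\t{rel}")
```

A clean result for the core directories does not cover plugins or themes; the indicator list is the only part of the report that looks inside wp-content.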

  • The topic ‘All my sites (6) hacked’ is closed to new replies.