All my sites (6) hacked

  • I’m running 4.0.1 and all my sites (6) on hostgator are not accessible anymore since this morning using chrome. It says they are all infected with [ malware site deleted, why give them air time? ]

    I have two other sites, also 4.0.1, on another server and they are accessible.

Viewing 15 replies - 16 through 30 (of 92 total)
  • Same issue here with soaksoak.ru on two wp sites, replacing those files fixed the issue, though I looked in both before replacing and saw no reference to soaksoak.ru. Not sure how that works.

    I’m on my own server, it’s not limited to a shared hosting provider.

    I am getting the “Attackers currently on yoursite might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards)” error text.

    I have removed the infected files and replaced them with those from 4.1 RC build. Also submitted a review via google webmaster tools.

    Wordfence scan turning up nothing atm

    Website also hacked here with soaksoak.ru. Receiving warning in Google Chrome and in search results.

    I have updated the files mentioned above which has removed the soaksoak.ru javascript.

    I have manually updated revolution slider to the latest version.

    Akismet plugin was also out of date.

    I’d like to add that I have the soaksoak.ru on a site and also found several files in the site root and includes folder that have been affected. I wish I had noted the file names before posting here, but the modified dates seem to correspond with the same edit date as the template-loader.php and swfobject.js files. Also, Avast identified these files as containing malware references.

    Can someone check their site root for these file names?

    How do you actually replace these files?

    I only replaced the 2 files & waited around an hour until there was no more warning from Google… You may try scanning your website using this: http://www.virustotal.com

    Shalu, try watching this video… https://www.youtube.com/watch?v=7_u8zJFTgoQ

    find the folder & replace the files…

    /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js

    and eliminating or that deeb do with these files?

    Some of my sites on HostGator have the same issues, but I don’t know how to replace the files. Thanks max-lee, checking that video out. One thing, where do I get fresh files for
    /wp-includes/js/swfobject.js
    wp-includes/js/swfobject.js?ver=2.2-20120417

    Same infection being seen on host WP-Engine. Still curious about method of infection.

    Shalu, download the fresh WP installation zip file, then extract it. The fresh copy is in the folder…

    Can also report being infected on WP-Engine.
    Removing the file and fixing template-loader.php didn’t remove the Google warning though

    Thanks Maxilee for that, trying it. It worked for one of the sites. Not for others. Requested on Webmaster tools.

    The site I’ve seen infected with this was compromised via revslider, or at least that’s how it looks. It was running a very old version, I don’t know at this point if that’s how everyone is infected or if it varies. Revslider can be at /plugins/revslider/ but can also be buried inside of your theme if it includes the slider itself.

    I believe the attacker is able to upload a file into /revslider/temp/update_extract/, and then open that file up to compromise the site.

    For those of you that are seeing this problem, do you have revslider somewhere on the site? I would take a look at the /revslider/temp/update_extract folder (and the folders inside it) to see if anything looks suspicious. The file we found had an innocuous name, but on opening it up, it was obfuscated and clearly a malicious file. You can also open up your access logs and see if someone is accessing files that include ‘update_extract’ in the URL.
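
The access-log check suggested in the post above, as an added example (not part of the original thread): it scans combined-format log lines for requests whose URL contains 'update_extract' and separates out those the server answered with a 2xx status. The sample log lines, IP addresses, timestamps and file names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
MARKER = "update_extract"  # string the post says to look for in URLs

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2000:00:00:01 +0000] "GET /wp-content/plugins/'
    'revslider/temp/update_extract/revslider/example.php HTTP/1.1" 200 312 "-" "x"',
    '198.51.100.7 - - [01/Jan/2000:00:00:09 +0000] "GET /wp-content/themes/'
    'exampletheme/revslider/temp/update%5Fextract/example.php HTTP/1.1" 404 0 "-" "x"',
    '192.0.2.10 - - [01/Jan/2000:00:01:00 +0000] "GET /wp-includes/js/'
    'swfobject.js?ver=2.2-20120417 HTTP/1.1" 200 10220 "-" "x"',
    'line that is not in log format',
]


def find_update_extract_hits(lines):
    """Return {client_ip: [(time, method, path, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode %-escapes so an encoded path (%5F for "_") still matches.
        path = unquote(m["path"])
        if MARKER in path.lower():
            hits[m["ip"]].append((m["time"], m["method"], path, int(m["status"])))
    return dict(hits)


def served_hits(hits):
    """(ip, path) pairs answered with 2xx: the file existed and was served or run."""
    return sorted({(ip, path) for ip, rows in hits.items()
                   for (_time, _method, path, status) in rows if 200 <= status < 300})


if __name__ == "__main__":
    found = find_update_extract_hits(SAMPLE_LOG)
    for ip, path in served_hits(found):
        print(f"review: {ip} fetched {path}")
```

A 2xx hit means a file under that folder exists and was returned, so that path is the first place to inspect on disk; 404s show probing only.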

    if you try these sites piemse.com – b-superfit.com – terranovamusical.com.co

  • The topic ‘All my sites (6) hacked’ is closed to new replies.