• Resolved keyvan21

    (@keyvan21)


    hello
    i open my website today, and see all of my pages redirect to deleted
    help me plz…!
    thanks

Viewing 15 replies - 16 through 30 (of 51 total)
  • Same problem, in 2 different sites that we have.
    We revert back to previous day and all OK, but problem started a few hours later.
    We do have Advanced Access Manager. We are all day trying to see where it comes from. We use Wordfence Premium but it didnt help.

    I think I found a suspect IP :
    2a07:5741:0:140::1

    Was trying something like (not real URL):
    https://[XXXXXX].org/wp-admin/admin-ajax.php?%5Bobfuscated%5D=home&option_value=https%3A%2F%2Fjs.wiilberedmodels.com%2Fsample%3Fd%3D1

    Please be ware that the code is injected to the posts and then extend to the to the files…

    @salvaramirez You mean to pages?

    Yes, to pages.
    This morning we found teh code in a couple of posts, then in all the posts a few hours later (around 300), and then to around 50-60 pages. We have quite a big website.
    I really recommend you to chnge db password (remember to change wp-config after that).

    Password is changed.
    Now I cross my fingers and hope for the best 🙁

    The best way to check is to check for older posts… It starts there 🙂

    @salvaramirez check? For what.
    I searched the site with Search Regex (mentioned above) and I have deleted the inserted script from all posts. Is that what you mean?

    I’ve got the same problem on a couple of websites. All are using advanced custom fields pro, all in one seo pack, advanced access manager, polylang, really simple ssl, contact form 7. So any of them can cause problem.
    If you have an exact information which plugin causes it let here know. I’m trying to find it in the server logs but without success.

    Ok, I am not alone. Found this thread by searching for wiilberedmodels.

    I made a file change scan and I think NO file was changed. I am pretty sure that this is a sql injection.

    I had 6 DB´s infected. In the last 4 years I made no plugin changes on this websites. On thursday I installed “WP Live Chat and Advanced Access Manager” and today I am hacked. Maybe it is coincidence but do you all use WP Live Chat or Advanced Access Manager?

    My Plugins are:

    Adminimize
    Advanced Access Manager
    Advanced Custom Fields
    CommerceGurus Toolkit
    Contact Form 7
    Duplicate Page
    Jquery Validation For Contact Form 7
    LayerSlider WP
    MailChimp for WordPress
    Redux Framework
    Widget CSS Classes
    WP Live Chat Support
    WPBakery Visual Composer
    WPFront User Role Editor
    Yoast SEO

    Please list all your installed plugins. We have to find the biggest common denominator.

    • This reply was modified 1 year, 2 months ago by marc77.
    • This reply was modified 1 year, 2 months ago by marc77.
    • This reply was modified 1 year, 2 months ago by marc77.
    • This reply was modified 1 year, 2 months ago by marc77.

    So as far as I know, it uses and url injection like /wp-admin/admin-ajax.php?action=fs_set_db_option to change home option.

    This particular one seems to be blocked by Wordfence, but some others may not.

    It must be not just oneplugin, but several. I can say I dont have live chat and I got hacked.

    @marc77 Nope.

    I had 20+ websites infected. Are some of you using InfiniteWP ?

    @salvaramirez
    @karelne

    Ok, Thank you.

    Maybe you have Advanced Access Manager?

    Please list all your active plugins.

    • This reply was modified 1 year, 2 months ago by marc77.

    Advanced Access Manager, Custom post type app page template, Custom POst type UI, Duplicate post, GDPR Cookie compliance, Ninja Forms, Toolser types, Worldfence, WordPress IMporter, WPS Hide login

Viewing 15 replies - 16 through 30 (of 51 total)
  • The topic ‘Hack’ is closed to new replies.