WordPress.org

Support

Support » How-To and Troubleshooting » Hacked and all my sites now have impossible cialis and viagra pages

Hacked and all my sites now have impossible cialis and viagra pages

  • I’m using the latest version of WP (3.3.1) on all my sites and suddenly about a month ago I have all these pages (or posts) for cialis and viagra. The odd thing is that they appear as pages that aren’t possible as actual WP pages (e.g. http://www.DOMAIN.com/wp-includes/index.php?iga=25790&OEQ=1332871201) which are obviously not real URLs.

    I found thi sout because I have Google alerts for all my domains and Google i picking up these pages. Even more interesting, if you click on the links, they show as a blank page in any browser on a windows machine, but if you are using a browser on a linux machine, you can see all the spam copy and links. So… average users wont’ see these pages anywhere, but google sure does and is indexing the pages. This will both hurt me (google thinks my site is affiliated with cialis) and is also likely helping the spammers pages that my site now seems to be linking to.

    I have added no plugins, and oddly, this is ahppening to *all* my WP domains, but not my Drupal or Joomla ones, so that is the interesting consistency. Has anyone else seen this? I’ve looked for odd files, base64 code in existing files, etc, etc and found no smoking gun, i’m I’m stumped. Any advice?

Viewing 15 replies - 1 through 15 (of 22 total)
  • Start here: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Who is your webhost? (this could be very important)

    Unfortunately I’ve done all this and my hosting company has no idea what could be going on. They are not WP experts so they’ve checked all they can on their end, and I’ve been pouring through all my files, logs, etc, reinstalled, etc and I’m stumped. Google is going to punish the heck out of me for this, I just hop I can figure it out in time, before I get relegated to the black hole.

    Hello, contact me, i’m Web Security Consultant and i put back in life hacked website all the time.
    See you !
    [signature moderated]

    [Moderator warning: It is against forum rules to solicit work here.]

    Hi,
    Sadly I see this fairly often. What may have happened is that your website was actually hacked months ago, and hacker left behind some sneaky back door scripts. While you dutifully updated and did all the right things, you may have missed the actual hacker files which are often disguised to look legitimate.

    So you have a few potential issues here:
    1. Possible back door scripts you’ll need to locate.
    2. It’s possible your database was compromised, which means you’ll need to have someone dig into it through phpMyAdmain and root those out.
    3. Double check your plugins as well. Delete all inactive plugins and inactive themes.

    This is really nice summary as well you may find helpful:
    http://www.studiopress.com/tips/wordpress-site-security.htm

    war3rd – what is the name of your webhost? If you tell us the name we can tell you if they are useless.

    my hosting company has no idea what could be going on
    In that case – move. Seriously – find a host who does know what goes on. After all if they won’t help you now do you expect any help from them ever?

    julio – please do not use the forums to ‘get work’. Offer help and knowledge here that will benefit everyone.

    Sorry Mark ! I won’t do it again.
    I can not offer free help when this work can take a full day :
    – talk with the people to understand the issues and get access
    – search for malicious files
    – updates all that can be
    – find the vulnerability
    – patch the hole
    – come back every day then every week to check the health.
    Also, Web Security is my job, i really can not offer this.

    Mark,
    My webhost is Liquidweb and I just don’t think they get wordpress, so I’m on my own. I *did* get hacked months ago and cleaned everything up, but it’s most likely I didnt’ really clen it all up. I removed all unknown files, found and removed all base64 code, reinstalled everything, to no avail. I may need to rebuild the database, and this really sucks because it’s affecting 3 of my sites and really screwing up my traffic and ranking.

    Man… before I moved to WP everything was fine, when I wrote all the code myself, a complete custom site, I never got hacked. I love WP for making things take a lot less time to accomplish now, but damn… these exploits are driving me nuts.

    esmi

    @esmi

    Forum Moderator

    It’s very likely that you missed the back door hacker scripts. So while you did your best to clear up the “symptoms” of the hack, the actual “bug” was/is possibly still hiding in the background, saved to look like a generic wordpress file.

    I’ve seen a bunch of those sites, but I’ll review them all, thanks Esmi. and yep, hack repair guy, that’s the conclusion I’ve come to. I may have to start over, which will be a nightmare..

    perezbox

    @perezbox

    Sucuri.net CEO

    Hi war3rd

    SEO spam, which is what you’re dealing with can be really tricky. If you’re doing this by hand, try replacing all the core files. Rename wp-admin / wp-includes, then push over fresh copies. Do the same with the root files.

    This is quick and easy for you to do. Why its valuable is because it won’t just copy existing files, it’ll also allow you to purge any backdoor files that might be in the core install.

    Make note though, this can be a painful process. If not in the root, you’ll have to work inward, start with plugin, then move to the theme.

    In most cases the issues you’re talking about come from cross-site contamination issues. Not sure of your specific scenario but read these to see if they apply:

    http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html

    http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html

    Best of luck

    Perezbox, already done that last week. I have a feeling that I may have resolved the issue, but all the fake links are still indexed by google, so I may have to wait a month or so for them to fade from existence. If I can figure out what they all are I can try de-indexing them from google via webmaster tools, but part of me is really nervous about what I may have still missed. I’m good, but not great at coding, but I’m keeping my fingers crossed.

    Thanks for the links. I’m going to keep reading u on this to be sure I’ve got it licked (which I’m skeptical about) but also to ensure I can prevent this from happening again. I’m getting so much traffic right now from people looking for horny men sex and v\cialis/viagra that it’s revolting. Hopefully I can nip that.

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    @war3rd: you may need to change hosts. Some hosts are simply insecure and you will get hacked again. You can export your pages/posts and start with a clean WP install, or move the database after scanning it.

    See Moving WordPress « WordPress Codex and Recommended WordPress Web Hosting. Use Google Webmaster’s Tools to remove URLs after you set up an account with Google: Google Webmaster Central

    I’ve been thinking about it. I have a big loyalty problem, and that is keeping me with these guys, but you are probably right… Any recommendations for good, safe and not terribly expensive hosts?

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

Viewing 15 replies - 1 through 15 (of 22 total)
  • The topic ‘Hacked and all my sites now have impossible cialis and viagra pages’ is closed to new replies.
Skip to toolbar