Hacked Site

  • In November I was hacked with the Japanese keyword hack. I went into my cPanel and investigated every file there was. I found multiple files infected with gibberish code and the ever-present eval(base64 junk!!!! I also found a number of text files labeled king.txt that displayed this:

    [redacted]

    I simply hit delete on every file I could find that looked malicious, gibberish and out of place. I am not a developer, coder, designer or security auditor. But when you see things like “hacked by ……” it isn’t hard to draw the conclusion that file doesn’t belong! So I hit delete.

    What prompted me to do this investigation was I found a number of indexed pages on Google for my site with Japanese characters. All in all I have deindexed over 200 of them using the Google URL removal tool, which can be found here:
    https://www.google.com/webmasters/tools/removals

    I used the other Google removal tool and it didn’t remove any of these indexed pages. Using this Google removal tool deindexed those Japanese pages within hours:
    https://www.google.com/webmasters/tools/removals

    The problem I am having that none of the WordPress guides or FAQ pages on hacked sites references is how to actually locate, identify or confidently know which files are infected. Yeah, it says to use Sucuri or Wordfence scanners. Well, I have Wordfence installed and it was installed prior to this hack. It didn’t stop it. My hosting company has run multiple scans using Sucuri and their in-house malware tool. They have found nothing!!! In fact at one point they blamed Google for this.

    The WordPress hacked guide infers that a WordPress owner knows how to code, develop or navigate their cPanel or database. I know how to log in, but that is about the extent of it. You have millions of website owners that possess the same skill level I have and you’re not providing any step-by-step instructions on how to identify and locate these infected files.

    I say all of this because after deleting all the files I could find that looked malicious my site still creates one Japanese web page every day. EVERY DAY I have to do a Google sitewide search for my domain. Copy and paste the URL into the Google URL removal tool.

    My hosting company cannot find any reference to the URL I am deleting. They cannot find it in the database or the file manager. Sucuri scan says my site is fine. There is no malicious malware, but yet today I found three text files named king.txt and when opening up that file I see this:

    [redacted]

    So how am I supposed to have any confidence in spending money with Wordfence or Sucuri when their scanners can’t find this:

    [redacted]

    can’t find out which file, database, line of code keeps producing a Japanese web page that points to a 404 on my site?

    What am I actually supposed to do here? What am I actually supposed to be looking for? What file am I actually supposed to be investigating? What area of my cpanel am I actually supposed to be opening, and what am I actually supposed to be looking for?

    No, I am not going to download my site in an XML format and delete all of my plugins and all of my content and whatever other nonsense you state in your WordPress guide.

    What files should I be doing a search for? What should I be searching for in the database? What words, verbiage, symbols, references should I actually be typing into the search box within my file manager or database page to find infected files to finally clean this up once and for all 6 months after the fact?

    • This topic was modified 6 months, 3 weeks ago by  Steve Stern.
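The indicators named in the post above (files called king.txt, code wrapping base64 in eval, "hacked by" text, and something that rewrites content every day) can be searched for from a shell on the hosting account. This is an added example, not part of the original post or any WordPress guide; the labels, the two-day look-back and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list files matching the indicators the
# original poster describes. It only reports; review each hit before deleting.

# scan_wp_root DIR [DAYS] prints one "LABEL path" line per finding.
scan_wp_root() {
    root=$1
    days=${2:-2}   # assumption: look back two days, since a page appears daily

    # Marker files with the name the poster kept finding.
    find "$root" -type f -iname 'king.txt' | sed 's/^/MARKER /'

    # Any text file that wraps base64_decode in eval (PHP names are
    # case-insensitive, and whitespace may be inserted to dodge naive searches).
    grep -rIliE 'eval[[:space:]]*\([[:space:]]*base64_decode' "$root" |
        sed 's/^/EVAL-B64 /'

    # Files carrying the "hacked by" banner text.
    grep -rIli 'hacked by' "$root" | sed 's/^/DEFACED /'

    # PHP and text files changed within DAYS days: whatever keeps regenerating
    # content has to write somewhere, and core files rarely change between updates.
    find "$root" -type f \( -name '*.php' -o -name '*.txt' \) -mtime "-$days" |
        sed 's/^/RECENT /'
}

# make_sample_tree DIR builds a small constructed tree to try the scan on.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/themes/demo"
    printf '%s\n' '<?php // clean file' > "$1/index.php"
    touch -t 202001010000 "$1/index.php"            # pretend it is old
    printf '%s\n' 'hacked by example (constructed)' > "$1/wp-content/uploads/king.txt"
    printf '%s\n' '<?php eval ( base64_decode("ZWNobyAxOw==")); ?>' \
        > "$1/wp-content/themes/demo/functions.php"  # decodes to: echo 1;
}

# Run against a directory given on the command line, e.g. ~/public_html
if [ "$#" -gt 0 ]; then
    scan_wp_root "$@"
fi
```

A RECENT hit on a file nobody edited is the lead worth following; a legitimate plugin can also trigger EVAL-B64, so compare hits against a fresh copy of the same plugin or core version before removing anything.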


Viewing 5 replies - 1 through 5 (of 5 total)
  • I have also checked my search console ownership to make sure that I am the only owner or verified owner of my site. I have also checked my sitemap to make sure there are no funny URLs or additions that I did not put there. Both check out just fine.

    What am I actually supposed to be looking for in these files? What am I actually supposed to be searching for to finally remove this Japanese keyword hack? What verbiage am I supposed to be looking for? What part of the URL that I have provided for my site should I use as a search parameter? Because I have tried everything past the .php in every combination of sequences you can think of and find nothing. I can deindex that URL and have it removed in a couple of hours, but tomorrow there will be another unique URL displaying Chinese characters.

    What do I need to search for within my cPanel to finally put a stop to this?

    I can’t see your plugins so I can’t tell what’s there, so I’ll just speak in generalities here while remembering you mentioned running Wordfence.

    My first recommendation is to run iThemes Security and Wordfence together. They behave well together and complement each other.

    I’d also install the Sucuri scanner plugin, enable it and run it then disable it again. You really don’t need that many security plugins that do the same things but Sucuri is worth running here and there. Run then disable.

    Deindexing something in Google doesn’t remove it from your website. If Google finds it again it may put it back.

    I did an offline scan of your site and didn’t see anything but there are stealth SQL injections and such that hide then run and then hide again.

    I did a search for a few parts of the keyword string you mentioned via Google and your own site’s search… nothing. Doesn’t mean it isn’t there.

    It’s possible there’s something hidden in your database or an external script your site calls that has a problem.

    Another thing is if there are external links pointing to your site and generating 404 errors then there’s little you can do except take the URL string causing that 404 and point it to some interesting content you do have via a 301 redirect.

    Search engines watch for 301s and try to modify their data to reflect the change. You might try contacting the referring site and ask them to correct their links if you can find them via the referrer logs.

    • This reply was modified 6 months, 3 weeks ago by  JNashHawkins.

    Thank you for taking the time to offer your assistance. I did install both Sucuri and iThemes. Did a scan, found nothing and uninstalled. I realize deindexing doesn’t remove it from the site or core files. Which is why I am trying to figure out what files to look in and what to actually look for in the files I open up.

    I can’t be the only one in the world that has had this hack and is trying to figure out how to clean a site afterwards. There has to be a tool, guide, resource somewhere that states step by step how to remove this Japanese keyword hack. WordPress.org has generalities. Google has more generalities.

    Really no site on the internet has cleaning instructions for this malware invasion?

    I was hoping I’d find it when I looked and could help you.

    Do continue running iThemes along with Wordfence. iThemes Security doesn’t always work immediately but seems to go through a ‘learning’ process.

    I have bookmarked your site in my automated system so I’ll probably be watching there for a while and if there’s anything else I can help you with then feel free to ask.

    I’ll probably be reading all your digital nomad content and such. My cardiologist probably won’t approve my traveling much but I love to dream.

    I also found a thread on here about that hack by searching Google. https://wordpress.org/support/topic/current-vulnerability-affecting-thousands-of-wp-sites/. Nothing much there either about this hack.

  • The topic ‘Hacked Site’ is closed to new replies.