Hacked - URL Injection (7 posts)

  1. fedezen
    Posted 3 years ago #

    First of all let me tell you about my web site rubyslippersbcn.com. I keep the WP version always updated within a few days to latest version.
    So now i have 3.51 with Atahualpa theme latest version.
    A couple of days ago I noticed some text flashed for a few seconds before my site loaded. Right click; view source and i found this:

    <div id="viru39sesl" style="visi

    [code moderated - please do not post this kind of code in the forum]

    So I started looking around for this and came to the conclusion that i was hacked, backdoored and URL injected. backed up my local copy and put it in a usb stick, deleted everything and downloaded the online version to search for strings like:

    also stuff like:

    visibility: hidden;

    This rendered useless as i could not find a hint of what was happening or where or even what to look for.
    Finally i decided to erase all non essential plugins, which didnt work.
    I changed all my passwords, including DB, users, etc, which didnt fix it either.
    Lastly i decided to overwrite my Theme with a freshly downloaded version from wordpress.org
    Done! no more viagra links on my website.

    So finally i could not find the backdoor, or what had happened and how. All i know it was hidden somewhere in the theme folder. Anyone? any clue? Also I am hosted at goDaddy and it seems that some people with shared hosting had same problems.

    In any case, i always keep a backup and DB backup, I fixed it after 10hs of trying stuff, 2 more hours and i would have done complete rollback.

  2. WPyogi
    Forum Moderator
    Posted 3 years ago #

  3. fedezen
    Posted 3 years ago #

    Thanks for the reply, i will go through those tonight. I contacted goDaddy but they came back to me 26 hours later saying they could not find any malicious code on my website. I sent them a text file with code posted above but i dont have a response yet.

    sorry for posting the code i forgot it had links in it I should have edited.

  4. WPyogi
    Forum Moderator
    Posted 3 years ago #

    Yeah, GoDaddy said the same thing to other people -- and then eventually admitted it was a problem on their servers... You might think about changing hosts.

  5. jgarcia439
    Posted 3 years ago #

    You can take hosting from any one of the WordPress recommended hosting for best performance.

  6. Miroslav Glavic
    Posted 3 years ago #

    Maybe the theme you are using is a pirated version.

    You see...there are these evil people who download legitimate themes and insert base64 and other type of malicious code, upload the now pirated version of themes and upload them to their own websites acting like they are WordPress friendly sites with advice and free themes.

    Talking about pirated versions....what is a pirate's favourite movie? a rated aaaarrggh movie (Rated R movie).

  7. fedezen
    Posted 3 years ago #

    Looking back step by step in how we got hacked, we are almost sure it was through an html comment. I have since this morning blocked html on my comments.
    Thanks to everyone for the advice, and thanks to WPyogi for the link, i have read most of them and bookmarked the rest. Good stuff.

    And about the theme, i always use the same theme and download it from wordpres.org to avoid any trouble.

Topic Closed

This topic has been closed to new replies.

About this Topic