Support » Fixing WordPress » Hacked/Malware, need help please

  • Hey all,

    We’ve just had a very heavy traffic hit due to downranking of articles. After some time searching I’ve discovered that it appears we’ve been hacked.

    <!-- Begin Top Bar -->			
            <!--start-add-div-content--><p class="nemonn">What this select group of how Quick Cash Payday Loans <a href="" title="Quick Cash Payday Loans">Quick Cash Payday Loans</a> are understandably the following. If you to understanding the peak of Viagra Online 50mg <a href="" title="Viagra Online 50mg">Viagra Online 50mg</a> nyu urology erectile function. An soc to uncover the choice of Buy Cialis In Australia <a href="" title="Buy Cialis In Australia">Buy Cialis In Australia</a> tobacco use recreational drug cimetidine. It was awarded service either has Viagra 100mg Online <a href="" title="Viagra 100mg Online">Viagra 100mg Online</a> reviewed in microsurgical revascularization. Diagnosis the action of damaged innervation loss of modest How To Use Viagra <a href="" title="How To Use Viagra">How To Use Viagra</a> nonexclusive viagra cialis and urinary dysfunction. Finally the appeals management center amc in their profits Viagra Kaufen <a href="" title="Viagra Kaufen">Viagra Kaufen</a> on a part upon the figure tissues. Giles brindley demonstrated cad were not positive and receipt of Cialis <a href="" title="Cialis">Cialis</a> therapeutic modalities to notify and microsurgical revascularization. Asian j montorsi giuliana meuleman e auerbach eardly mccullough ar Cialis <a href="" title="Cialis">Cialis</a> et early warning system for sexual measures. An soc was once thought that these would The Cheapest Terms Pay Day Loans <a href="" title="The Cheapest Terms Pay Day Loans">The Cheapest Terms Pay Day Loans</a> include those raised at and impotence. However under anesthesia malleable or problems and Viagra <a href="" title="Viagra">Viagra</a> opiates can result of the. Low testosterone levels hypogonadism usually end with enough stimulation Buy Cialis Viagra <a href="" title="Buy Cialis Viagra">Buy Cialis Viagra</a> to erectile dysfunctionmen who lose their lifetime. Physical examination in at nyu urology erectile dysfunction Viagra Online <a href="" title="Viagra Online">Viagra Online</a> include the issuance of the. Remand as intermittent claudication in treating Viagra <a href="" title="Viagra">Viagra</a> male sexual functioning apparent? Without in some others their profits on not required Cialis <a href="" title="Cialis">Cialis</a> where there has gained popularity of penile. Dp reasoned the record shows or Viagra 100mg <a href="" title="Viagra 100mg">Viagra 100mg</a> aggravated by cad in.</p><!--end-add-div-content--><div id="header">  			
              <div id="headerpages">				
                <div class="wrapper1">
                  <div id="someunknownrapper">
                    <div class="someunknownrapperl">
                      <div id="headernavigation1">

    That features on the majority of our pages. We had this happen 2 years ago but it was plugin related, removing it fixed it instantly. However, we’ve not added a plugin in recent weeks and this stuff hit the website yesterday.

    Any help on how to remove it, and how it got there, would be very much appreciated.

Viewing 15 replies - 1 through 15 (of 21 total)
  • I would start by asking host if they have a backup from prior to the hacker text being added, then recover to that.

    In addition to the backup notes, I recommend you change all your passwords, and make sure to set only one person as Administrator just in case.

    One of the sites I’m working on was just hacked as well, and had the same “nemonn” class in the header. I deleted the theme folder and re-uploaded the local version and that did the trick, for now. I backed up the hacked theme folder so I can do a little more digging.

    I found this as well on a slew of sites that are on a shared server.

    I think the real culprit was a new file that was inserted into the core, wp-rss3.php.

    I’d gotten a notice from the hosting provider that this was a potential security risk. When I edited it I found a script with resetting this parameter $_8b7b.

    Here’s an interesting post on it.

    This post is way more interesting…

    Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    I find the non-printable version of that web page to be much more easier to read, even with the pagination but to each there own.

    I think the real culprit was a new file that was inserted into the core, wp-rss3.php.

    I think you may want to generalize that some more as “the real culprit was that Very Bad People™ were able to write to my blog’s file system.”

    It’s why the file permission section of Hardening WordPress is often a good read after you’ve deloused an infected installation/server.

    Thanks Jan, the hardening wordpress article is a great resource.

    This article really identifies the issue.

    There couldn’t be much of a better write up.

    The hack must have been placed by someone with shell or FTP access. This is a general PHP hack, and not limited in anyway to wordpress.

    It’s a nasty one. I hope this research helped.

    I have installed the Sucuri plugin, and even ran the scanner on those sites mentioned above. Everything came up clean. But I’m seeing this file in the wp-admin folder (thanks to another poster on here)


    Is this the malicious file? If so, how do I properly remove it? Do I just delete it? I want to make sure to do this right so I don’t mess up the functionality of this site.

    That is almost certainly the file! But it’s possible that there are others. Delete it and change all your passwords (FTP, database, wordpress admin).

    This is what I have found out about “nemonn”

    Just removing the obfuscated javascript from the header will not work permanently.

    There will be an additional base64 coded file elsewhere (the backdoor)- and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

    Just updating / reinstalling WordPress from the admin won’t remove this file.

    Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

    I seem to have been a victim of the malware, albeit in a very strange way–I am the admin on a forum hosted at GoDaddy; the site seems to work perfectly normally. However, when I link to it in Google+ or Facebook, the preview shows the “Mayan Viagra spam”. Poking around the site [ Link removed ] (you can see it here) with firebug, I found that <p class=”nemonn”> with all the junk has been inserted on every page; however, it doesn’t show on the page.

    I am not really qualified to deal with this–so any advice for a complete newbie would be appreciated. I am running WP 3.4.2, BBpress 2.2.2, and using the latest version of the Graphene theme. I have a number of plugins installed–if it is helpful, I can list them.

    Any help will be much appreciated.


    p.s. A bit of extra information which may or may not be useful: If I select and copy the whole page into apple’s textedit app, then the spam is visible at the top of the page.

    Warning, the url linked in two replies by “zotsf” on this thread has been flagged by Avast! Antivirus as infected:

    Infection Details
    Process:	D:\Mozilla Firefox\firefox.exe
    Infection:	PHP:Shell-AU [Trj]


    A client of mine recently purchased “Sucuri”, which is $89 for one site, and $189 for 2-5. We thought we had cleaned out all the files, but when Sucuri went in, they were able to find and clean things we missed.

    I don’t know how anyone feels about premium plugins, but it sure was worth the money in the long run.

    Just a thought.

    I found the culprit file in the /wp-admin/includes folder

    What is the file called Jay?

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘Hacked/Malware, need help please’ is closed to new replies.