Malware Found – Injected Script

  • Hello,

    My site was hacked.

    The website SUCURI.NET found a malware, like this:

    My WP Forum is down, and I have problems with displays.

    What do I do now?
    What is the source of hacking?

    Do you have any information about this, perhaps a similar case?

    Thank you to those who will give me their time.
    L.


Viewing 9 replies - 1 through 9 (of 9 total)
  • Hello @streetlc,

    Hope you’re doing good. The source of hijacking could be many. It could be a plugin, theme or a corrupted WordPress installation. The step you can take right now is to disable all the plugins and see if that helps you. And if it does, then enable them one by one and analyze which plugin is causing it.

    Otherwise, make a fresh installation of WordPress and import the data to the new installation.

    Additionally, use some security plugins and a CDN with security enabled (CloudFlare is free and also gives security when under attack). I’m linking down some plugins that might help you to increase the security of the website.

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
    https://wordpress.org/plugins/wordfence/
    https://wordpress.org/plugins/better-wp-security/

    [ Signature moderated ]

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    @sebot34

    I’ve deleted your offer to log in to your user’s site. I am 100% sure you mean well but please never ask for credentials on these forums.

    https://wordpress.org/support/guidelines/#the-bad-stuff

    Now for the why: The internet is a wonderful place full of very nice people and a few very bad ones. I’m sure everyone here is very nice; however, by giving someone the keys to your house you are trusting they won’t steal anything. Likewise the person who takes the keys is now responsible for the house FOREVER.

    If something was to go wrong, then you the author may well legally become liable for damages, which they would not normally have been as their software is provided without warranty.

    Please be aware that repeatedly asking for credentials will result in us blocking your account.

    It’s never necessary to do that. Here’s why.

    There are many ways to get information you need and accessing the user’s site is not one of them. That’s going too far.

    • Ask the user to create and post a link to their phpinfo(); output.
    • Walk the user through basic troubleshooting steps such as disabling all other plugins, clearing their cache and cookies and trying again.
    • Ask the user for the step-by-step on how they can reproduce the problem.

    You get the idea.

    Volunteer support is not easy. But these forums need to be a safe place for all users, experienced or new. Accessing their system that way is a shortcut that will get you into real trouble in these forums.


    index.php
    wp-content/index.php
    and 444 .js files are infected.

    My theme is : “TheFox”.

    My plugins list :

    AffiliateWP
    AutomateWoo
    Clicky Analytics
    Contact Form 7
    Custom Category Templates
    Disable Gutenberg
    Easy Table of Contents
    Facebook for WooCommerce
    GDPR Cookie Consent
    Google Analytics Dashboard pour WP (GADWP)
    Hero Menu
    Loco Translate
    MC4WP: Mailchimp for WordPress
    No CAPTCHA reCAPTCHA
    OneSignal Push Notifications
    Postman SMTP
    Quick Page/Post Redirect Plugin
    Random Banner
    Simple Author Box
    SIP Reviews Shortcode for WooCommerce
    SSL Insecure Content Fixer
    TheFox Custom Post
    TinyMCE Advanced
    UpdraftPlus – Sauvegarde/Restauration
    WeSecur Security
    WooCommerce
    AffiliateWP – WooCommerce Redirect Affiliates
    WooCommerce Customer/Order CSV Export
    WooCommerce Give Products
    WooCommerce Order Status Control
    WooCommerce PDF Invoices
    WooCommerce Shortcodes
    WooCommerce Stripe Gateway
    Wordfence Security
    WP 404 Auto Redirect to Similar Post
    WP Force SSL
    WP PDF Stamper
    WP Rocket
    WP User Avatar
    wpDiscuz
    wpForo
    Yoast SEO
    Éditeur de page

    The plugin WEBSECUR allows me to repair the injected files but I dare not use this option; I fear losing my data. What do you think?

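An added example, not part of the original thread or of any plugin named in it: one way to list which `.php` and `.js` files in a live WordPress tree differ from a known-clean copy, as with the `index.php`, `wp-content/index.php` and `.js` files reported above. It assumes a clean reference tree of the same WordPress, theme and plugin versions obtained from a trusted source; the file names, contents and the `build_sample_trees` helper are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".php", ".js"}  # file types reported as altered in the thread

def file_hashes(root):
    """Map relative path -> SHA-256 for every .php/.js file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES}

def compare_to_baseline(live_root, clean_root):
    """Classify live files against the clean reference tree."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),    # not in baseline
        "missing": sorted(f for f in clean if f not in live),  # deleted on live
    }

def build_sample_trees(base):
    """Constructed sample data: a clean tree and a live tree with changes."""
    clean, live = Path(base, "clean"), Path(base, "live")
    files = {
        "index.php": "<?php // front controller (constructed)\n",
        "wp-content/index.php": "<?php\n// Silence is golden.\n",
        "wp-includes/js/example.js": "console.log('ok');\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    for rel in files:  # simulate content appended to existing files
        with (live / rel).open("a") as fh:
            fh.write("/* constructed marker: appended content */\n")
    extra = live / "wp-content/uploads/unexpected.php"  # file absent from baseline
    extra.parent.mkdir(parents=True)
    extra.write_text("<?php // constructed\n")
    return live, clean

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = build_sample_trees(tmp)
        return compare_to_baseline(live, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Files under `wp-content/uploads` and other user data will appear as "added" on a real site; a `.php` file there deserves a manual look before anything is restored from the clean copy.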
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Raises hands*

    A few things: don’t post malware samples or links on this site, those get deleted when found.

    @streetlc Please remain calm and give this a good read.

    https://wordpress.org/support/article/faq-my-site-was-hacked/

    When you have successfully deloused your site then consider giving this a read too.

    https://wordpress.org/support/article/hardening-wordpress/

    I have archived all of the other replies. If you need support then per the forum guidelines please start your own topic.

    https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

    You can do so here.

    https://wordpress.org/support/forum/how-to-and-troubleshooting/#new-post

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    What interests me more than anything now is to know which plugin or update was responsible.

    My webmaster is removing malicious code on the site.

    But we still do not know the flaw that allowed this injection.

    If anyone finds it, do not hesitate to let us know.

    That probably wasn’t part of any update but resulted from an actual hack though it might have been hidden in something else for a time.

    I have seen those kinds of problems sneak in on a nulled theme or plugin.

    Follow through with the hardening process and you’ll have gone a long way toward stopping most of these attacks.

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    Referring to Jan’s post at https://wordpress.org/support/topic/malware-found-injected-script/#post-12108627, it’s time to close this topic.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    Note: Please don’t report this post.

  • The topic ‘Malware Found – Injected Script’ is closed to new replies.