nav-menu.php HACKED

  • Hi everyone,

    I run around 30 or so WordPress websites on the same server, and every now and then I get this strange hack that seems to infect the nav-menu.php file that changes the .htaccess permissions to 444. Each time it happens every site on my server gets infected, which is really annoying. It’s a fairly easy fix – 1. Re-install WordPress 2. Change .htaccess to 644 – and it runs fine until the next time…

    This time it has happened I’ve tried to find the root cause, and I have noticed every site with the plugin ‘w3 total cache’ is one of the ones it infects first. Previous to this I have done the usual (upgrade themes, plugins, etc.) but it still keeps happening.

    My question to all of you is: has anyone had this issue before? Know of any root causes? Etc.

    Any input would be greatly appreciated.

    Thank you in advance

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter snickersvickers

    (@snickersvickers)

    The infected line is at 487 nav-menu.php

    [ Malware redacted, please do not post that code in these forums ]

    Hi,

    I have the same problem. The effects are the same. But I don’t find the gateway. I don’t use the plugin ‘w3 total cache’.

    I changed all passwords and deleted the files was-wr.php and wpa-wr.php in wp-includes. I changed the wp-config security keys. I also set the .htaccess and nav-menu.php to 444, but with no effect.

    I have also done everything that is recommended on this site: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html

    Is there anybody out there who knows which plugin or other stuff can be the gateway for this malware?

    Best regards
    Andreas

    Hi,

    I have exactly the same problem, and am also looking for a solution! This is extremely frustrating.

    I would appreciate any pointers to finding a solution!

    Kind regards,
    Sasha

    I have installed Wordfence and WP Security. For the last 5 days all is fine. I hope it doesn’t come back.

    Thread Starter snickersvickers

    (@snickersvickers)

    UPDATE: I’ve recently separated all my domains to their own webspace and cPanel etc. and moved hosts. The last thing I did to them prior to this was reinstall the core WordPress files (not overwriting but deleting wp-admin, wp-includes, root files then uploading a fresh copy).

    So far nothing has been infected, but if one of them does I’ll post it up on here.

    My other suspicion is the host I was on (JustHost) was being an easy target for their IP addresses and servers etc… maybe, I don’t know for sure.

    Following for updates…

    Thread Starter snickersvickers

    (@snickersvickers)

    UPDATE ———————-

    Since re-installing WordPress (not overwriting but deleting wp-admin, wp-includes, root files then uploading a fresh copy) and moving to a new server with separated cPanel accounts for each domain, I have still not had any attacks. I must add I have done a few things on the server to harden the security within the Apache module.

    On a side note, it would be useful for people to list their themes and plugins so I can cross-reference them with my websites’ themes and plugins. Perhaps I can narrow it down to help others where the issue may be.

    iheartwine

    (@iheartwine)

    @snickersvickers did you ever use any nulled themes? I also have a similar number of WP sites on my hosting and am also struggling with this issue. I have installed almost everywhere iThemes Security + Sucuri Security (I don’t know if this is a good team for the fight – any advice would be appreciated). For a couple of days it did the trick, but now it’s back again.

    I have installed the Super Cache plugin, so I wouldn’t link the issue with W3.
    I can also give my brief updates about the fight with this scumbag 😉

    iheartwine

    (@iheartwine)

    Guys, I found this article:
    http://securityaffairs.co/wordpress/35431/cyber-crime/revslider-plugin-vulnerable.html

    On my hosting two sites were using Revolution Slider, maybe that is the reason.

    Thread Starter snickersvickers

    (@snickersvickers)

    I’d certainly agree that Rev Slider is a potential culprit, as nearly every one of my sites had it installed.

    I also believe my users were using nulled themes and scripts too.

    Since I’ve moved server and did what I mentioned earlier in the post I’ve not had any issues 🙂

    This ‘teaserguide’ problem affects all sites hosted on my Bluehost cPanel account. It comes back about every 6 days. I manually remove the javascript from the header.php file and keep updating plugins, but it keeps coming back.

    I found a “payload” file mentioned in one of the logs so I searched the File Manager for “payload” and found many files in the root of “public_html”. They were a mix of .php files and .txt files. I deleted them, but I do not know to what effect.

    I also found a log in ‘tmp > slow_sql’ directory that mentioned Jetpack’s protect being changed to a “214” number. I’m assuming this may be a variation of how the hack is happening: one exploit changing another exploit.

    If I had to guess what is happening, something in cPanel is vulnerable and being exploited. Once exploited, a scan of all directories and users is done (I saw the userquota files), this creates a guide for the payloads. Then the payloads run.

    My next step is to call Bluehost’s security team and explain what I’ve found to see if they can find the cPanel vulnerability.

    Following for updates…

    I’m having the same problems, and even after installing Wordfence, restoring all nav-menu and wp-settings files across each directory AND enabling Cloudflare the files still got corrupted!

    It’s absolutely frustrating and I have no idea what the problem is

    Check out the comments on this thread for how to clean: https://wordpress.org/support/topic/js-injection-after-wp/page/2
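
Added example (not from any poster in this thread): a read-only triage pass that checks each WordPress root on a shared server for the indicators reported above: .htaccess at mode 444, was-wr.php / wpa-wr.php in wp-includes, payload-named files in the web root, and altered nav-menu.php / wp-settings.php. The function names, the constructed demo tree and the comparison against a freshly unpacked copy of the same WordPress version are assumptions of this example.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Indicators come from the posts above; the clean reference copy is an assumption.
DROPPED = ("was-wr.php", "wpa-wr.php")            # reported in wp-includes
CORE_FILES = ("wp-includes/nav-menu.php", "wp-settings.php")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage_site(site, clean):
    """Findings for one WordPress root, compared with a fresh copy of the
    same WordPress version unpacked at `clean`. Nothing is modified."""
    site, clean, findings = Path(site), Path(clean), []
    ht = site / ".htaccess"
    if ht.is_file() and stat.S_IMODE(ht.stat().st_mode) == 0o444:
        findings.append(".htaccess mode is 444")
    for name in DROPPED:
        if (site / "wp-includes" / name).exists():
            findings.append(f"unexpected file wp-includes/{name}")
    for rel in CORE_FILES:
        f, ref = site / rel, clean / rel
        if f.is_file() and ref.is_file() and sha256(f) != sha256(ref):
            findings.append(f"{rel} differs from clean copy")
    for f in sorted(site.iterdir()):
        if f.is_file() and "payload" in f.name.lower() and f.suffix in (".php", ".txt"):
            findings.append(f"payload-named file {f.name}")
    return findings

def triage_server(docroots, clean):
    """Map each flagged docroot to its findings; unflagged sites are omitted."""
    report = {str(d): triage_site(d, clean) for d in docroots}
    return {d: found for d, found in report.items() if found}

def build_demo(base):
    """Constructed sample: a clean reference, one clean site, one altered site."""
    base = Path(base)
    for name in ("clean", "site_ok", "site_bad"):
        (base / name / "wp-includes").mkdir(parents=True)
        (base / name / "wp-includes/nav-menu.php").write_text("<?php // core\n")
        (base / name / "wp-settings.php").write_text("<?php // settings\n")
    bad = base / "site_bad"
    (bad / "wp-includes/nav-menu.php").write_text("<?php // core\n// CONSTRUCTED-CHANGE\n")
    (bad / "wp-includes/wpa-wr.php").write_text("placeholder")
    (bad / "payload1.txt").write_text("placeholder")
    (bad / ".htaccess").write_text("# constructed\n")
    os.chmod(bad / ".htaccess", 0o444)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = build_demo(tmp)
        print(triage_server([base / "site_ok", base / "site_bad"], base / "clean"))
```

Where WP-CLI is installed, `wp core verify-checksums` performs the core-file comparison against the official checksums without needing a local reference copy.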
