WordPress.org

Forums

[closed] Pharma Hack Attack? (14 posts)

  1. CB12061977
    Blocked
    Posted 1 year ago #

    This all happened before I upgraded to WP 3.8.1, at which time I wasn't exploited... but basically... I have a lot of WordPress POSTS that now have hidden code leading to pharmacy and porn ads. The code starts with "<div style="display: none;">" and then goes on quite a while, and it has affected THOUSANDS of posts.

    Is there something I can do by searching SQL, or a plug-in, that can remove these codes all at once, or do I have to go through every post manually?

    It appears the data relating to photos that I uploaded prior to January 15 also have this problem. Sadly, it's not the same code everywhere either, but it's always a string at the top of my post data.

    The sooner I can find a fix, the better. Google hasn't slapped me yet.

  2. Pioneer Web Design
    Member
    Posted 1 year ago #

  3. CB12061977
    Blocked
    Posted 1 year ago #

    Thank you very much. I've looked into several of those links that you shared already, but the thing I am trying to figure out is how to clean up the old posts that were affected. I have asked my web hosts if anything is backed up, but beyond that, I'm frustrated.

    Sucuri scanner isn't coming up with any of it at all, for some reason :(

  4. Pioneer Web Design
    Member
    Posted 1 year ago #

    Sucuri scanner isn't coming up with any of it at all, for some reason

    They are not the only ones who can provide such. That said, without a link to your site that may be pure conjecture.

  5. CB12061977
    Blocked
    Posted 1 year ago #

    The Unmaskparasites link you shared with me did yield some matches when I typed in an exact URL and not the home page. But, there's still no way to know how to clean up the posts that are there, to get rid of everything between the <div style="display: none;"> and the other "div"

  6. Pioneer Web Design
    Member
    Posted 1 year ago #

    I suggest you study each of the links above. The fix will not take 15 minutes. If you cannot resolve it, hire an expert.

  7. CB12061977
    Blocked
    Posted 1 year ago #

    You are awfully condescending to a first time poster.

    I have checked those links. They don't answer my questions.

    I asked a VERY simple question, that you've ignored twice. It shouldn't require an "expert." You say I can find the answer within 15 minutes. Guess what? I can't. So I came here to ask for help.

    Can someone else help me since you clearly are not interested?

  8. Pioneer Web Design
    Member
    Posted 1 year ago #

    Each & every moderator here would point you to same advise. You are not the first to post of such issues and surely not the last to look for a magical solution. Please review this forum for such and you will see that this is the best advise we can give you.

  9. CB12061977
    Blocked
    Posted 1 year ago #

    If this is a problem that many people have had, there should be a solution that we're told should work, here.

    I don't understand technical issues. I just know that I'm facing something scary, and you're acting all superior rather than offering to be helpful. If there are solutions? Point me to them. But NONE of those links you gave me, told me anything I didn't see or know before I came here. I know what I need to do for security, but my question (which again, you ignored) is how do I clean up the problems I had before. I wouldn't come here and ask a question unless I hadn't exhausted every single thing that I checked out.

  10. Pioneer Web Design
    Member
    Posted 1 year ago #

    The help has been given. I am sorry that you do not understand it. Again, please consult an expert.

  11. You are awfully condescending to a first time poster.

    I've deleted the argumentative posts including the ones from 1cliquemedia. Please keep support on track and don't make personal attacks like that.

    Is there something I can do by searching SQL, or a plug-in, that can remove these codes all at once, or do I have to go through every post manually?

    It may be possible to do a global search and replace in mysql but I'm not aware of a plugin to do that. Also the inserted codes in that post would have to be 100% identical for that to work.

    http://wordpress.org/plugins/search.php?q=search+and+replace

    Make sure you have a good backup of your files and database. Search and replace like that can seriously make things worse if you're not sure what you are doing.

    http://codex.wordpress.org/WordPress_Backups
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    If this is a problem that many people have had, there should be a solution that we're told should work, here.

    There's no easy way to fix it and your WordPress installation was compromised. That's not a WordPress issue it's a problem with your installation.

    I have checked those links. They don't answer my questions.

    They answer the question that you didn't ask which was "How can I prevent this from happening again?" and that's really critical. If you just remove the code but do not do anything to close the door that was exploited then you'll just have to deal with this all over again.

    That's why that boiler plate list of articles are posted. Yes, it is copy and paste but the list is good and again there is no quick and easy way to fix your problem.

    I know you are not technical (your words) but you have a technical problem that requires a technical solution. Those articles can be tricky for some people and there's no shame or harm in seeking professional help to delouse your installation.

  12. A link everyone forgot about pharma is this one: http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

    Please note how they say searching for those entities in the database should work. Should is the key word. Most of the time they do, but I deal with hacked sites every day, and they don't always work. So it's going to be a mix of manual and searches and manual following up and it totally absolutely sucks to the nth degree. I hate DB hacks.

  13. CB12061977
    Blocked
    Posted 1 year ago #

    Fair that you deleted argumentative posts, but I see all of the snide comments from "Pioneer Valley Web Design" -- making me look like a total idiot -- remain. I've searched this forum and seen that he's done this to many people. It's really frustrating and disappointing, but I'm so glad more people have chimed in.

    I didn't mention it in my OP, but I have taken many of the steps to prevent this from happening again, so I feel that aspect of things seems to be taken care of. (Knock on wood) That's why I didn't ask. The real question that I had and I still have is still what to do with the old posts. Additionally, I've seen a lot of these posts mentioning corrupt or changed php files; in this case, my individual posts prior to 1/15 seem to have all been edited, which is something I haven't seen a lot of talk about in any of the many pages I've checked on this.

    Ipstenu, I appreciate that link you shared. I did find "ftp_credentials" within my wp_options which I wouldn't have noticed to look for without your link, so thank you.

    Perhaps you are right, Jan, that I should look into a professional for help on this (and being nice about it). I do have my web hosting people on it to look for solutions, but I know I may have to go elsewhere for the root of the problem. I still have additional worries there, including cost or trustworthiness of the person doing the fix, so, of course, there are associated worries there. But thank you both for giving me some helpful tips.

  14. Pioneer Valley Web - Stop posting in this thread. You're meaning well, but you're not communicating clearly and making the situation worse. Your posts have been deleted.

    CB12061977 - Don't call him names. That doesn't help and you know that too.

    BACK ON TOPIC

    The real question that I had and I still have is still what to do with the old posts. [...] in this case, my individual posts prior to 1/15 seem to have all been edited

    You'll have to edit them and fix them, or get a restore of yoru DB if your host has one. Many keep them for 30 days (I make my own as well because I'm a tinfoil hat person).

    Basically the content was edited directly so it has to be fixed directly :(

Topic Closed

This topic has been closed to new replies.

About this Topic