Search Hacked

  • Our WP install was hacked and the hosting company caught it and deleted the files (see below).

    The site looks to function normally apart from Google Custom Search which shows some search results for Viagra/Cialis etc. – but when you click on the link it takes you to the regular content which appears as normal (presumably the hack would have redirected the click through to another site had the files not been deleted).

    Any suggestions for a solution apart from not using the plugin?

    A routine security check on the server found that your account - sitename.org - was being actively exploited.
    
    The malicious files:
    
    /home/sitename/public_html/auth.php: PUA.HTML.Crypt-8 FOUND
    /home/sitename/public_html/.smileys/hash_keyword.php: PUA.HTML.Crypt-8 FOUND
    
    were found to exist on your account. Due to the nature of these files, these have been removed from your hosting account.
    
    Additionally, the following malicious files were also found on your account:
    
    /home/sitename/public_html/phplist/admin/lan/pl/checkbouncerules.php: PUA.HTML.Crypt-8 FOUND
    
    base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/themes/weaver-ii-pro/includes/admin-advancedopts.php
    base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/plugins/events-planner-pro1.2.14/application/controllers/epl-form-manager.php
    base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/plugins/jetpack/modules/comments/base.php
    gzbase64.inject.unclassed.14 : /home/sitename/public_html/wp/wp-content/plugins/cforms/js/include/lib_database_getentries.php
    base64.inject.unclassed.7 : /home/sitename/public_html/federation/simapi-1.0.0/sampleStore/order-privacy.php
    gzbase64.inject.unclassed.14 : /home/sitename/public_html/federation/donate.php
    gzbase64.inject.unclassed.14 : /home/sitename/public_html/zencart/zc_admin/includes/modules/newsletters/product_notification.php
    php.exe.globals.4707 : /home/sitename/public_html/zencart/images/f0969.php
    php.exe.globals.4707 : /home/sitename/public_html/zencart/images/eddea.php
    php.exe.globals.4707 : /home/sitename/public_html/zencart/images/fbd79.php
    base64.inject.unclassed.7 : /home/sitename/public_html/zencart/includes/languages/english/extra_definitions/product_music.php
    base64.inject.unclassed.7 : /home/sitename/public_html/zencart/includes/modules/category_icon_display.php
    base64.inject.unclassed.7 : /home/sitename/public_html/zencart/includes/modules/sideboxes/document_categories.php
    base64.inject.unclassed.7 : /home/sitename/public_html/phplist/admin/lan/nl/generatebouncerules.php
    gzbase64.inject.unclassed.14 : /home/sitename/public_html/wiki/lib/plugins/config/lang/ko/lang.php
    base64.inject.unclassed.7 : /home/sitename/public_html/wiki/lib/exe/xmlrpc.php
    base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/packages/DB/sqlite.php
    base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/packages/htmlpurifier/library/HTMLPurifier/HTMLModule/Target.php
    base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/CRM/Project/BAO/TaskStatus.php
    
    Investigating this found that the file - /home/sitename/public_html/logout.class.php - which looks to have been the cause of a lot of these exploits - was uploaded via FTP to your account.

    http://wordpress.org/extend/plugins/google-custom-search/
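
Added example, not part of the original post or the host's tooling: a short Python parser for the two line formats in the report quoted above, grouping flagged files by the first directory under the docroot so the scope of cleanup across the account is visible. The function names `parse_report` and `group_by_app` are hypothetical, and `REPORT` holds a subset of lines copied from the report.

```python
import re
from collections import defaultdict

# Subset of lines copied from the host's report quoted in the post (both formats).
REPORT = """\
/home/sitename/public_html/auth.php: PUA.HTML.Crypt-8 FOUND
/home/sitename/public_html/.smileys/hash_keyword.php: PUA.HTML.Crypt-8 FOUND
base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/plugins/jetpack/modules/comments/base.php
gzbase64.inject.unclassed.14 : /home/sitename/public_html/wp/wp-content/plugins/cforms/js/include/lib_database_getentries.php
php.exe.globals.4707 : /home/sitename/public_html/zencart/images/f0969.php
gzbase64.inject.unclassed.14 : /home/sitename/public_html/wiki/lib/plugins/config/lang/ko/lang.php
base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/CRM/Project/BAO/TaskStatus.php
"""

# First list in the report: "path: SIGNATURE FOUND"
PATH_FIRST = re.compile(r"^(?P<path>/\S+): (?P<sig>\S+) FOUND$")
# Second list in the report: "signature : path"
SIG_FIRST = re.compile(r"^(?P<sig>\S+) : (?P<path>/\S+)$")


def parse_report(text):
    """Return (signature, path) pairs; lines matching neither format are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = PATH_FIRST.match(line) or SIG_FIRST.match(line)
        if m:
            hits.append((m["sig"], m["path"]))
    return hits


def group_by_app(hits, docroot="/home/sitename/public_html/"):
    """Group hits by first directory under the docroot; loose files go under '(docroot)'."""
    apps = defaultdict(list)
    for sig, path in hits:
        rel = path[len(docroot):] if path.startswith(docroot) else path
        head, sep, _ = rel.partition("/")
        apps[head if sep else "(docroot)"].append((sig, rel))
    return dict(apps)


if __name__ == "__main__":
    for app, items in sorted(group_by_app(parse_report(REPORT)).items()):
        print(f"{app}: {len(items)} flagged")
        for sig, rel in items:
            print(f"    {sig:32} {rel}")
```
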

  • The topic ‘Search Hacked’ is closed to new replies.