• Hi all,

    Short question as I am at a loss. My site, mmacentral.nl, has been hacked apparently. Ran WordFence and the plugin Social Sharing Toolkit seemed to be the culprit. So, deleted the plugin and all relevant suspicious files through WordFence – all is good! or so I thought. Not the case. All my links lead to downloading the following file: “100117_akt.zip”. From destinymeeting.ru apparently. Browser or browser type does not matter. Antivirus scan (NOD32) turned up zero infected files.

    Anyone familiar with this particular malware / spamware and has a solution?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    Hi,

    You could start by checking the Header.php or footer.php for injection, it looks like all your URLs are redirecting to destinymeeting [dot] ru /100117_akt.zip. I would also take a look into the .htaccess file of your website for any 302 redirects.

    ~$ wget http://mmacentral.nl/mma-organisaties/ufc/
    --2017-01-10 15:33:05--  http://mmacentral.nl/mma-organisaties/ufc/
    Resolving mmacentral.nl (mmacentral.nl)... 188.93.150.44
    Connecting to mmacentral.nl (mmacentral.nl)|188.93.150.44|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://destinymeeting.ru/100117_akt.zip [following]
    --2017-01-10 15:33:05--  http://destinymeeting.ru/100117_akt.zip
    Resolving destinymeeting.ru (destinymeeting.ru)... 31.28.24.134

    Let me know if you can’t find the malware and I’ll provide some other suggestions.

    Thread Starter mmacentral

    (@mmacentral)

    Hi Steve, thanks for the help there. Following the guide currently. A lot ends up with me having to pay (a lot) for a service which is my last resort.

    Georged – looked in the footer and header, nothing strange turns up. .htaccess is not present in my root directory when using an FTP: is it not there or should I look for it elsewhere?

    By default you should have a .htaccess file created on your account in the /public_html/ directory, make sure your FTP client is set to show hidden files (dotfiles)

    Thread Starter mmacentral

    (@mmacentral)

    Georged8 – I found it, the malicious code was indeed in the .htaccess file and seemed to be injected by the social plugin mentioned before.
    Thank you VERY much for your quick help. Cost me three hours of my life but learned something new I guess. Why anyone would do this to an insignificant Dutch MMA website is beyond me, but oh well.

    Glad I could help you out! 🙂 They just scan for vulnerabilities in general, I’m pretty sure they were not targeting you in particular.
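
Added example (not part of any post in this thread): a Python sketch of the check that resolved it, walking a web root for every `.htaccess` file, hidden ones included, and flagging redirect directives whose target is off-site. The sample rules and the names `example.org` and `malicious.example` are constructed; the thread does not show the actual injected lines.

```python
import os
import re
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
DIRECTIVE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b(.*)$", re.I)
URL = re.compile(r"https?://[^\s\"'\]]+", re.I)

def external_redirects(text, own_domain):
    """Return (line_no, host, line) for each redirect directive that points off-site."""
    own_domain = own_domain.lower()
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        for url in URL.findall(m.group(2)):
            host = (urlparse(url).hostname or "").lower()
            if host != own_domain and not host.endswith("." + own_domain):
                hits.append((no, host, line.strip()))
    return hits

def scan_webroot(root, own_domain):
    """Check every .htaccess under root; os.walk sees dotfiles an FTP client may hide."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_redirects(fh.read(), own_domain)
            if hits:
                findings[path] = hits
    return findings

# Constructed sample: stock WordPress rules followed by one injected-style 302 rule.
SAMPLE = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^(.*)$ http://malicious.example/payload.zip [R=302,L]
RedirectMatch 301 ^/old/(.*)$ http://www.example.org/new/$1
"""
```

Call `scan_webroot()` with the site's document root and its own domain; any path it returns deserves a manual look before the file is restored from a known-good copy.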

    Georged8,

    I too have been hacked by the same malware as mmacentral (above). All my links lead to downloading the following file: “100117_akt.zip”. From destinymeeting.ru. How do I go about removing this? I’m willing to follow instructions. Paying to have this fixed is expensive. Any help would be greatly appreciated. Thank you for your time.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.


The topic ‘Site Hacked’ is closed to new replies.