site hacked. help please?

  • My client’s website has been hacked. A few pages of the site have “cialis” titles in Google, and display “cialis” info when you paste a link to the page into Facebook. One visitor was actually served a spam “cialis for order” page when visiting the site and sent a screenshot, but I cannot recreate that issue. The problem can be seen here: hacked and here’s a screenshot of what one visitor saw: screenshot

    It appears to be some version of the “pharma” hack, but I’ve searched through every folder/file on the server and I can’t find anything that looks suspicious. The code on all the pages looks fine – there are no visible links or redirects. htaccess is fine. I’ve looked for the files listed here and searched the database for these entries: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php and didn’t find anything. I’ve spent the last few hours doing a directory comparison with the original install files and didn’t find anything awry.

    Does anyone have any info on how to find and fix this? Any help is appreciated.

Viewing 15 replies - 1 through 15 (of 21 total)
  • Have you confirmed that the theme files do not contain base64 code that might look something like:
    [Code removed]

    There’s nothing like that in any of the theme files. I checked the child theme and genesis, just checked the inactive 2013 theme files (holy crap, there are a lot of them…) and I had already deleted the other inactive themes. :/

    I was looking through all of the wp_option names in the database and found “rewrite_rules” in there. I don’t see that listed in the codex option reference. Could that be it?

    Update: when I run the site through http://sitecheck.sucuri.net/ it comes back clean. When I use the “Fetch as Google” tool, I see the correct page info. I asked the hosting company to check through the files and they couldn’t find anything either. Clearly there is an issue as the titles are all still showing up with “cialis” info in search results.

    Does anyone have any thoughts on how to resolve this? I feel terrible – this site is for a non-profit kids/education related organization.

    Does this happen across all browsers?

    Check your site from a different computer or web browser.

    It is possible your browser is infected with local malware… which can often display this type of behavior.

    I’ve already changed all of the passwords, secret keys and checked the htaccess files, and I’ve literally opened and scanned through every theme php file and I’ve done a directory comparison through EVERYTHING and there are no “extra” files anywhere. None of the wp_options rows listed as the problem are in the database. But thanks for the links, Esmi. I’ve gone through most of them, but there are a couple I haven’t seen, so I’ll check those out.

    Yes, Josh, I see the altered titles in Google on Chrome, Firefox and IE. Initially I thought the user that was served the “cialis” page had a virus or malware as I cannot recreate the issue of actually seeing the “cialis” page: Screenshot from other person. But since I’m seeing altered info in Google and Yahoo I don’t think it’s a computer issue.

    Have you tried using another computer?

    You mentioned checking files but you didn’t say anything about checking your database…

    Yes, when I do a Google site search on my Android phone, I get “cialis” page titles. If I click on them, it takes me to the correct site and everything looks just fine.

    I searched through wp_options in the database and didn’t find any of the names the help files said to delete. I actually printed out all of the rows in wp_options and started going through them one by one to make sure they all belong. So far the only questionable entry was rewrite_rules.

    May I suggest that you try looking through the wp_posts table?

    Browse through the “Posts” table within the database, check to see if you can spot something malicious there.

    What should I look for in wp_posts?

    I did see one user without an email address in the db, which seems odd, but they’re only a subscriber. I’m not sure how to check to see if that user has changed/added anything?

    What should I look for in wp_posts?

    You need to actually look at the post titles and content to see if any links have been inserted into the database itself.

    I did see one user without an email address in the db, which seems odd,

    That’s more than odd. That’s downright seriously suspicious! WordPress will never allow anyone to register on a site without an email address. Remove that user.
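
An added example, not part of the original thread: the two database checks suggested in the replies above, written in Python with sqlite3. It scans wp_posts titles and content for spam terms or hidden-link markup, and lists accounts with no email address together with how many wp_posts rows each one authored. The sample rows, the pattern list and the function names are constructed for illustration; the column names are WordPress's own.

```python
import sqlite3

# Constructed sample data using real wp_posts / wp_users column names.
SCHEMA = """
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
    post_title TEXT, post_content TEXT, post_status TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
"""
SAMPLE_POSTS = [
    (1, 1, "Summer reading program", "<p>Sign up at the library.</p>", "publish"),
    (2, 1, "Volunteer day", '<p>Join us!</p><div style="display:none">'
     '<a href="http://pills.example/">cialis for order</a></div>', "publish"),
    (3, 7, "Buy Cialis online", "<p>placeholder</p>", "draft"),
]
SAMPLE_USERS = [(1, "admin", "admin@example.org"), (7, "jsmith", "")]

# "cialis" is the term reported in the thread; the rest are assumed patterns
# (another spam word, markup commonly used to hide injected links).
PATTERNS = ["cialis", "viagra", "display:none", "visibility:hidden", "<iframe"]

def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", SAMPLE_POSTS)
    db.executemany("INSERT INTO wp_users VALUES (?,?,?)", SAMPLE_USERS)
    return db

def find_suspicious_posts(db, patterns=PATTERNS):
    """Return {post_id: [patterns found in its title or content]}."""
    hits = {}
    for pat in patterns:
        like = f"%{pat}%"
        rows = db.execute(
            "SELECT ID FROM wp_posts WHERE LOWER(post_title) LIKE ? "
            "OR LOWER(post_content) LIKE ? ORDER BY ID", (like, like))
        for (post_id,) in rows:
            hits.setdefault(post_id, []).append(pat)
    return hits

def find_users_without_email(db):
    """Return (ID, login, authored_rows) for accounts with no email address."""
    return db.execute(
        "SELECT u.ID, u.user_login, COUNT(p.ID) FROM wp_users u "
        "LEFT JOIN wp_posts p ON p.post_author = u.ID "
        "WHERE u.user_email IS NULL OR TRIM(u.user_email) = '' "
        "GROUP BY u.ID, u.user_login ORDER BY u.ID").fetchall()

if __name__ == "__main__":
    db = load_sample()
    print(find_suspicious_posts(db)); print(find_users_without_email(db))
```

The SELECT statements use only standard SQL, so they can also be run against the live tables in phpMyAdmin or the mysql client, with the `?` placeholders replaced by quoted patterns.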
