Site hacked – nemonn tag infected with scam description

danihunt
(@danihunt)

11 years, 4 months ago

Hi & thank you for your help. I understand basic html & css but am no guru so please keep it simple if possible 🙂

I have 2 sites running on wordpress… frances-hunt.com & danihunt.com. They are on the same server. Both sites have been hacked. Basically, a ‘nemonn’ tag has been added, with scam text about money loaning. This is now showing up as the site description when I post to sites like Facebook. I’m eager to get rid of it!

If you visit the sites and click ‘view source’ you can see the problem half way down. I have opened up every file I can in search of the text but can’t find it anywhere to delete it. How can I find it and remove it?

Just a quick note too that I went to great length to make the log-in secure, installing wp-admin in a secondary folder and creating secure passwords, so I think this code was added without hacking in using logins and passwords. Any idea how I can prevent it in the future?

Thank you so much for your time and brains! Dani.

Viewing 15 replies - 1 through 15 (of 22 total)

1 2 →

WPyogi
(@wpyogi)

11 years, 4 months ago

Interesting as I saw another site with the same hack yesterday on here… but it showed clean on Securi. These are the usual suggested resources:
Resources:

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://codex.wordpress.org/Hardening_WordPress
http://www.studiopress.com/tips/wordpress-site-security.htm

kennyknapp
(@kennyknapp)

11 years, 4 months ago

just wanted to chime in and say I was having the same problem. still working on a solution.

Mark Ratledge
(@songdogtech)

11 years, 4 months ago

@danihunt and @kennyknapp:

It probably has a lot to do with GoDaddy. Shared hosts can allow hack vectors from other insecure shared accounts on the same server. GoDaddy is not generally considered to be a secure host.

kennyknapp
(@kennyknapp)

11 years, 4 months ago

fixed it:

Looks like the spam-bot (or whatever) added the code to the header.php file of the active theme. It was no big deal to remove everything between the tags:  and  right before the <body> tag.

@songdogtech – yep, shared hosting can be a treacherous place but, to my knowledge, my client’s site is not hosted on GoDaddy or anywhere in their upstream (WildWestDomains, etc.); just fyi.

Mark Ratledge
(@songdogtech)

11 years, 4 months ago

@kennyknapp: @danihunt is on GoDaddy. And “WildWestDomains” sounds about as reliable as GoDaddy. If you only removed that spam link, you haven’t done a complete job of cleaning the hack.

kennyknapp
(@kennyknapp)

11 years, 4 months ago

@songdogtech: after removing the injected code, there doesn’t appear to be any residual problem in any theme functions.php file and I’ve also re-installed the WP 3.4.2 files. We’re going to follow the additional recommendations at http://codex.wordpress.org/FAQ_My_site_was_hacked. What other resources do you advise for securing a WP installation?

Mark Ratledge
(@songdogtech)

11 years, 4 months ago

Read the standard links that we all recommend, like WPyogi posted above.

Bev
(@bstofko)

11 years, 4 months ago

I got this hack as well with Netfirms hosting.

WPyogi
(@wpyogi)

11 years, 4 months ago

Same advice applies — hacks are not always limited to one host by any means, though it’s common for them to affect multiple sites on shared servers.

Bev
(@bstofko)

11 years, 4 months ago

More info on this hack can be found here: http://wordpress.org/support/topic/hackedmalware-need-help-please

GranPaSmurf
(@granpasmurf)

11 years, 4 months ago

Me too. I have about a dozen sites on GoDaddy. I thought they were pretty reliable at preventing cross server hacks. I guess I got the wrong memo.
The hacked site has the ‘nemonn’ verbage. I can’t tell if it’s a phishing site, but makes no diff, I need to cure it. I am working through the instructions posted here, so far the scanners are not catching it.
I am confounded by Secret Security Keys. Never heard of them and don’t yet know what to do about them.

willt87
(@willt87)

11 years, 4 months ago

A client of mine was hacked with ‘neonmm’ in recent days on GoDaddy hosting.

I found a base64_decode file called upgrade-merrili-janean.php in the core wp-admin directory, which I’m pretty sure is connected.

Hope this helps someone.

willt87
(@willt87)

11 years, 4 months ago

This is what I have found out about “nemonn”

Just removing the obfuscated javascript from the header will not work permanently.

There will be an additional base64 coded file elsewhere (the backdoor)- and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

Just updating / reinstalling WordPress from the admin won’t remove this file.

Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

Mark Ratledge
(@songdogtech)

11 years, 4 months ago

@willt87 said:

Just removing the obfuscated javascript from the header will not work permanently.

Yes, one needs to read all the links posted by @wpyogi above to completely clean the hack.

Bev
(@bstofko)

11 years, 4 months ago

FWIW – my base64 backdoor was named weather-de.php and was found under “plugins”.