Support » Fixing WordPress » wordpress exploit, site hacked [newportalse.com]

  • My site is trying to redirect to newportalse.com and Google Chrome is flagging it as hacked. Anyone know how to fix this issue? I found a few possible fixes, but none for this specific one.

    I had my site locked down really well, so I’m confused how it got hacked. they are injecting php and javascript. here is what a malware scanner returned:

    Malware found on javascript file:
    http://www.domain.com/wp-includes/js/l10n.js?ver=20101110

    [Code moderated as per the Forum Rules. Please use the pastebin]

Viewing 15 replies - 46 through 60 (of 66 total)
  • I’ve been hacked by this nonsense as well. I’ve deleted several pieces of malicious code and I was locked out of my WordPress dashboard on one computer because of the warnings. However, on my computer I can access it. (btw Sucuri scan says I’m clean but I found bad code even after that). I have no idea if my site is clean or not, but I feel like it isn’t still because I’m not that code/WordPress savvy.

    It seems now the only safest bet is for me to delete and start over. This is probably a very silly question but I’m not exactly sure how to exactly go about it correctly. I just started wordpress.org last month so I’m very green. Any help is much much appreciated I’ve been stressed about this for days.

      What exactly do I delete and where do I delete it from? (I use bluehost)
      I have my original wordpress.com xml from about a month ago.
      I also have several exported versions of my wordpress.org site via the dashboard > tools > export > export all. Do those include any of the bad malware from the plugins and theme?
      Is the database download from that or something I download on my cPanel (probably another very silly question)

    Any suggestions for some really good and either free or reasonably priced anti-virus plugins/software for WordPress?

    Thanks SOOOO much!

    I wonder if a WordPress update will be out soon to save us all from this nasty and others like it.

    I’d be interested if anyone continues to get flags for this hack after dealing with the Javascript file mentioned. Good luck folks.

    I have, but I’m going to follow Ipstenu’s advice and delete everything except wp-content/uploads, do a fresh install and change all passwords.

    We will see if that works.

    Strange thing is, the Sucuri scan says my site is clean, but I got an email warning from their service?

    I also don’t see any of the files supposed to be there from this guide: http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/

    …after I re-installed WordPress, but I’m going to delete everything and do another fresh install anyway.

    I signed up with Sucuri’s service. Do you think if I don’t get a warning email from them, then my site is clean?

    Again I’m new to WordPress so I’m hesitant on deleting everything because I’m nervous I may mess something up.

    What exactly do I delete and where do I delete it from? (I use bluehost)
    I have my original wordpress.com xml from about a month ago.
    I also have several exported versions of my wordpress.org site via the dashboard > tools > export > export all. Do those include any of the bad malware from the plugins and theme?
    Is the database download from that or something I download on my cPanel (probably another very silly question)

    I’ve followed Ipstenu’s advice to a T and it has been working so far, just keep your hand steady and stay away from wp-content/uploads 😉

    That seems to be where all of your content is, the rest can be easily replaced if it gets deleted (just plugins and things like that, reinstall your theme as well).

    I’m doing this from my FTP client.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    That seems to be where all of your content is

    Exactly, Ciotti 🙂 That’s where your media is.

    Your posts etc. are stored in the database which, thank GOD, has thus far been unaffected.

    However. The reason I tell you to change your SQL password is that if the hackers have read your wp-config.php file, then they know that user ID and password.

    Best practice: Make a special ID for SQL (or for WordPress SQL itself) and use that in your wp-config, with a password ONLY used for that ID.

    @ Ciotti

    I’ve followed Ipstenu’s advice to a T and it has been working so far, just keep your hand steady and stay away from wp-content/uploads 😉

    That seems to be where all of your content is, the rest can be easily replaced if it gets deleted (just plugins and things like that, reinstall your theme as well).

    Because of this, hackers know that you will most likely not overwrite/replace this directory. It may or may not be the source for this most recent widespread attack, but it would be worth your while to examine every file in your uploads directory, wherever it may be.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    it would be worth your while to examine every file in you uploads directory

    Those files will NORMALLY be images and videos. NOT .php files.

    They’re also not CALLED files (in the way that any .js or .php is called by WP), they’re displayed, so they’re … safe(r). But yes, scan the wp-content/uploads folders for anything hinky.

    They’re also not CALLED files (in the way that any .js or .php is called by WP), they’re displayed, so they’re … safe(r). But yes, scan the wp-content/uploads folders for anything hinky.

    Yes, but what about themes and plugins? Do they all work the same?
    What about tmp and cache directories? Is it not possible for a script to be executed (or by any other function) from these directories?

    Done, just want to let everybody know that the recommended course of action worked for me.

    READ THIS POST: http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/

    It goes over some more files that need to be deleted, which in all honesty, should be everything, as stated before in this thread.

    However, some of the files in that post are in the wp-content/uploads file, SO MAKE SURE YOU CHECK IT!

    I have been troubleshooting several sites that have been hit with this attack. I noticed 2 major hacks going around over the past few days. Once you have updated your theme and removed timthumb (or updated it), here is some info on how to help clean up your site.

    If you have already been hit, then the first thing you should do is open wp-config.php and look for any suspicious code. Generally, you should delete everything after:

    require_once(ABSPATH . 'wp-settings.php');

    Check for suspicious whitespace as well. In one of the attacks, hundreds of lines of white space have been added to try and mask the malicious code.

    Next open index.php and delete everything between:

    require('./wp-blog-header.php');

    ?>

    After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as http://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.

    Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It’s also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don’t have any timthumb.php files laying around.
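    A defender-side script implementing the checks from this post (code after the final require in wp-config.php and index.php, blank-line padding, and non-media files under wp-content/uploads, which the thread also discusses), as an added example and not code from the thread or from WordPress. It assumes the stock file layout quoted above; the blank-line limit and the PHP markers are constructed heuristics.

```python
import os
import re
# Checks from the thread: nothing may follow the final require in wp-config.php or
# index.php, blank-line padding hides injected code, and uploads should be media only.
ANCHORS = {"wp-config.php": "wp-settings.php", "index.php": "wp-blog-header.php"}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}
PHP_MARKERS = re.compile(rb"<\?php|\beval\s*\(|base64_decode\s*\(", re.I)

def trailing_code(text, anchor):
    """Non-blank lines after the line containing `anchor`; a bare ?> is tolerated."""
    lines = text.partition(anchor)[2].splitlines()[1:]  # [] if anchor is missing
    return [ln for ln in lines if ln.strip() and ln.strip() != "?>"]

def has_whitespace_padding(text, limit=100):
    """True when `limit` or more consecutive blank lines occur (constructed threshold)."""
    run = longest = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest >= limit

def classify_upload(name, head):
    """Issue for a file under uploads given its name and leading bytes, else None."""
    ext = os.path.splitext(name)[1].lower()
    if ext == ".php":
        return "php file in uploads"
    if ext in IMAGE_EXT and PHP_MARKERS.search(head):
        return "php code hidden in image file"
    return None

def scan_site(wp_root):
    """Run every check against a WordPress install; returns [(path, issue), ...]."""
    findings = []
    for rel, anchor in ANCHORS.items():
        path = os.path.join(wp_root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if trailing_code(text, anchor):
            findings.append((path, "code after final require"))
        if has_whitespace_padding(text):
            findings.append((path, "suspicious whitespace padding"))
    for root, _dirs, files in os.walk(os.path.join(wp_root, "wp-content", "uploads")):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                issue = classify_upload(name, fh.read(65536))
            if issue:
                findings.append((os.path.join(root, name), issue))
    return findings
```

Run `scan_site("/path/to/wordpress")` from the site root; anything it returns deserves a manual look before the reinstall described above.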

    READ THIS POST: http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/

    That site also suggests blocking the referer by putting this in your .htaccess file:
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    These lines may not work for everyone:
    deny from superpuperdomain.com
    deny from superpuperdomain2.com

    Deny based on remote hostname will only work on a server that has reverse-DNS lookups enabled (some don’t).

    Better to use SetEnvIfNoCase Referer. Something like this:
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain\.com ban
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2\.com ban
    deny from env=ban

    So:
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain\.com ban
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2\.com ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all

    Or better yet:
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2?\.com ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    Yes, but what about themes and plugins? Do they all work the same?

    Themes and plugins have files that are .js and .php and those can be called by WordPress. It’s sorta … how they work.

    What I mean by called is that they have code in them that is used.

    A png does NOT. 😀

    Themes and plugins have files that are .js and .php and those can be called by WordPress. It’s sorta … how they work.

    What I mean by called is that they have code in them that is used.

    A png does NOT. 😀

    Oh, I see.

    I have another question, .png, .jpg, .gif are just file extensions. If I have a script written in .php or .js and rename the file extension to .png, .jpg, or .gif, does WordPress know that it’s not an image file? Will the theme and/or plugin not acknowledge it as well? For example, on Windows if you rename a .jpg file to say, .xxx, Microsoft Paint will still open it. (This is an analogy using Windows 🙁 , but I hope you can see where I’m coming from.)

    Can I just do a FRESH INSTALL of WordPress at another folder and then copy and overwrite the WP-CONTENTS/UPLOAD at the new folder?

    Will these restore all my post, media and comments?
