• Resolved sharoncreech

    (@sharoncreech)


    I’m not sure where to start it. It is website from my client and seems to be ainfected more than years a go.

    Recently i’ve installed this great plugin, found a couple files and everything seems to be clean right now but site is still hacked.

    Actually they target Google. If Google visit then you can see link to hack page. If you visit as regular visitor then you do not see anything.

    I tried to search within MySql database but only what i have found there is Viagra from Definition of Gotmls.

    Really do not have any idea what to do. Within htaccess i have blocked terms viagra and cialis and placed 404 rules but i would like to clean
    hack which place hacking viagra link only to google.

    Any idea….

    https://wordpress.org/plugins/gotmls/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Eli

    (@scheeeli)

    Does Google Webmaster Tools show that the site is still infected?

    Can you show me some of evidence of infection so that I can help you determine the source of the problem?

    Thread Starter sharoncreech

    (@sharoncreech)

    Eli thanks for reply.

    Google webmaster does not show anything special regarding infection.

    But here is evidence of infection:

    http://webcache.googleusercontent.com/search?q=cache:jKwnhIdIgiwJ:www.outdoorunlimited.nl/verhuur/+&cd=1&hl=en&ct=clnk (viagra link in footer)
    
    http://webcache.googleusercontent.com/search?q=cache:O321D9oGiPkJ:www.outdoorunlimited.nl/verhuur/attracties/+&cd=6&hl=en&ct=clnk
    (pfizer viagra 50 mg online link on right side)
    
    http://webcache.googleusercontent.com/search?q=cache:oG_FBZu9p6sJ:www.outdoorunlimited.nl/sitemap/+&cd=20&hl=en&ct=clnk

    (legal online viagra link near Exclusief link)
    And they are probably more pages (but not on every page)

    Through webmastertools when i chose fetch and render as Google i can see 2 examples. One is how Google see page (with hack link) and another one how visitors see it and it is without hacking link.

    I have also through your excellent plugin found a 3-4 more infected files (suspec and it like to me as infection) but if i clean that files
    then Google got unfinished redirection while visitor just see usually page.

    Thread Starter sharoncreech

    (@sharoncreech)

    This is for example sure infection public_html/wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/Storage/updater.php
    (suspect files):

    [ Malware code redacted, please do not post that in these forums ]

    And they are 3-4 more but when i clean that files then Google have unfinished redirection.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @sharoncreech Please do not post that code here. If you need to share with the author the consider using pastebin.com and post the link instead.

    Plugin Author Eli

    (@scheeeli)

    http://webcache.googleusercontent.com/search?q=cache:jKwnhIdIgiwJ:www.outdoorunlimited.nl/verhuur/+&cd=1&hl=en&ct=clnk (viagra link in footer)

    http://webcache.googleusercontent.com/search?q=cache:O321D9oGiPkJ:www.outdoorunlimited.nl/verhuur/attracties/+&cd=6&hl=en&ct=clnk
    (pfizer viagra 50 mg online link on right side)

    http://webcache.googleusercontent.com/search?q=cache:oG_FBZu9p6sJ:www.outdoorunlimited.nl/sitemap/+&cd=20&hl=en&ct=clnk

    These were all cached by Google on March 7th and before.

    Do you have any examples of the malicious link showing on pages that were cached after your fixed the Known Threats?

    Thread Starter sharoncreech

    (@sharoncreech)

    Eli,

    That’s are same infected pages. I have show you cache because to see it you must fake your user agent from default to Googlebot 2.1.

    Take a look…

    If you are using Mozilla for example then install this add-ons:
    http://chrispederick.com/work/user-agent-switcher/

    Switch then your user agent to Search Robots – Googlebot 2.1

    Go to http://www.outdoorunlimited.nl/sitemap/ for example and you will see there somewhere link to Cialis or Viagra (this time it showed on another place below link Beroepsonderwijs)

    Then switch again to your defaults user agent and you will see clean page.

    Your plugin is great but unfortunately it did not cleaned up completely website from viagra and cialis hack.

    Thread Starter sharoncreech

    (@sharoncreech)

    Finally.

    I have found issue!!!

    They was inside map theme-compat another map .temp

    And inside were several files “0a13bd065ac3891143624e9662a1b249′
    with code such as:
    “.”

    etc….

    It was main problem. I’m glad that i have found it but not sure what to tell you for your definition to search.

    Maybe all maps and file which starts with .
    If there is for example .temp of .function.php then it is for sure something wrong.

    Thread Starter sharoncreech

    (@sharoncreech)

    And more information. They add inside wp-includes/pomo
    mo.php on line 12:

    require_once dirname(__FILE__) . ‘/configuration.php’;

    It is not integral file from WordPress. Inside configuration they made
    this:
    http://pastebin.com/HYtsGvc9

    Maybe it will be useful to you for making new definition and better Anit-Malware plugin.

    Thank you again.

    ps

    Definition where any files with .filename.php or .folder will be suspected, maybe checking for comparation between integral file and scanned files and maybe you can find something useful from
    http://pastebin.com/HYtsGvc9

    which is actually puur php code used for hacking.

    Thread Starter sharoncreech

    (@sharoncreech)

    Eli,

    If you are interested i have all files which definition did not detected or they gave suspect status.

    I can send you via email if you like.

    Let me know it.

    Cheers,
    Sharon

    Plugin Author Eli

    (@scheeeli)

    Yes please send me any infected files you have that were not detected by my current definitions and I will add them to my definition updates.

    eli AT gotmls DOT net

    Thread Starter sharoncreech

    (@sharoncreech)

    Just send to you.

    Plugin Author Eli

    (@scheeeli)

    Thanks for those files you sent to me. I added the new threats to my definition update.

    I also used the user-agent-switcher to Switch my user agent to Googlebot 2.1 and I don’t see those malicious link in the source code.

    Can you please confirm that you have gotten rid of the infection.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Viagra, Cialis hack’ is closed to new replies.