Viagra Hack on Church Site

crossview
(@crossview)

11 years, 7 months ago

So, I volunteered to manage a site for our church, and it has now been hacked with VIAGRA ads. I have read everything I can find in the forums and support articles. I don’t have a decent backup of the site from before it was hacked as it has only been up and running for a few weeks and we have been continually tweaking things. I didn’t want to make a backup until it was relatively finished…I know, I know.

Anyway, the good news is that since we are using a custom theme from Themeforest the malicious code doesn’t display on our site due to it being masked by the custom header graphic. The bad news is that it affects the snippet that it displayed in our Google search results. Causing our search results to look like this “Get FREE Viagra. Crossview Community Church.” While you and I might think that is hilarious, and might in fact increase church attendance, I don’t think my church’s leadership will agree.

The site url is http://www.crossviewcommunity.com

But like I said you can’t really see the problem there. Running the following google search is much more enlightening: Viagra site: http://www.crossviewcommunity.com

You will see that the various Viagra ads are injected into the snippet.

Any help would be greatly appreciated.

Viewing 3 replies - 1 through 3 (of 3 total)

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

11 years, 7 months ago

While you and I might think that is hilarious, and might in fact increase church attendance, I don’t think my church’s leadership will agree.

While the juvenile sense of humor in my is inclined to reply, I’ll just let that one pass…

That site comes up clean in the Sucuri SiteCheck but that’s not always 100% indicative of a hack.

http://sitecheck.sucuri.net/results/www.crossviewcommunity.com/

Unmask Parasites does confirm what you’ve mentioned.

http://www.unmaskparasites.com/security-report/

It could be your .htaccess file. Check your .htaccess file for anything that you don’t recognize. Post it to pastebin,com, provide us the link and we can take a look.

Thread Starter crossview
(@crossview)

11 years, 7 months ago

I haven’t used pastebin before so I hope I’m doing this right…
http://pastebin.com/raw.php?i=ipPgMcnD

There isn’t much in my .htaccess file. Certainly nothing that looks suspicious to my eyes.

Thanks Jan for looking at this with me.

Thread Starter crossview
(@crossview)

11 years, 7 months ago

Update…I have installed the Wordfence plugin and it revealed several core files that had been suspiciously modified as well as some added files that didn’t belong to any theme or plugin. There was also a suspected “Shell Attack” whatever that is… anyway I either reverted to the original core file or deleted the suspicious file and my site appears to be clean for now.

I ran the sitecheck and unmaskparasites scans above and both show no indications of compromise. Is there anyway to be sure that it is gone?

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Viagra Hack on Church Site’ is closed to new replies.

Viagra Hack on Church Site

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics