Website hacked (55 posts)

  1. abwatson
    Posted 5 years ago #

    Hi there, well, my website has been hacked and it always seems to be in the same place. But I can't seem to figure out where this hack code is in my WordPress files. It seems to always be just after my image link. Example below:

    <img src="http://abwatson.com/wp-content/uploads/2011/02/5146515283_cce1a94b75_b.jpeg" <a href="http://basicpills.com/">buy prescription drugs online without prescription</a>  alt="" title="5146515283_cce1a94b75_b" width="533" height="800" class="aligncenter size-full wp-image-680" /><br />
    <img src="http://abwatson.com/wp-content/uploads/2011/02/Picture-1-556x370.png" alt="" title="Picture 1" width="556" height="370" class="aligncenter size-large wp-image-681" /><br />

    This hack has come up time and time again. I have updated WordPress, but still it came back. I reinstalled WordPress from scratch, reinstalled plugins and reinstalled my database. Yet this hack still comes back. You can check out my website and see where it has been affected at abwatson.com. Can anyone help me out? Thanks

  2. abwatson
    Posted 5 years ago #

    I have just gone through my old theme files and there have been no changes to these files? So I'm completely lost as to where I should start looking.

    Does anyone know where the image placement function file is located?

  3. Roy
    Posted 5 years ago #

    Start with this and make sure to follow all the links in that FAQ too:

    When you've got a clean site again, read this:

    Make sure you don't use any plugins with security issues or a flawed theme.

    Also be aware that your own website can only be as safe as the least secure site on your shared server, the problem could be your host too.

  4. Daniel Cid
    Sucuri.net Support
    Posted 5 years ago #

    Those are added directly to the database, so you have to go post by post and remove them. Very annoying.

    Are you hosting on DreamHost?


  5. esmi
    Forum Moderator
    Posted 5 years ago #

  6. Daniel Cid
    Sucuri.net Support
    Posted 5 years ago #

    This kind of hack is a bit different and these instructions won't help much :)

    What we saw is that the shared server itself was compromised, allowing the attackers to inject links directly in the DB.

  7. swordof
    Posted 5 years ago #

    I have the same problem, I have cleaned all the links from the pages, it was more than 200 links.
    Do you have any solution for this?

  8. TiSiE
    Posted 5 years ago #

    They must have hacked a lot of shared servers...

    If you search "wordpress basicpills.com" in Google you get a large list of compromised WordPress blogs.

    computereducationworld.com, copyrightfreecontent.com and ibotapps.com for example...

  9. sr123
    Posted 5 years ago #

    Seems to me that the website basicpills.com has some serious answering to do for this BS. How dare they and who do they think they are? Anyone have any thoughts on how to retaliate?

    They somehow completely replaced all the hrefs, including links and anchor text, in my posts with links back to their own site.

    They have clearly done this to a lot of other sites.

  10. spinorbinmusic
    Posted 5 years ago #

    My blog is experiencing a similar hack with basicpills.com links all over. I have manually deleted the links from the first 2 pages but this is not the solution. Can anyone help? Much appreciated!

    Blog link: http://www.spinorbinmusic.com

  11. pubblivori
    Posted 5 years ago #

    Seems not a problem of the template... since we had more than 25 blogs hacked with this damn site!
    We have different versions of WP on those sites so I don't think it is a WP problem but a plugin problem..
    For some we have backups but for others not :(((
    Does anyone have some SQL to execute to clean this damn dirt?

  12. Daniel Cid
    Sucuri.net Support
    Posted 5 years ago #

    pubblivori: We have some SQL code to clean it out, basically it infects all posts in the database.

    This is what we noticed on the infected sites that we analyzed:

    1-The DB user/pass was stolen (somehow). Generally bad permissions of the wp-config.php.
    2-All were on shared servers.
    3-A new admin user name was created.

    So, the first step is to change the DB user/pass, check for malicious users and fix permissions.

    Then worry about cleaning up the spam, otherwise they will just add those again.


  13. spinorbinmusic
    Posted 5 years ago #

    I have just changed the passwords. How do I clean up the spam? Thanks much

  14. Daniel Cid
    Sucuri.net Support
    Posted 5 years ago #

    I did a quick post explaining it... We are seeing A LOT of infected sites:


    Still trying to track how they got access to the database. Can anyone affected tell us:

    -Where they are hosting
    -WP version
    -List of used plugins


  15. spinorbinmusic
    Posted 5 years ago #

    I'm currently using WordPress 3.1 but the blog was infected before the upgrade (i.e. 3.0)

    Plugins used:
    1. Advanced Excerpt
    2. Advanced Permalinks
    3. Akismet
    4. IFRAME Embed For YouTube
    5. Image Widget
    6. ShareThis
    7. WP to Twitter

    Hope it helps! Let me know if you need more information. Thanks!

  16. spinorbinmusic
    Posted 5 years ago #

    Further info:

    Looks like changing the password doesn't help at all. The latest blog entries got infected as well.

  17. pubblivori
    Posted 5 years ago #

    We have many plugins installed but the only one in common with spinorbinmusic is Akismet (so I think they got in another way).
    dd@sucuri.net do you think they used some hack to get to the MySQL via WP or did they just attack the MySQL server?
    The strange thing is that all the WP sites on a shared server were infected (but they are mounted each with its own username and password, like different users; no one can access another's space data (we decided on this to avoid things like that). It's impossible they discovered 25 different passwords, so any idea?

  18. sr123
    Posted 5 years ago #

    I have no idea how they could have gotten access to my database, but going to try to harden things. This is definitely a clever hack. We should continue to try to figure out how it was done.

    The sons of bitches managed to hit every WordPress 3+ site on my server but interestingly not some older WordPress-version sites.

    While I would like to repair the sites, I am wondering if anyone here wants to take some kind of action against the owner of basicpills.com. Can we take legal action? Or how about a DDoS in response? I don't know, I just think they shouldn't be allowed to get away with it.

  19. pubblivori
    Posted 5 years ago #

    I've sent a complaint to the hosting company's abuse department. If I don't get any answer I'll forward the email to a spam list to take some action.
    About sites.... we have many versions of WP... so I don't think it's a version problem.
    I thought also of a DDoS if the host doesn't take action on that.
    If all the infected sites do a DDoS on their full subnet, next time they will read the email. I'll keep you informed on that.

  20. spinorbinmusic
    Posted 5 years ago #

    My ultimate concern now is to remove all the spam starting from the 1st blog post and then make sure the 'virus' does not infect the rest of the posts.

    I have tried removing the links manually but it doesn't solve the problem. The 'virus' is still there, somewhere.

    I'd appreciate it much if someone will help. Thanks!

  21. sabinou
    Posted 5 years ago #

    @Spinorbinmusic: back up your DB first of course; if you need an automated removal method, I'd suggest this:


    This works ONLY for updating the contents of the posts, not other database fields; I've been using it for two years now.

    It works in my personal case for replacing ../ with the absolute URL of my blog (relative URLs are old enemies of mine); however, frank disclaimer, I never tried to replace actual source code with HTML tags, you may try to experiment to be sure it also works.

  22. pubblivori
    Posted 5 years ago #

    Yes, this could be a way.... the fact is that all the entries of the spam server must be changed (we have found that they used some combination of words).
    Another way I'm thinking of using is to export the posts into an XML file.... and after using a Perl mini-script to parse it, then clear all posts and reimport the file.
    Alternatively, for those not Perl addicted, you can edit the XML with Notepad and use search and replace.

    Mr Sucuri surely has a MySQL statement to clean the dirt but they do it for a job so I don't think they will share it for free, don't they (Mr Sucuri, try to think of a cheaper account price list; not everyone can spend all those $ for the service.... most of all if the blogs he has are free for friends ;-D)

  23. Daniel Cid
    Sucuri.net Support
    Posted 5 years ago #

    Btw, the real actions to take against them are the following:

    1-Report to Google. They do that for SEO reasons. If Google blocks them, they lose.

    2-The best way to report is to ping http://twitter.com/mattcutts on Twitter (works at Google). If more people sent him this thread and this post: http://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html they might do something.

    3-I wish I could share a clean up script, but it is integrated with our package (since it needs access to the db, has a bunch of variations, etc), and I can't share everything... Sharing only that part won't work as well because of the dependencies.

    *btw, if you can't clean up, I suggest just restoring all posts to a previous version (using the revision option).

  24. pubblivori
    Posted 5 years ago #

    3) Working on a clean script... probably it will not work 100% but surely it will clean 99,9%
    I'll post it tomorrow for free LOL :P

  25. pubblivori
    Posted 5 years ago #

    ok, here we go.
    I've already cleaned 20 of our 25 sites...
    as said, it cleans about 99,8% of **it. If you run it... I don't take any responsibility for that, you know! SO it's your own risk!
    Better would be to make it a MySQL script to execute on the server... but since it's been a long time since I did that... it was better for me... to do it in Perl and manage the XML.
    So you need to have Perl installed to run it.

    1) as suggested, check the config permissions (or the server will be hacked again). Change your password.
    2) Export with WP (Tools > Export) to an XML file. Download it locally.
    (suppose the script name is cleaner.pl)

    linux/*nix machine
    cat dirty.xml | perl cleaner.pl > cleaned.xml

    dos/windows box

    type dirty.xml | c:\perl\bin\perl cleaner.pl > cleaned.xml

    after that I suggest you open the new file and inspect it manually to see if some references to "buy", "viagra" or others are still there. You can add those keys into the script and run it again or you remove them manually.

    Once done.... return to WP.
    Delete all your posts (manually or with a plugin called Mass Post Manager)


    and now import the XML (Tools, Import, and choose the last entry, WordPress XML file).
    Now you should have all your posts cleaned and the site like before.

    In the next post I'll post the script.

    Some thoughts:

    1) it's better for you to install a plugin that does the backup (weekly) and sends it to you via email (we had installed it on some sites the day before that happened... so we had only some backups).

    2) the script could be written shorter, less redundant and so on.
    I've chosen the LONG way because I had no time to make all the tries... needed so... it was faster to add the keys. I've tried a generic clean with a short script but found it made mistakes in some ways, cutting also good links... so it was safer this way.

    Hoping that's helpful.
    If you find it useful... write me in private and as "$" I ask you to send me a postcard from your city.... with your thanks, I'll send my address.
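
An added example (not pubblivori's cleaner.pl, which was never posted in this thread, and not Sucuri's script) of the export, clean, reimport approach described in post 25 and the automated per-post replacement sabinou suggests in post 21, written in Python: it removes anchors pointing at a blocklisted spam domain (basicpills.com, the domain named in this thread) from the post bodies of a WordPress WXR export, counts what it removed, and leaves every other link alone. The sample post below is constructed and the hosts other than basicpills.com are placeholders.

```python
import re
import sys

# Spam hosts to strip; basicpills.com is the domain named in this thread.
SPAM_DOMAINS = {"basicpills.com"}
# Any <a ... href="scheme://host/..."> ... </a> pair; group 1 is the host.
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href=["\']https?://(?:www\.)?([^/"\'>]+)[^>]*>.*?</a>',
                       re.IGNORECASE | re.DOTALL)
# Post bodies in a WordPress WXR export live in <content:encoded> CDATA blocks.
CDATA_RE = re.compile(r'(<content:encoded><!\[CDATA\[)(.*?)(\]\]></content:encoded>)', re.DOTALL)

def is_spam_host(host, spam_domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in spam_domains)

def strip_spam_anchors(html, spam_domains=SPAM_DOMAINS):
    """Drop anchors (tag plus anchor text) whose href points at a spam domain.
    Returns (cleaned_html, number_removed); all other links are left untouched."""
    removed = 0
    def repl(m):
        nonlocal removed
        if is_spam_host(m.group(1), spam_domains):
            removed += 1
            return ""
        return m.group(0)
    return ANCHOR_RE.sub(repl, html), removed

def clean_wxr(xml_text, spam_domains=SPAM_DOMAINS):
    """Apply strip_spam_anchors to every post body in a WXR export file."""
    total = 0
    def repl(m):
        nonlocal total
        body, n = strip_spam_anchors(m.group(2), spam_domains)
        total += n
        return m.group(1) + body + m.group(3)
    return CDATA_RE.sub(repl, xml_text), total
# Constructed sample modelled on the injected markup quoted in post 1 (hosts other
# than basicpills.com are placeholders).
SAMPLE_WXR = ('<item><content:encoded><![CDATA['
              '<img src="http://example.invalid/uploads/photo.jpeg" '
              '<a href="http://basicpills.com/">buy prescription drugs online</a>  '
              'alt="" width="533" height="800" class="aligncenter wp-image-680" /><br />'
              '<p>Related: <a href="http://example.invalid/about/">about this site</a></p>'
              ']]></content:encoded></item>')

if __name__ == "__main__":  # usage: python cleaner.py < dirty.xml > cleaned.xml
    cleaned, n = clean_wxr(sys.stdin.read())
    sys.stdout.write(cleaned)
    sys.stderr.write("removed %d spam anchors\n" % n)
```

As in post 25, inspect the cleaned file for leftover spam keywords before deleting the old posts and reimporting it; the script only removes links whose host is on the blocklist.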

  26. pubblivori - Please post that script somewhere else (like Pastebin or your own site) and LINK to it :)

  27. pubblivori
    Posted 5 years ago #

    Here, but can I ask why?


  28. liam_cs
    Posted 5 years ago #

    We are also having this issue with some of our client sites.

    This is what I've noticed:

    Affects these versions: 2.9.2, 3.0, 3.1

    Even sites that don't get indexed by Google and that no one is linking to are still getting hit.

    One way we replicated these sites was to use the same WordPress files; if these files had been compromised, could this explain why non-linked and non-indexable blogs were getting hit?

    Here is a list of plugins that all our sites that have been hit have:

    Contact 7,
    Hello Dolly,
    Really Simple Captcha,
    User Avatar,
    WP Post Thumbnail,
    Nextgen Gallery

    Hope someone can help.

    I'll keep you updated on our progress as we try various fixes.


  29. pubblivori - Cause it blew up this thread, code wise. Also, we just don't like huge code chunks in the forum. :)

    liam_cs - To me that looks like a SERVER level hack, versus a hole in WP, as it were.

    As dd@sucuri.net said:

    What we saw is that the shared server itself was compromised, allowing the attackers to inject links directly in the DB.

    Which means there is a LOT of DB cleaning to be done :/

  30. pubblivori
    Posted 5 years ago #

    update... after cleaning and securing sites with password change, database password change, rights on file changes... this morning we have been "infected" again....
    so it seems either a MySQL problem... or a plugin problem... there is no other way to access..... the table...
    :( any idea?

Topic Closed

This topic has been closed to new replies.
