watershawl
Forum Replies Created
Forum: Fixing WordPress
In reply to: nav-menu.php HACKED
Check out the comments on this thread for how to clean: https://wordpress.org/support/topic/js-injection-after-wp/page/2
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
growstudiomx, no, the problem is not just with HostGator, but seems to be associated with hosts that use cPanel. I use Bluehost, which also uses cPanel, but my websites on 1and1 and Godaddy were not affected.
willf, header.php is where the symptoms show up, but the cause is elsewhere. Check all of these locations in your /public_html/[domain folder]/ for files:
.htaccess
/cgi/ <- look for a .js file here – this directory should be blank
/wp-admin/css/colors/ocean/sql.php
/wp-content/uploads/title.php
/wp-includes/default-filters.php
/wp-content/themes/[theme name]/footer.php
/wp-content/themes/[theme name]/header.php
Also check your / (root) folder (the folder above “public_html”) for “payload” files, consider deleting any backups created while you were infected, and consider clearing out any cache plugins you are using.
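The checklist in the post above as a script; this is an added example, not part of the original post or of any WordPress or hosting tool. The function name and the UNEXPECTED / PAYLOAD / COMPARE labels are made up for illustration, and it assumes shell access and a `find` that supports `-maxdepth`. Because .htaccess, default-filters.php and theme header/footer files also exist on clean installs, they are listed for comparison against a known-good copy rather than flagged.

```shell
#!/bin/sh
# Added example. Usage: scan_wp_indicators ACCOUNT_HOME DOCROOT
#   ACCOUNT_HOME  the folder above public_html
#   DOCROOT       the WordPress folder, public_html/[domain folder]
scan_wp_indicators() {
    home=$1
    docroot=$2

    # Not part of a stock WordPress install: presence alone is a finding.
    for rel in wp-admin/css/colors/ocean/sql.php wp-content/uploads/title.php; do
        if [ -f "$docroot/$rel" ]; then echo "UNEXPECTED $docroot/$rel"; fi
    done

    # The post says /cgi/ should be empty; report any .js file in it.
    if [ -d "$docroot/cgi" ]; then
        find "$docroot/cgi" -type f -name '*.js' | sed 's/^/UNEXPECTED /'
    fi

    # "payload" files directly in the account root or in public_html.
    for dir in "$home" "$home/public_html"; do
        if [ -d "$dir" ]; then
            find "$dir" -maxdepth 1 -type f -iname '*payload*' | sed 's/^/PAYLOAD /'
        fi
    done

    # These exist on clean sites too, so list them for a diff against a
    # known-good copy instead of flagging them.
    for f in "$docroot/.htaccess" "$docroot/wp-includes/default-filters.php" \
             "$docroot"/wp-content/themes/*/header.php \
             "$docroot"/wp-content/themes/*/footer.php; do
        if [ -f "$f" ]; then echo "COMPARE $f"; fi
    done
}

# Run directly: sh scan.sh /home/USER /home/USER/public_html/DOMAIN (placeholder paths)
if [ "$#" -ge 2 ]; then scan_wp_indicators "$1" "$2"; fi
```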
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
Here’s an update from the cleanup service at my webhost:
Here are some examples of files that were removed or cleaned:
/public_html/[domain directory]/wp-admin/css/colors/ocean/sql.php
/public_html/[domain directory]/wp-content/uploads/title.php
/public_html/[domain directory]/wp-includes/default-filters.php
Hope this helps other people clean up their systems.
And to others’ point that it may be a local computer malware infection problem, they also said, “I would also suggest to check any PC that connects to your account here for malware, such as password stealing keyloggers or other malware and to change your main Cpanel password as well as those for any FTP accounts you have created and to remove those you are no longer using from within your cpanel.”
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
I believe this problem is possibly cPanel related. Both ddmcleod’s Hostgator and my Bluehost account use cPanel, but my other hosts, 1and1 and Godaddy, do not.
It could be that the cPanel login is getting exposed through some vulnerability. Jetpack had a cross-site vulnerability they patched 6 days ago. I’m not sure.
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
Rednas_N, if all you did is clean up the header.php file, that’s not enough. That’s just the symptom, not the cause.
Were you running Jetpack? It had a cross-site bug that was fixed 6 days ago. That could have been what let the hack in.
My web host did a virus scan on my account, found malware, and locked my site down. The malware was in many, many files.
Forum: Fixing WordPress
In reply to: JS Injection After WP 4.3.1 Upgrade
I believe these posts about computers infecting their hosting accounts have it backwards. Visiting their infected websites has infected their computers, not the other way around.
I believe this problem is not related to a vulnerability in WordPress, but in cPanel. WordPress is just a platform that is infected because of this vulnerability.
The vulnerability copies “payload” files onto the root of the cPanel’s file structure that is then executed. Search your File Manager for “payload” and you might find .php and .txt.
I am using Genesis theme on all of my sites so index.php and footer.php weren’t affected, but the header.php file was always affected. I have been manually cleaning it.
I’ve ordered a manual virus scan from my web host, Bluehost, to see if they can find anything on my account. If they find anything, they’ll quarantine my account.
It could be that the problem is actually happening on someone else’s account that is infecting your account, but this is pure speculation at this point.
Sorry, I said the payload files were in public_html, but they were a level above that in root. Is there any software you have that can do a malware scan at the root level of a cPanel hosting account? Or is that something only the web host can do?
One other thing I noticed was that I use the plugin “BackupWordpress” and there is a “backupwordpress” folder on the root of cPanel’s File Manager. I don’t think the plugin of a WordPress site should have the ability to write to that directory.
Does iThemesSecurity have the ability to scan files at the root level? I have this same problem and found “payload” files in my public_html root and edits made to my Jetpack SQL file that removed the ‘protect’ value in its table. I think it’s a cPanel vulnerability.
Forum: Fixing WordPress
In reply to: nav-menu.php HACKED
This ‘teaserguide’ problem affects all sites hosted on my Bluehost cPanel account. It comes back about every 6 days. I manually remove the javascript from the header.php file and keep updating plugins, but it keeps coming back.
I found a “payload” file mentioned in one of the logs so I searched the File Manager for “payload” and found many files in the root of “public_html”. They were a mix of .php files and .txt files. I deleted them, but I do not know to what effect.
I also found a log in ‘tmp > slow_sql’ directory that mentioned Jetpack’s protect being changed to a “214” number. I’m assuming this may be a variation of how the hack is happening: one exploit changing another exploit.
If I had to guess what is happening, something in cPanel is vulnerable and being exploited. Once exploited, a scan of all directories and users is done (I saw the userquota files), this creates a guide for the payloads. Then the payloads run.
My next step is to call Bluehost’s security team and explain what I’ve found to see if they can find the Cpanel vulnerability.
Solution: The “From:” AND “To:” fields both have to be valid Bluehost email accounts for Contact Form 7 or CformsII to work.
This caused an additional problem for me since Bluehost email forwarding services are blocked by Gmail as spam, so I have to either create an email account on Bluehost to send the email to and then check it by POP from a program like Outlook/Thunderbird or check it with POP from Gmail – OR – set up Google Apps on the domain. I found that the “To:” address can be a Google Apps account on that domain as long as the domain is hosted with Bluehost – it doesn’t work otherwise.
This is not an issue with 1and1.
Backstory: After reviewing forums and communicating with Bluehost Support, I found that the “From:” email address has to be a valid Bluehost email, but what I had to figure out for myself was that the “To:” email address also had to be a valid Bluehost email or a Google Apps email on a domain hosted with Bluehost.
Forum: Fixing WordPress
In reply to: RSS feed’s not working
THANK YOU JSPOON: This helped me figure out what was going on:
My site only has pages and no posts, and if you don’t have posts then your RSS feed will show up page not found.
Forum: Fixing WordPress
In reply to: Display list of links to posts of Tag in Archive.php
Wow, that was 2 hours of learning. Why is it that after you post things to a forum, your brain is freed to find the answer sometimes?
All I had to do was repeat the wordpress loop and only list the title and permalink, not the content.
<?php /* If this is a tag archive */ } elseif( is_tag() ) { ?>
<h2 class="pagetitle"><strong>Baked <?php single_tag_title(); ?> Recipes</strong></h2>
<?php if (have_posts()) : ?>
<ul>
<?php while (have_posts()) : the_post(); /* list title and permalink only, not the content */ ?>
<li><a href="<?php the_permalink(); ?>" class="title"><?php the_title(); ?></a></li>
<?php endwhile; ?>
</ul>
<?php endif; ?>
Forum: Themes and Templates
In reply to: Index Posts link to Archive page instead of Single Page
Try http://www.domain.com/permalink-structure/category/category-name
So if the following information is true:
domain: google
permalink-structure: blog/
category-name: soup
It would be http://www.google.com/blog/category/soup
Zack Preble has figured out how to do this.
Forum: Plugins
In reply to: Excerpt Editor Plugin… What The …?
It only works if/when “the excerpt()” code is used. I use a custom WordPress loop on my home page to show latest posts from an author named Zac:
<?php query_posts("author_name=Zac&showposts=1"); while (have_posts()) : the_post(); the_excerpt(); endwhile; ?>
The excerpt code can be inserted in any template page such as index.php, page.php, search.php, etc.