Business Think I've Been Hacked - Need Help & Advice - GoFuckYourself.com

Smack dat · 03-23-2017, 02:45 PM

So I think one of my websites has been hacked.

When you go to the home URL it opens some random site that's not mine which then redirects about 4 times before finishing on a random advert that changes each time.

I can still login via FTP and everything seems normal there.
Other sites I run hosted on the same server are unaffected.

The site runs on Wordpress. What is the quickest and easiest way to locate the hack and remove it?

Smack dat · 03-23-2017, 02:47 PM

It seems like it's something to do with a domain hack rather than server side. I initially thought my domain had expired but there is a year to run yet.

Coup · 03-23-2017, 02:48 PM

Burn everything and salt the earth. Only then will you be cleansed of the evil that has cursed you.

j3rkules · 03-23-2017, 02:49 PM

First thing, change all the passwords (vps, login into site et cetera).

Klen · 03-23-2017, 02:51 PM

Step 1
Delete wordpress
Step 2
That's it.

Fetish Gimp · 03-23-2017, 02:52 PM

Quote:

Originally Posted by Smack dat

The site runs on Wordpress. What is the quickest and easiest way to locate the hack and remove it?

First you need to determine what is causing the redirect.

Is it happening due to javascript being injected in your hompage (check the HTML of the page), or because of a hacked .htaccess file?

Once you figure out how the redirect is happening, you can try and figure out what is causing it and plan how to deal with it.

Smack dat · 03-23-2017, 02:57 PM

Quote:

Originally Posted by Fetish Gimp

First you need to determine what is causing the redirect.

Is it happening due to javascript being injected in your hompage (check the HTML of the page), or because of a hacked .htaccess file?

Once you figure out how the redirect is happening, you can try and figure out what is causing it and plan how to deal with it.

The .htaccess was the first file I checked but it's fine.

I just did a who.is on the domain and it's still showing my details but the site status shows as inactive whatever that means.

I have looked through a few files (index.php, home.php, footer.php) and can't find anything strange.

Also, all the files (within the themes folder) all show as last modified at some point last year.

Smack dat · 03-23-2017, 03:00 PM

This is the first page that loads hstraffa.com

Smack dat · 03-23-2017, 03:17 PM

Is it domain name injection?

Looking though my pages on Google I have come across a Russian page within the /videos folder.

Smack dat · 03-23-2017, 03:20 PM

Now found 30 of the damn Ruskie pages.

Freedom6995 · 03-23-2017, 03:49 PM

Quote:

Originally Posted by Smack dat

The .htaccess was the first file I checked but it's fine.

which .htaccess file? You should have one in your wp-admin folder that only allows your IP.

Smack dat · 03-23-2017, 03:59 PM

Quote:

Originally Posted by Freedom6995

which .htaccess file? You should have one in your wp-admin folder that only allows your IP.

I don't have a .htaccess in the /wp-admin folder. Just in the root directory.

Smack dat · 03-23-2017, 04:02 PM

So, from the looks of it all these pages that have been created are from the same folder /video directory.
I thought, sweet delete the directory and problem solved.

The trouble is I can't find this directory through FTP so I can only presume it's a category??
Does anyone know how to view categories in phpmyadmin so I can delete this /video folder.

Freedom6995 · 03-23-2017, 04:05 PM

Quote:

Originally Posted by Smack dat

I don't have a .htaccess in the /wp-admin folder. Just in the root directory.

I would like to hope that in the next 15 minutes that you do. ;)

Order allow,deny
Allow from (your IP here)

Bladewire · 03-23-2017, 04:21 PM

Quote:

Originally Posted by Smack dat

I don't have a .htaccess in the /wp-admin folder. Just in the root directory.

Then add this to your root directory htaccess and change 123\.123\.123\.123 to your IP address

Code:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Smack dat · 03-23-2017, 04:21 PM

Quote:

Originally Posted by Freedom6995

I would like to hope that in the next 15 minutes that you do. ;)

Order allow,deny
Allow from (your IP here)

Well yeah. If I ever get my site back.

tokmansta · 03-23-2017, 04:49 PM

These guys always place backdoors. scan your server with https://ispprotect.com/ if it's a linux box.

Fetish Gimp · 03-23-2017, 06:22 PM

Quote:

Originally Posted by Smack dat

So, from the looks of it all these pages that have been created are from the same folder /video directory.
I thought, sweet delete the directory and problem solved.

The trouble is I can't find this directory through FTP so I can only presume it's a category??
Does anyone know how to view categories in phpmyadmin so I can delete this /video folder.

There's three tables that hold WP's category info: wp_terms, wp_term_relationships, wp_term_taxonomy.

https://codex.wordpress.org/WordPress_Taxonomy

Freedom6995 · 03-24-2017, 07:07 AM

Quote:

Originally Posted by Smack dat

Well yeah. If I ever get my site back.

Only need to ftp in to set that up. Good place to start...

Smack dat · 03-24-2017, 10:32 AM

Still need help.

The content generated that is probably causing the issue is from a directory called "video" however I can find no video directory using FTP.
I then thought maybe it's a video category but I can't find one of them either.

I have even gone into phpmyadmin and been through all the posts and I can't find any of the posts Google says I have.

Anyone any ideas?

Bladewire · 03-24-2017, 10:45 AM

Quote:

Originally Posted by Smack dat

Still need help.

The content generated that is probably causing the issue is from a directory called "video" however I can find no video directory using FTP.
I then thought maybe it's a video category but I can't find one of them either.

I have even gone into phpmyadmin and been through all the posts and I can't find any of the posts Google says I have.

Anyone any ideas?

Dude just pull your backup from a week ago and restore

Freedom6995 · 03-24-2017, 11:41 AM

Quote:

Originally Posted by Bladewire

Dude just pull your backup from a week ago and restore

Backup? Wtf is a backup?

Smack dat · 03-24-2017, 03:16 PM

Quote:

Originally Posted by Freedom6995

Backup? Wtf is a backup?

Those were my exact words.

I didn't touch the site for nearly 2 years.

03-23-2017, 02:45 PM	#1
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	Think I've Been Hacked - Need Help & Advice So I think one of my websites has been hacked. When you go to the home URL it opens some random site that's not mine which then redirects about 4 times before finishing on a random advert that changes each time. I can still login via FTP and everything seems normal there. Other sites I run hosted on the same server are unaffected. The site runs on Wordpress. What is the quickest and easiest way to locate the hack and remove it?

03-23-2017, 02:49 PM	#4
j3rkules VIP Industry Role: Join Date: Jul 2013 Posts: 22,104	First thing, change all the passwords (vps, login into site et cetera). __________________ How To Build A Porn Site And Make Money \| My Best $$$ Cam Sponsor 3 Top Adult Hosting Providers

03-23-2017, 02:51 PM	#5
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,234	Step 1 Delete wordpress Step 2 That's it. __________________ For GFY administration inquiries- email info at gfy.com or send PM. For advertising inquiries - email marketing at gfy.com Inquiries which are not related to administration or advertising on GFY wont be processed.

03-23-2017, 02:47 PM	#2
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	It seems like it's something to do with a domain hack rather than server side. I initially thought my domain had expired but there is a year to run yet.

03-23-2017, 02:48 PM	#3
Coup 🚨 PBBC International 🚨 Industry Role: Join Date: Apr 2010 Location: /👁\ Posts: 9,932	Burn everything and salt the earth. Only then will you be cleansed of the evil that has cursed you.

03-23-2017, 03:00 PM	#8
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	This is the first page that loads hstraffa.com

03-23-2017, 03:17 PM	#9
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	Is it domain name injection? Looking though my pages on Google I have come across a Russian page within the /videos folder.

03-23-2017, 03:20 PM	#10
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	Now found 30 of the damn Ruskie pages.

03-23-2017, 04:02 PM	#13
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	So, from the looks of it all these pages that have been created are from the same folder /video directory. I thought, sweet delete the directory and problem solved. The trouble is I can't find this directory through FTP so I can only presume it's a category?? Does anyone know how to view categories in phpmyadmin so I can delete this /video folder.

03-23-2017, 04:49 PM	#17
tokmansta Confirmed User Industry Role: Join Date: Jan 2013 Posts: 566	These guys always place backdoors. scan your server with https://ispprotect.com/ if it's a linux box.

03-24-2017, 10:32 AM	#20
Smack dat So Fucking Banned Industry Role: Join Date: Jul 2016 Posts: 4,613	Still need help. The content generated that is probably causing the issue is from a directory called "video" however I can find no video directory using FTP. I then thought maybe it's a video category but I can't find one of them either. I have even gone into phpmyadmin and been through all the posts and I can't find any of the posts Google says I have. Anyone any ideas?