• Hello guys

    I have a shared hosting server with many WP sites on it. One site has been hacked, or at least my suspicion is that it is an SEO hack. In Google Webmaster Tools I see thousands of search queries like porno, xnxx etc. and the top pages are all like [ deleted, please don’t post those links here ] (please do not follow this URL). When I take down the site on the server everything is normal and it’s up and running fine. When I activate it again the server crashes and in the access log I can see all these requests to these search words and URLs.

    I have set up a clean installation of WP, I have removed all plugins, changed the db password, the db prefix has been changed and many other things have been done to try to prevent this attack. I have tried many Firewall plugins and malware scanning plugins but they never find anything.

    What can I do?

Viewing 15 replies - 1 through 15 (of 22 total)
  • I’m sorry to hear that your site was hacked. The good news is that the damage is limited to just one of your sites!

    When you did the clean installation, did you delete everything in public_html or did you overwrite the existing installation? Overwriting would have left any files added during the hack. Did you carefully check your database for dangerous code?

    Use all the server side malware plugins you can find. There are many fine malware scanners but each one may not find every added or modified file.

    Do you have a malware free back up? Even if it is very old. Trying to find and remove every bad file is not an easy task.

    Here are some resources for you to look at:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    Good luck with your repairs.

    Thread Starter GretarMagg

    (@gretarmagg)

    Hi

    I removed everything in the folder when I did the clean installation, all new files.

    I have (I think) very carefully checked my database for dangerous code. There was one line in the .htaccess file that I removed and was suspicious.

    Is there a name for this kind of hack? The site is ok and does not look like it has malicious code on it… but this is just some attack on the site with search queries.

    I missed your point about search queries versus outbound links, sorry. That does make me scratch my head. Is the server still crashing? Do you think the volume of search traffic is taking the server down? Have you looked at your server logs versus Webmaster Tools to see where the traffic is coming from?

    Have you tried the plugin from WP Antivirus Site Protection (by SiteGuarding.com)? They have a free trial version. Let me know how many bad files it thinks it finds. If it finds anything, I can help you work through them quickly.

    Do you mind posting the URL for your problem site? If you prefer to not publish the site’s name, try a search for site:yoursite.com porn or any of the search terms you are finding in the logs, including the URL you mention above.

    Names for hacks are not necessarily reliable or beneficial for making any kind of repairs. As I know more, I may be able to give you a name…

    Thread Starter GretarMagg

    (@gretarmagg)

    The problem is that I can not scan this site because the server crashes when I put it back up.

    What I’m doing now is resetting all plugins and the latest version of the theme to the site to try and see if that changes anything. I had previously scanned the theme and plugins for malicious code and found nothing.

    Thread Starter GretarMagg

    (@gretarmagg)

    I can’t figure out where this traffic is coming from. In the webmaster tools I can see all these unrelated search words and URLs.

    Thread Starter GretarMagg

    (@gretarmagg)

    Resetting all plugins and the theme did not change anything. When I set the site back up live everything went down…
    How can I see where this traffic is coming from?

    Have you looked at your error log to determine why the server is crashing? If you don’t know how to get this info, maybe your hosting company will be helpful. They should be able to tell you why your server is crashing.

    They may also be able to help you get the site running. Obviously, you can’t troubleshoot the site if it kills the server.
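    To go with the advice above about reading the logs, here is an added example (not posted by anyone in this thread) that tallies an Apache combined-format access log by client IP, request path, referrer and user agent, and counts how many requests carry the search terms seen in Webmaster Tools. The log lines, IPs and keyword list are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format; not a real log from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:01:02 +0000] "GET /?s=porno HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:01:03 +0000] "GET /?s=xnxx HTTP/1.1" 200 5100 "https://www.google.com/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2016:10:01:09 +0000] "GET /index.php?s=porno%20video HTTP/1.1" 500 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [10/Mar/2016:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Search terms the thread saw in Webmaster Tools; extend for your own case.
SPAM_TERMS = ("porno", "xnxx")

def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Count requests per IP, path, referrer and user agent; count hits on the spam terms."""
    ips, paths, referers, agents = Counter(), Counter(), Counter(), Counter()
    spam_hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than aborting the whole run
        ips[rec["ip"]] += 1
        paths[rec["path"]] += 1
        referers[rec["referer"]] += 1
        agents[rec["agent"]] += 1
        # Decode %20 etc. so encoded query strings are still matched.
        if any(term in unquote(rec["path"]).lower() for term in SPAM_TERMS):
            spam_hits += 1
    return {"ips": ips, "paths": paths, "referers": referers, "agents": agents, "spam_hits": spam_hits}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("top IPs:", s["ips"].most_common(3))
    print("top paths:", s["paths"].most_common(3))
    print("top referrers:", s["referers"].most_common(3))
    print("top user agents:", s["agents"].most_common(3))
    print("requests carrying spam terms:", s["spam_hits"])
```

A referrer of google.com on the spam requests means the spam pages are already indexed under the site, while a handful of IPs or one user agent dominating the tally points at a crawler or a script rather than real visitors.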

    Thread Starter GretarMagg

    (@gretarmagg)

    Well, the thing is I’m working at the hosting company and I’m quite familiar with how things work on the server. What happens is that when the site is enabled the idle process goes down to 0% and there is nothing you can do.

    Can I send the error log to you? I do not want to post it in here. Well, maybe one line is ok; here is an example, the log is full of things like this

    Gee, what a mess! Is the IP shown one of yours (Mileweb)? Is index.php located in the root? Is ‘/var/www/html/bb/’ the proper path for your set up?

    In an effort to get the script to run (or at least not kill the server) try this set up: WordPress core installed, no plugins and no theme. Does it stop the server? If yes, disconnect the database (remove any one piece of DB info around lines 18-29 of wp-config.php). Does it still kill the server?

    Thread Starter GretarMagg

    (@gretarmagg)

    What do you mean by IP shown one of yours (Mileweb)? I don’t know this IP address and they are all different from one another in the access log.

    index.php is located in the root when the WP is set up and the path is the proper path for my set up. The folder was originally not named bb, I changed it some days ago.

    I have set up a clean WP with the plugins and themes folder empty and the server is working ok. What should I try next? Installing the theme again?

    Thread Starter GretarMagg

    (@gretarmagg)

    Sorry, I spoke too soon. In my db I had the domain name set to https://bb.endor.is and when I changed it to https://www.bokabeitan.is the server went down immediately.

    The plugins and themes folders are empty, just a clean WP installation on the server in the bb folder.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    just a clean WP installation on the server in the bb folder

    It really and truly sounds like it’s your web server that’s been compromised. Or your directories have hidden hacks in them (it’s easy to miss).

    Edit: I’m sad to say it but you really do need to go through those links posted above about delousing your site.

    Thread Starter GretarMagg

    (@gretarmagg)

    Well, there are many WP sites on this server and finding these hidden hacks in one of them might be very difficult.

    But I guess I just need to start with scanning everything on every site.

    Hi, I think a server wide scan would be a good idea.

    When you say you have many WP sites on the server, do you mean this is a shared server or do you mean that there are a number of “add on” WP sites running on the same account (sharing the same root and cPanel)? Or both?

    I understand in your last test that the site with no plugins or theme ran fine until you made a change in the database. You mentioned two domain names which leads me to believe the database you are talking about is something you use for hosting versus the MySQL DB for the problem site. Or does your setup require the domain name be added instead of localhost? Or?

    Thread Starter GretarMagg

    (@gretarmagg)

    This is a shared hosting server.

    When I took the infected site down (www.bokabeitan.is) I tried setting it up with another URL (bb.endor.is) to see if the attacks would stop; that is why I changed the site URL in the DB. Then this morning when I was testing it again everything was ok until I manually changed the site URL in the DB. So maybe the URL https://www.bokabeitan.is is the main reason for these attacks?

    But anyway, I have started to scan all the sites on the server and harden even more these installations.

  • The topic ‘Hack suspicion’ is closed to new replies.