• Dear wordpress users,

    My website has been compromised with some kind of malware. Malicious links are popping up in scripts daily. Google has notified me by email and blocked my AdWords.

    The script that is popping up is being inserted into the Contact Form 7 script, I think. It looks like this (click link): malicious code in html – the malicious link in the code is “https://www.wp6.xyz/jquery.min.js”

    My hosting provider hasn’t got a backup from before the problems began.

    Steps I’ve taken so far (which didn’t help):

    1. Replace wordpress core files
    2. Delete and reinstall plugins (including contact form 7)
    3. Scans with Sucuri and Wordfence – nothing found
    4. Updating theme files
    6. Replaced secret keys in wordpress
    7. Deleted cache plugins and cloudflare caches
    8. Searched through the database for the malicious link, finding it in the table wp_options (different prefix) in the option_name wordpress-https_unsecure_external_urls

    with the code: database code with malicious link. Dropping this line doesn’t make any difference.

    Still the problem exists, costing me a lot of money.

    What are the next steps to take?

    Thanks for your help!
    Kind regards
    Ruben

Viewing 15 replies - 1 through 15 (of 17 total)
  • Sounds like you’ve taken lots of logical steps there. I would also suggest that you:

    • scan your local machine both with a local and online scanner
    • change all passwords (WordPress/cPanel/database/FTP)
    • check the database for unknown users with admin rights
    • talk to your host if on a shared hosting (there could be others infected on the server)
    • install and scan your site with GOTMLS
    • check your .htaccess file
    • upload your site to Virus Total for analysis
    • review the WordPress codex on being hacked

    Good luck!

    Thread Starter Zentyth

    (@zentyth)

    thanks for your reply!

    * local machine is fine
    * all passwords are changed
    * no other users in wordpress database
    * already checked with the host, who said he ran a virus check; nothing there
    * I’ve already reviewed the WordPress codex

    Now I’m scanning with GOTMLS and see some things coming up, including the Contact Form 7 JS script that is being flagged. Will post the details after scan completion.

    I’ve got the identical problem Zentyth and just can’t figure out how to remove the script. Did a scan with GOTMLS and nothing came up as malware. Just commenting to see if you manage to solve it. Will report back if I’ve been able to

    Think I might have isolated the issue to a plugin called ‘Go – Responsive Pricing & Compare Tables’. Link seems to have disappeared from various pages on my site, after I disabled this plugin.

    Hi Guys,
    Same issue – adwords account site blocked today with malicious code “https://www.wp6.xyz/jquery.min.js”.

    Still trying to isolate the issue, will post back if I have any news.

    Hi Guys,

    To add some notes…

    I have also noticed in addition to the original URL posted, “https://www.wpsource.org/jquery.js” is in some pages.

    We use cloudflare for all our page caching – after clearing the cache on ‘infected’ pages, the page comes good on a refresh.

    Cleared the whole cache to test, still no good, seems that 50% of my pages have the bad url to jquery.js

    Hi Guys,

    Just so you know, I was able to fix this problem.

    Using the String Locator to find the bad strings
    https://www.ads-software.com/plugins/string-locator/

    Either disable or remove the bad strings.

    Also, for reference
    https://blog.sucuri.net/2015/05/fake-jquery-scripts-in-nulled-wordpress-pugins.html

    Hope this helps

    I just did a new definition update and it should find this fake jquery code now.

    Nattheman,

    Can you tell me what words you used in String Locator to locate the fake script? I’m having the same problem, but I can not find and remove the script.

    Thanks for your help.

    Hi Vini,

    I would suggest you first install and do a full scan with Eli’s plugin

    https://www.ads-software.com/plugins/gotmls/

    Just make sure you register the plugin first and then download the latest definitions.

    Do a full site scan to see if any threats are detected.

    If this doesn’t work, scan your site using the String locator for “wp_func_jquery”

    Hi Nattheman, thank you very much! I’ll try the gotmls plugin

    Hi Nattheman and Eli!

    GOTMLS works! Easy! Thank you very much!

    hehe, no problem – you should credit a review to GOTMLS plugin though
    Eli was very responsive to me when I first had this issue yesterday.

    Hi Guys,

    I have the exact same problem. At first, I thought it was the cached files stored on my server. I deleted all of them and disabled the W3 total cache plugin. Now, since I have been using WP Fastest Cache the problem returns.

    I am using premium plugins and a premium theme. I used the GOTMLS plugin to scan my website, and yes it has found “potential threats”. The point is, GOTMLS is directing me to this piece of code (for example):

    eval('(' + text + ')');

    In my opinion, this isn’t a threat.

    I contacted Google AdWords, but unfortunately they cannot/won’t put me through to their technical department. The reason why is:

    I scanned my site with 2 premium anti malware software programs, with 7 online software, my hosting provider searched my site and I downloaded my website and scanned it with Notepad++ for several ‘malicious code’. Nothing came up.

    I hope Google will give my website a green light or else I haven’t got a clue what I should do next.

    Hi Timmiieehh,

    It’s highly likely that this problem has nothing to do with the caching plugin you are using (unless the plugin you’re using has compromised code in it).

    Best way to test would be to disable the caching plugins and then check 5 – 10 random pages/posts on your site to see if the malicious code is still visible.

    If this doesn’t work, disable all plugins and enable them one by one, checking 5 – 10 random pages each time you enable a plugin to try and find the bad plugin.

    When checking pages also ensure that you’re not logged in as an admin – my suggestion is to use Firefox or Chrome incognito mode.

    If you’re using GOTMLS, ensure you’ve registered the plugin and downloaded the latest updates before scanning.

    Personally I used String Locator https://www.ads-software.com/plugins/string-locator/ and searched for the string wp_func_jquery

    Hope this helps.
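
Added example (not part of the original posts, and not code from String Locator or GOTMLS): a Python version of the two checks the replies describe, searching site files for the strings named in the thread and listing jQuery-named scripts that a logged-out page loads from hosts outside an allow-list. The function names, the allow-list and the sample page are assumptions constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator strings quoted in the thread above.
INDICATORS = ("wp_func_jquery", "wp6.xyz", "wpsource.org")

# Constructed sample of a rendered page (what a logged-out visitor receives).
SAMPLE_PAGE = """<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.wp6.xyz/jquery.min.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>"""


def scan_tree(root, exts=(".php", ".js")):
    """Return (path, line_no, indicator) for every indicator hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    hits += [(path, no, i) for i in INDICATORS if i in line]
    return hits


class _ScriptSrc(HTMLParser):
    # Collects the src attribute of every <script> tag in the page.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def foreign_jquery(html, allowed_hosts):
    """Return script URLs named like jQuery but served from a host not in allowed_hosts."""
    parser = _ScriptSrc()
    parser.feed(html)
    bad = []
    for src in parser.srcs:
        url = urlparse(src)
        host = (url.hostname or "").lower()  # relative URLs have no host: same-site
        if host and host not in allowed_hosts and "jquery" in url.path.lower():
            bad.append(src)
    return bad
```

Run `scan_tree` against a downloaded copy of `wp-content`, and feed `foreign_jquery` the HTML of several pages fetched while logged out, with caches cleared first so the result reflects what the server currently generates.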

  • The topic ‘Site has been compromized’ is closed to new replies.