Be careful! This plugin has dangerous bugs, which allow an injection that redirects your site to a dangerous infected site.
In one of the database tables, “pts_tables”, in the column “html”, this code is injected with a hidden charcode link redirection:
And nobody does anything about it.

The Plugin loads new Posts into the page and the links of the new posts won’t get a leave notice.
I’ve tried adding the class “external” to all new anchors added in the click-event, but it doesn’t affect them anyway.
Have you similar problems anywhere? Or a solution instead?
thanks,
Harry
PM for link of website

The hack redirects me to another website; it also constantly inserts the Adblock Blocker in admin, which shows up after a few seconds.
The script in admin is loaded externally from atlantai.site
First things first: I am not giving you or providing you with a complete solution, nor am I claiming my method would fix the problems arising from hacks. I accept no responsibility whatsoever for any damage you may bring to your site by following my method in full or in part. Be advised that this method is written to give the reader an idea of how to clean up a hacked installation. Be very careful, do your research and ask for professional help if needed.
Recently I had come up with a chain of attacks on sites from those hackers who specially operate by way of using backdoors to upload, amend and delete files.
They put files or code into folders or databases. These are then called automatically in a loop to inject and modify the core files in order to achieve their ill intention. Even if you find a file and delete it, the infection would not be cured, because there are a lot more inside your account to restart the hacking process.
Make sure that your PC or laptop is clean and don’t use an infected local copy of any installation or file/folder.
To begin with, I hope you have a clean backup already; you might need it to start a clean installation, which I would not recommend. A clean installation would not cure the infection, nor would it eliminate any threat hidden inside the database/tables.
Making clean backups on a regular basis is a must, and it would be a good idea to start doing it after cleaning the database, folders and files though.
1. Change all the passwords associated with your website. The passwords for Control Panel (CP), database users and WordPress installation(s) must be changed to much more complicated ones, different from each other.
2. Put your website into “Maintenance” mode (use plugin if required) to inform your visitors about the work being carried out. This will give them assurance too.
3. Go to your CP and analyse the LOG files. You will see a batch of IP numbers attempting to access admin, upload and/or content, include and update/upgrade sections of the site. They are trying to gain control. Make a list of those IPs and ban them (.htaccess would be good). Ask your provider to do it if you are not familiar with the process. Bear in mind that most of the IPs are in the same range; it would be good to ban them in this format: 123.456.*.*
4. From WordPress admin area update installations (main, sub folders) including themes and plugins. Delete those themes or plugins you don’t use.
5. Install scanning and protection plugins (such as Exploit Scanner, Sucuri Security, BulletProof Security) and do a deep scan. Study the results, delete suspected files or modify them accordingly.
6. Injected codes are hidden out of your sight. When opening a file in your editor scan the whole page, not only the visible part. Use right-left and up-down buttons to access the whole page.
7. The hard part: start looking into every folder (use FTP or go directly from the CP) and see if any unknown files exist in the folders. Delete them immediately. You could find files imitating the WordPress naming, like wp-setup-admin.php etc.; delete them right away. Some image, java or html files are also being uploaded by hackers; delete them too.
8. Go to the CP, open your phpMyAdmin and look at the database and table names. Some of them are not associated with any of your live installations; delete them.
9. In every single database, search for “base” and “base24” and on the results page delete all those entries containing these terms. Be aware that some themes or plugins may use these terms; do not delete any of these if you are not sure. Check with the authors, or search the internet to see if they are legitimate.
10. Wait for a few hours, then check the log files again. If everything looks fine, contact the search engines or ISPs who have put your site on their blacklist (hope they haven’t).
11. To stop being hacked again, you can’t do much because it is a fight between providers and hackers. You sometimes get hacked by other accounts in a shared hosting (where caging is not in use or is breached).
You would be better off keeping your installations up to date and not installing any third-party applications which are not legitimate or haven’t been proven to be safe. The rest is up to the providers and their security.
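
A sketch of the manual file review in steps 6 and 7 above, added here as an example and not part of the original post: it flags code hidden behind long runs of whitespace, evaluated encoded strings and long charcode lists. The indicator patterns, the 80-character whitespace threshold and the sample strings are assumptions of this example; hits are leads for manual review, not proof of infection.

```python
import os
import re
import sys

# Heuristic indicators (assumptions of this example, not a complete signature set).
# Legitimate themes and plugins can match too, so review every hit by hand.
INDICATORS = {
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "charcode-string": re.compile(r"String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}"),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
# Step 6: code pushed out of the editor's visible area by a run of spaces or tabs.
OFFSCREEN = re.compile(r"[ \t]{80,}\S")
EXTENSIONS = (".php", ".js", ".html", ".htaccess")


def scan_text(text):
    """Return (line_number, indicator_name) pairs for one file's content."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        hits += [(number, name) for name, rx in INDICATORS.items() if rx.search(line)]
        if OFFSCREEN.search(line):
            hits.append((number, "code-after-whitespace-run"))
    return hits


def scan_tree(root):
    """Yield (path, hits) for every file under root that has at least one hit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_text(handle.read())
                if hits:
                    yield path, hits


# Constructed samples: an untouched file and one with a harmless stand-in payload.
CLEAN = "<?php\nrequire_once __DIR__ . '/admin.php';\n"
INJECTED = ("<?php" + " " * 120 + "eval(base64_decode('" + "QUJD" * 60 + "'));\n"
            "require_once __DIR__ . '/admin.php';\n")

if __name__ == "__main__":
    for found_path, found_hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(found_path, found_hits)
```

Run it against a copy of the site's files and compare each flagged file with a fresh download of the same WordPress, theme or plugin version before deleting anything.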

site is lifelinelab.in
One of my WordPress installations appears to be continually hacked. Core WordPress files are being modified and changed. The PHP code is actually being changed. New PHP code is being injected into specific files. I have no idea how this is happening. It appears to be some kind of exploit directed specifically at a plugin or something else.
For example, the following code was somehow added into
wp-admin/network/settings.php:
[ Malware deleted ]
I installed WordFence to identify changes to files because my server was being added to blacklists from spam originating from Base64 encoded php files in random wordpress directories. It’s only happening to this installation of WordPress. This installation belongs to one of my clients on my shared server. I have already changed the MySQL and main admin logins and passwords, cleaned it up originally using WordFence, and now it’s back today.
Any idea what I should do? I have already updated WordPress to the latest version, all of the plugins to the latest version, and all of the themes as well to the latest version. Whatever exploit they are using, I have no idea.
This installation is running the following activated plugins:
Can anyone help?

Replaced both files and within 24 hours, sometimes less, here it is again.
Can anybody work out what it actually does and where it might be coming from?
All scans say the site is clean, and server logs are not helping me.
https://www.ads-software.com/plugins/wordfence/

Your 1&1 hosting account has been attacked via an insecure PHP script you installed on your webspace. You will find an analysis of the attack and instructions on how to secure your webspace against future attacks in this e-mail.
1. Analysis of the attack
1.1 Your following software allowed hackers to misuse your webspace: /kunden/homepages/21/d335407014/htdocs/dancemagic/wp-content/themes/InStyle/epanel/page_templates/js/fancybox/jquery.fancybox-1.3.4.pack.js
1.2 In order to impede further attacks, we have disabled these files. Please note that part of your websites may be impaired.
1.3 You will find information on the technique the hackers used on:
https://en.wikipedia.org/wiki/Remote_File_Inclusion
https://en.wikipedia.org/wiki/Code_injection#Include File Injection
2. Required measures
In order to reactivate your websites and re-establish the security of your 1&1 account, replace your following software with an updated and secured version: > You will further information on:
Please note: Hackers will very probably return to your website. This means that the attack will reoccur as long as this piece of software is not updated.
IMPORTANT: Such attacks represent a serious danger for your webspace. In the future, please check the websites of your software vendor for security alerts and update notifications on a regular basis.
PLEASE HELP!
I have completely emptied my root directory and reinstalled from a known clean back up and yet when scanning the website it still shows that I have malware and injected code from using something called IFRAME.
I am not a newbie in terms of web development but in dealing with something like this I have little to no experience.
Any advice would be welcome.
Thank you for your time

WOW Gold,Fashion CIEE,Fashion Bags,Health Tips,Fashion Clothing,Fashion Costumes,Study
However, my website has nothing to do with this! I keep getting emails from people saying that they are getting warnings from their Anti-wire programs that say malware is detected when they try to access my website.
How can I diagnose this and find out where the problem is?
Thank you!