I’m pretty keen to resolve this with the help of the community. Any assistance will be greatly appreciated!
Cheers!

Thanks to Wordfence, I found the guilty PHP that the hackers had installed that injected spammy content and redirects for Google to find — which of course they did, which is how I found out.
Here’s a list of what I’ve done:
1) Installed Wordfence Premium, adjusted firewall settings and scanned repeatedly to delete two nasty PHPs, including one called compartmentalize-casements.php, which apparently is what pulled the spam from offsite.
2) Reinstalled pre-hack backup data, plugin and other files via UpdraftPlus.
3) Tested, tested and retested the site.
My problem? The site now doesn’t feed spam, and still runs fine to the viewer. But crawlers like googlebot and bing can’t see the pages or read my robots.txt files, because something is still installed trying to send them to the offsite spam-feeder.
Here’s a transcript from the Bingbot:
HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 29 Feb 2016 23:09:04 GMT
Keep-Alive: timeout=5, max=100
Content-Length: 413
Content-Type: text/html; charset=iso-8859-1
Server: Apache
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /compartmentalize-casements.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache Server at phineasswann.com Port 80</address>
</body></html>
Anyone have any ideas of where I might find the code that’s generating this? I’m not a PHP programmer, so I don’t know if it might be somewhere in a CSS stylesheet or somewhere else.
Wordfence scans are telling me I’m clean, but clearly there’s something still left behind that’s directing the crawlers away from the true page content.
https://www.ads-software.com/plugins/wordfence/

Then the other day I decided to check all the pages, and sure enough, the code appears on all of them. This prompted me to check the footer.php file, but the code isn’t there either.
Here’s the code in question:
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementsByTagName("a"),t=document.createElement("textarea");for(i=0;l.length-i;i++){try{a=l[i].getAttribute("href");if(a&&a.indexOf("/cdn-cgi/l/email-protection") > -1 && (a.length > 28)){s='';j=27+ 1 + a.indexOf("/cdn-cgi/l/email-protection");if (a.length > j) {r=parseInt(a.substr(j,2),16);for(j+=2;a.length>j&&a.substr(j,1)!='X';j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}j+=1;s+=a.substr(j,a.length-j);}t.innerHTML=s.replace(/</g,"&lt;").replace(/>/g,"&gt;");l[i].setAttribute("href","mailto:"+t.value);}}catch(e){}}}catch(e){}})();
/* ]]> */
The result is that when someone plugs information into the form, that information is erased (or sent somewhere else, which is even worse, since it could potentially capture private information), and the user is bumped back to the home page of the site.
So my question is, does this plugin work on code like this, and will it restore my site’s original functionality? I’d rather not download and install the plugin only to find out I’ve wasted my time.
Thanks.

My website went to another site [removed] screen all of a sudden. My host put malware on all my files on the root. I’m trying to figure out, as a non-expert, where and what the hell is ff’ing about with my website.
Any suggestions on how to tackle this? Is there a way for me to clean my site again?
My site btw is: www.waftb.com
It seems to work on a PC, not on an Apple phone.
Hope you guys can shine light on this dark matter! Thanks in advance!
Claus

I’ve had notifications on two of my clients’ websites to advise of an admin login, using my user account but from another country on a date and time that I didn’t login.
I’ve since checked the sites, carried out a Wordfence scan which identified an altered/unknown file in the theme, deleted it and then re-scanned to make sure that nothing else was found.
On one of the websites, I decided to add a new admin user account for me to use but when I tried to delete my original user account it led to a 500 error that affected all of the admin pages but not the front end of the site.
I haven’t tried this with the second site, as yet, but thought I’d ask here, first.
Any ideas as to what has happened and what I need to do about it?
Thanks in advance for any help.
Regards,
Steve Bimpson

I’m sure this topic has been covered dozens of times, but–I’m quite sure a client of mine had one of his sites hacked and after doing regular security scans, we come up with nearly 200 potentially malicious files. I’ve been in touch with others about what to do and how to clean up, replace, delete etc. but I’ve only gotten so far.
One immediate question I have is: should there be ANY .php files in my uploads folder? If not, am I safe to delete?
Thanks in advance for your responses
Dane

I cannot access the site now and am presented with a dialogue box asking me to choose a language when I visit the site URL.
The URL for the site is https://www.juneahrens.com.
The malicious file in question is described below.
###
File appears to be malicious: wp-config.php
Filename: wp-config.php
File type: Not a core, theme or plugin file.
Issue first detected: 10 hours 15 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “\x65\x76\x61\x6C\x28”.
###
Any help would be greatly appreciated!

My site https://www.sarkarijobsresult.com
is showing an unwanted popup, and its address is “https://www.adcash.com/script/packcpm.php?r=36910”.
This is the address that shows when we click any link on my site, and after some time this address redirects to another web address.
So please, can someone tell me how to deal with this problem?
Thank you.

Is there any way you guys could point me in the right direction on this?
My site: https://www.simplefix.net. Funny, because it’s an IT site for computer repair, but I’m totally stumped. My Google PageSpeed Insights shows 86/100 for desktop and 58/100 for mobile. https://developers.google.com/speed/pagespeed/insights/?url=http%3A%2F%2Fsimplefix.net&tab=mobile
Any ideas?
Thanks!