• Earlier today the site I manage went down with an Error 500. I was given a Fatal Error in line 2 of the includes/core/class-cron.php file. When I went to inspect it against a clean version of your plugin, I found several extra lines of code before your code started.

    I’m not saying your plugin is at fault. Maybe a hacker got in another way. I do have the infected plugin zipped on my Dropbox if you want it.

    I figure it isn’t wise to make it public. Would you like to see the plugin to check for security flaws?

    Just offering, and as I said, I am not blaming the plugin, but this is where I found the bad code.

    Let me know what you want to do with it.

    Bryan

Viewing 2 replies - 16 through 17 (of 17 total)
  • @dadadourav or anybody else who is facing the same problem of their WordPress site always redirecting to tuniaf[dot]com and tityx[com]

    —————-

    I faced the same problem 4 days ago, and this is how I fixed the issue of my WordPress site always redirecting to tuniaf[dot]com.

    If my explanation isn’t clear enough or you have something to ask, don’t hesitate.

    How to Clean your WordPress site:

    Before you attempt to do number 2 and so on, I encourage you to install and use Visual Studio Code or Atom to help you find malicious code more easily by searching across all folders and files inside your WordPress (and of course, download your site’s folder by zipping it as one archive file and check it offline, and remember you will need it later).

    1. Permanently delete the ultimate-member plugin directory inside your wp-content/plugins/
    2. Follow the instruction inside the link above!
    – Delete all PHP files inside wp-content/uploads/ultimatemember/temp/, and exclude the directory wp-content/uploads/ultimatemember/ and its subdirectories from PHP execution, or if your web server / cPanel has an antivirus, you can quarantine it.

    3. Inside your themes directory, search for _common.php (in my case, I found it under wp-content/themes/publisher/header/_common.php; screenshot: https://ibb.co/nLg4yU).
    If you find the same code, it is safe to delete it all or delete the file.

    4. Open your VS Code -> Open Folder (choose your site folder), click on the ‘search’ icon at the left corner of your VS Code tab and type “var po”. You will find that maybe hundreds of your jQuery or JavaScript files are infected (screenshot: https://ibb.co/bE2Yxz). Then search for “var need_t” (var need_t is under var po); they are the 2 lines at the top of your jQuery files.

    The code “var po =” and “var need_t =” is placed at the top of your jQuery or JS code. Remove it everywhere; you can use VS Code to remove it from all jQuery files by using the built-in Search function of VS Code, or you can of course remove it one by one.

    5. Check your database, as it might be infected as well: export your database, open it with VS Code and search for “db.allyouwant.online”. If you find it, it means your database got infected as well (screenshot: https://ibb.co/jUCGHz).

    You can delete them all with one or two clicks using the built-in Search function of VS Code, but before you do that, back up or duplicate your infected database.

    6. Be sure to clean your server too, if you are using managed or shared hosting, contact your hosting provider, if you are not, clean it yourself.

    Once everything is clean, archive your clean WordPress files and re-upload them to your server using an FTP client or the cPanel File Manager. Delete your database and re-upload the clean one.

    Thanks to Sucuri’s staff, who provided us with helpful insights.

    Security plugins are a MUST. If your core files have been compromised, running a core file replacement will replace your compromised files with a new clean version from WordPress. This can be done quickly via WP-CLI if you have shell access. I’d recommend making a backup before doing so.

    This replaces just your core files, leaving everything else intact:
    https://developer.www.ads-software.com/cli/commands/core/

    Many of our clients use WP Cerber in place of WordFence and unlike most hosts, we do not actively recommend WordFence to our Customers: https://www.ads-software.com/plugins/wp-cerber/

    Our statistics show that our clients using WP Cerber generally request assistance less often for WordPress security-related and resource issues than our clients using WordFence Security – take that as you will.

    Plugins like iThemes Security can easily find backdoors and then you can remove them manually.

    Our customers also use Site Lock website security. We provide this free of charge to our hosting customers, but you can ask your current web host if that’s an option for you. It helps to layer your security from the ground up.

    Although we clean our customers’ websites for free, Sucuri has a really good guide on cleaning WordPress sites after a hack for those of you who have little support from your current web host: https://sucuri.net/guides/how-to-clean-hacked-wordpress

    They also have a free online malware website scanner: https://sitecheck.sucuri.net/

    After running a core file replacement, you will want to check your database to ensure there aren’t any suspicious entries. Most of the time they are quite obvious and you can manually remove them using phpMyAdmin. Aside from the obvious, look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.

    The security layer model we recommend:

    Site Level
    – WordPress backups
    – WordPress security plugins
    – .htaccess
    – Hide your WordPress login page or password protect the page

    Server/WebHost Level
    – Website backup
    – Database backup
    – Firewall
    – mod_security
    – Antivirus

    Third Party
    – Website security integration (Site Lock, Sucuri etc.)
    – Live site monitoring

    Good luck. Hope this helps.
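As an added illustration (not code from anyone in this thread), the following Python script runs the checks from both replies above offline over a downloaded copy of the site: the “var po” / “var need_t” lines at the top of JS files, PHP files left in the Ultimate Member temp uploads folder, the eval / base64_decode / gzinflate functions in PHP, and the db.allyouwant.online host inside a database dump. The helper names are my own, and the small site tree it builds is constructed purely for the demonstration.

```python
import os, re, tempfile

# Indicators named in the thread above; helper names are my own.
JS_MARKERS = ("var po", "var need_t")            # injected lines at the top of JS files
PHP_FUNCS = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(")
DB_MARKER = "db.allyouwant.online"               # redirect host seen in database dumps
UPLOAD_TEMP = os.path.join("wp-content", "uploads", "ultimatemember", "temp")

def scan_site(root):
    """Walk a downloaded site tree; return sorted (reason, relative_path) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".js"):
                # The thread says the two injected lines sit at the very top of the file.
                head = "\n".join(text.splitlines()[:5])
                if any(marker in head for marker in JS_MARKERS):
                    findings.append(("injected-js-header", rel))
            elif name.endswith(".php"):
                if rel.startswith(UPLOAD_TEMP):          # PHP should never live here
                    findings.append(("php-in-uploads-temp", rel))
                if PHP_FUNCS.search(text):               # triage hit, not proof of malice
                    findings.append(("suspicious-php-function", rel))
            elif name.endswith(".sql") and DB_MARKER in text:
                findings.append(("db-dump-redirect-host", rel))
    return sorted(findings)

def build_sample_site():
    """Constructed fixture: a tiny site tree with clean files plus the indicators above."""
    root = tempfile.mkdtemp()
    files = {
        "wp-includes/js/jquery/jquery.js": "var po = 1;\nvar need_t = 2;\n(function(){})();\n",
        "wp-content/themes/t/script.js": "(function(){ var x = 1; })();\n",
        "wp-content/uploads/ultimatemember/temp/x.php": "<?php echo 'x';\n",
        "wp-content/themes/t/header/_common.php": "<?php eval(base64_decode('QUFBQQ=='));\n",
        "wp-content/plugins/ok/ok.php": "<?php echo 'clean';\n",
        "backup.sql": "INSERT INTO wp_options VALUES ('x','https://db.allyouwant.online/');\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel.replace("/", os.sep))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run scan_site() against an unzipped copy of the real site (and the exported .sql file placed inside it) and review each hit by hand before deleting anything; the function-name check in particular will also flag legitimate plugin code.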

  • The topic ‘Appears UM got hacked on my site’ is closed to new replies.