• Resolved mllapan

    (@mllapan)


    I noticed pop-ups on my site, and I found code placed in wp-includes/template-loader.php:

    <script type="text/javascript">
        document.cookie = "wp_was_visited=1;expires=Mon, 31 Aug 2030 00:00:00 GMT;path=/;domain=[DOMAIN];";
        document.cookie = "wp_was_visited=1;expires=Mon, 31 Aug 2030 00:00:00 GMT;path=/;domain=www.[DOMAIN];";
    </script>
    <meta http-equiv="cache-control" content="no-cache, no-store, must-revalidate" />
    <meta http-equiv="pragma" content="no-cache" />
    <meta http-equiv="expires" content="Fri, 20 Mar 2014 00:00:00 GMT" />
    
    <style>
        .ground567 {
            background-color: rgba(0,0,0,.85);
            width: 100%;
            height: 100%;
            position: fixed;
            top: 0;
            right: 0;
            bottom: 0;
            left: 0;
            z-index: 10000000000000000;
            display: flex;
            justify-content: center;
            align-items: center;
        }
    
        .main456 {
            border: none;
            z-index: 10000000000000001;
            border-radius: 24px;
            display: block;
        }
    </style>
    
    <div class="ground567" id="ground325" onclick='window.open("https://cryptomf.org/", "_blank");document.getElementById("ground325").style.display="none"'>

    How did it happen that someone is editing my core files? Does this mean someone has my passwords, or did he do it another way?
    It is inside all sites, all subdomains, all WordPress installations.

    • This topic was modified 1 year, 7 months ago by mllapan.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    https://www.ads-software.com/support/article/faq-my-site-was-hacked/

    https://www.ads-software.com/support/article/hardening-wordpress/

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter mllapan

    (@mllapan)

    Hi, @sterndata.

    I had a backup created earlier. I simply asked the hosting provider to reinstall the hosting, restored the backup, and changed the passwords.
    I hope this will do the trick.

    I noticed it was a kind of malware that used a GLOBAL function to reach htaccess.
    So, yeah, it probably reached my main htaccess on the server, and was able to change files from there.

    @mllapan

    Could you share your plugin list for the affected sites? Or do you know which plugin might’ve been the cause?

    We’ve seen an attack leading to the same spam popup and are wondering about the attack vector.

    I’m also seeing this same hack on 12 sites on the same IONOS 1&1 server. No themes or plugins in common across the site, so I suspect mllapan was right about them accessing the main htaccess in the server. Would be interested to know if anyone has pinned down a source!

    Thread Starter mllapan

    (@mllapan)

    I would have to admit that my infection came from a nulled plugin.
    My habit was to test themes and plugins on testing.domain.com, where I would use the My Private Site plugin to keep the site private, and then decide whether the theme or the plugin is good enough to spend money on.
    This is because many of those are not available for testing or have demos where you could log in and actually test the functionality.

    I always thought it was fine to do this on an online server, and that if it got infected it would stay on that particular subdomain, but it seems that is not the case, at least not for those of us who have hosting which includes htaccess in the main folder as well.

    Since this happened I just avoid every theme and every plugin that does not offer me fully testable demos, and I buy the ones that do.

    • This reply was modified 1 year, 5 months ago by mllapan.
  • The topic ‘Does this means someone hacked my passwords or it is coming from other things?’ is closed to new replies.
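
A check for the injected snippet quoted in the first post, as an added example that is not part of the original thread: it walks a shared hosting root, finds every WordPress install under it (including ones nested in subdomain folders), and reports which PHP files contain strings from that snippet. The function names, the size limit and the hosting-root argument are assumptions; the marker strings are copied from the post.

```python
import os
import sys
from pathlib import Path

# Strings copied from the injected snippet quoted in the first post.
MARKERS = (b"wp_was_visited", b"cryptomf.org", b"ground567", b"main456")
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip anything larger than 5 MiB


def owning_install(path, installs):
    """Return the deepest WordPress install directory containing path, or None."""
    owners = [i for i in installs if i in path.parents]
    return max(owners, key=lambda i: len(i.parts), default=None)


def scan_hosting_root(hosting_root):
    """Map each install under hosting_root to [(relative file, markers found)]."""
    root = Path(hosting_root).resolve()
    # An install is any directory that holds wp-includes/version.php.
    installs = [p.parent.parent for p in root.rglob("wp-includes/version.php")]
    report = {i: [] for i in installs}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if path.suffix.lower() != ".php" or path.is_symlink():
                continue
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            found = [m.decode() for m in MARKERS if m in data]
            if found:
                owner = owning_install(path, installs)
                rel = path.relative_to(owner or root).as_posix()
                report.setdefault(owner, []).append((rel, found))
    return report


def infected_installs(report):
    """Sorted list of install directories with at least one hit."""
    return sorted(str(k) for k, v in report.items() if v and k is not None)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for install, hits in scan_hosting_root(target).items():
        for rel, found in hits:
            print(f"{install or '(outside any install)'}: {rel}: {', '.join(found)}")
```

A clean result only means these exact strings are absent from the scanned PHP files; comparing core files against a fresh WordPress download of the same version is the stronger check.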