Hacked site: intermittent new tab advertising

  • Been pulling my hair out over this hack: I’m trying to fix a site that intermittently opens a new tab displaying advertising.
    Website: https://www.hatcourses.com It often only happens after being on the site for some time and clicking on lots of different pages.

    The site appears to be inserting several scripts (that are not in header.php, index.php, footer.php, or any of the template php files that I can find):

    [ Spammy ad links redacted, you do not need to share those ]

    I’ve been through all the FAQs and advice threads but to no avail.
    I’ve run malware scans on all of the major plugins: Anti-malware security, AWP antivirus, Quttera Web Malware Scanner, Sucuri Security, WP Doctor… but none have found anything of any use. Exploit Scanner plugin has also failed to find anything that (to my limited eyes) seems malicious. When I started the troubleshooting for this website, two ‘subscriber’ accounts appear to have been created – that I have now deleted. Admin passwords now also changed.

    Plugins have been updated.

    I beg the wise WordPress community for its esteemed wisdom!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I’ve been through all the FAQs and advice threads but to no avail.

    What have you tried specifically? Did you do the “slash and burn to the ground” approach?

    Thread Starter realdoctorstu

    (@realdoctorstu)

    No, I haven’t done that one. It’s not my site, so I would rather try to avoid that approach.

    I’ve followed the advice in the WordPress FAQ, and the associated links. Also read a handful of additional posts (can’t remember them all – but will get a list if you want) that have been suggested from similar threads.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    It might be worth letting your hosting providers know this is happening

    Thread Starter realdoctorstu

    (@realdoctorstu)

    Ok, I can try that.

    Thread Starter realdoctorstu

    (@realdoctorstu)

    The hosting providers got back to me and came up with what I have found:

    “I have had a further look into this and unfortunately, I was not able to find where the redirects are coming from in the site this time around, do you know when the site was last working correctly before this started redirecting?

    I ran a few searches for the links which seemed to have come up empty and only false positives being flagged up when searching for other typical malware.”

    I have found that two scripts are running on the site: apu.php and banners.js – but both of which are not on the server, but are being run from another site (“go.onclasrv.com/apu.php?zoneid=676655” and “eclkmpsa.com/adServe/banners?tid=79479_131506_0&tagid=2”) You can see the code for these by following the inks.

    I can’t believe I am the first person to encounter this problem…?

    The source page for website looks fine, try switching to different theme and see if the issue persists. Didn’t your hosting service provider give any malware files scan list?

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Hacked site: intermittent new tab advertising’ is closed to new replies.