• Resolved PL

    (@paris3)


    My site has been hacked and my hosting company keeps telling me it’s perfectly fine and won’t help just because nothing shows up on Sucuri Site Check. Wordfence has found all these new issues, including a back door and various infections. I just realized the hacker deleted my Yoast SEO plugin and the problem list includes plugins I don’t have/never installed. I see that there are things whitelisted in Wordfence that I never approved either. Even things that I don’t even use on my site and never have. I have no idea how to fix any of this myself. I’ve taken all the security measures that everyone says to do to secure a site from the beginning and yet this is happening. Here are the issues Wordfence is showing:

    File appears to be malicious: wp-includes/js/jquery/ui/dirs58.php
    Filename: wp-includes/js/jquery/ui/dirs58.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘m7f2ce’][75].$GLOBALS[‘m7f2ce’][55].$GLOBALS[‘m7f2ce’][72]”. The infection type is: supp2 infection
    Tools:View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    File appears to be malicious: wp-content/wflogs/error.php
    Filename: wp-content/wflogs/error.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “$yjr=$_COOKIE; $xib=$yjr[jctc]; if($xib){ $pdzcp=$xib($yjr[pbaq]);$ustr=$xib($yjr[mxrs]);$voup=$pdzcp(“”,$ustr);$voup(“. The infection type is: G212 – variation 2

    Tools:View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    File appears to be malicious: wp-content/plugins/wordpress-seo/wp-seo.php
    Filename: wp-content/plugins/wordpress-seo/wp-seo.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($b5196aa[$j24c0b1c3[‘ye46ba088’][27”. The infection type is: Backdoor

    Tools:View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    File appears to be malicious: wp-content/plugins/wordpress-seo/frontend/search70.php
    Filename: wp-content/plugins/wordpress-seo/frontend/search70.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘oe4bbc9’][26].$GLOBALS[‘oe4bbc9’][63].$GLOBALS[‘oe4bbc9’][69]”. The infection type is: supp2 infection

    Tools:View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    File appears to be malicious: wp-content/plugins/wordfence/lib/menu_whois.php
    Filename: wp-content/plugins/wordfence/lib/menu_whois.php
    File type: Plugin
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($g889c997[$r2d67ab[‘v899ef’][24”. The infection type is: Backdoor

    Tools:View the file. Restore the original version of this file. See how the file has changed.
    Select for bulk repair
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    File appears to be malicious: wp-content/plugins/mojo-marketplace-wp-plugin/tests/title.php
    Filename: wp-content/plugins/mojo-marketplace-wp-plugin/tests/title.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@$GLOBALS[$GLOBALS[‘db2524928’][95].$GLOBALS[‘db2524928’][32].$GLOBALS[‘db2524928’][78]”. The infection type is: supp2 infection

    Tools:View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    File appears to be malicious: wp-content/plugins/jetpack/class.frame-nonce-preview.php
    Filename: wp-content/plugins/jetpack/class.frame-nonce-preview.php
    File type: Plugin
    Issue first detected: 10 secs ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “eval($qd23264[$lbef4fa8c[‘of4d4eaf7’][3”. The infection type is: Backdoor

    Tools:View the file. Restore the original version of this file. See how the file has changed.
    Select for bulk repair
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    Unknown file in WordPress core: wp-includes/js/jquery/ui/dirs58.php
    Filename: wp-includes/js/jquery/ui/dirs58.php
    File type: Core
    Issue first detected: 31 secs ago.
    Severity: Warning
    Status New
    This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.

    Tools:View the file. Delete this file (can’t be undone).
    Select for bulk delete
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    Modified plugin file: wp-content/plugins/wordfence/lib/menu_whois.php
    Filename: wp-content/plugins/wordfence/lib/menu_whois.php
    File type: Plugin
    Issue first detected: 1 min ago.
    Severity: Warning
    Status New
    This file belongs to plugin “Wordfence Security” version “6.1.17” and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

    Tools:View the file. Restore the original version of this file. See how the file has changed.
    Select for bulk repair
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    Modified plugin file: wp-content/plugins/jetpack/class.frame-nonce-preview.php
    Filename: wp-content/plugins/jetpack/class.frame-nonce-preview.php
    File type: Plugin
    Issue first detected: 1 min ago.
    Severity: Warning
    Status New
    This file belongs to plugin “Jetpack by WordPress.com” version “4.3.1” and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

    Tools:View the file. Restore the original version of this file. See how the file has changed.
    Select for bulk repair
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

    Modified plugin file: wp-content/plugins/analytics-counter/readme.txt
    Filename: wp-content/plugins/analytics-counter/readme.txt
    File type: Plugin
    Issue first detected: 1 min ago.
    Severity: Warning
    Status New
    This file belongs to plugin “Google Analytics Counter Tracker” version “3.3.0” and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

    Tools:View the file. Restore the original version of this file. See how the file has changed.
    Select for bulk repair
    Resolve:I have fixed this issue Ignore until the file changes. Always ignore this file.

Viewing 8 replies - 1 through 8 (of 8 total)
  • You will need to work through this resource:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    And then once your site is clean work through this:
    https://codex.www.ads-software.com/Hardening_WordPress

    You also have the alternative of restoring your site from a known clean backup of your site files and database (safely pre-hack) and then changing all your user names and passwords (WordPress/cPanel/database/FTP), conducting an audit of your plugins/theme and doing the hardening steps linked to above. This can be a much less painful process than cleaning the site if you have that good backup.

    Good luck!

    Thread Starter PL

    (@paris3)

    Thank you for the reply and links. I’m trying to figure out which option is best to fix this. Does anyone know where in the Wordfence options I can find what IP addresses are whitelisted? There is a suspicious IP I can’t block because I get a pop-up saying that it’s whitelisted and I can change that in the Wordfence Options, but I can’t find exactly where in the options section this IP would be listed.

    I’m not familiar with the Wordfence GUI. You could just block the IP(s) manually in the .htaccess file. e.g.

    
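    # Apache 2.2 syntax (on 2.4 this needs mod_access_compat).
    # Replace the example addresses below with the IPs to block.
    order allow,deny
    allow from all
    deny from 192.0.2.10
    deny from 198.51.100.45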
    

    Hi @paris3
    This IP may have been whitelisted in (Wordfence > Options => Other Options => Whitelisted IP addresses that bypass all rules)

    Also, please check this article regarding “How to Clean a Hacked WordPress Site using Wordfence” along with the links provided by @pidengmor!

    Thanks.

    • This reply was modified 8 years, 2 months ago by wfalaa.

    How did you solve this problem? I have the same. All WordPress sites on my hosting are affected and once I clean all sites with Wordfence they are ok, but after some time, they become affected again.

    I can’t find the hole or the reason why someone can insert files and malicious code on my sites.
    Any kind of help would be really appreciated.

    Go to Wordfence -> Scan and click on the options page. See if the hack has inserted any pages into the exclusion list. Also enable all the scan options (external, images, high sensitivity) and scan again.

    Look for files that seem like WordPress files but are not (i.e. wp-rss2.php, wp-atom.php)

    -chuck
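
Added example, not part of the thread and not Wordfence's code: a small Python scanner that applies the two checks seen in the scan report above, pattern matches on PHP files and a search for PHP files in core directories that the installed version does not ship. The regexes are heuristics modelled on the quoted snippets, and `known_core_files` is a hypothetical manifest of paths from a clean copy of the same core version; the sample tree is constructed from inert fragments of the report.

```python
import re
import tempfile
from pathlib import Path

# Heuristics modelled on the snippets quoted in the scan report above.
# Assumption of this example: these are not Wordfence's real signatures.
SIGNATURES = {
    "globals-indexed-call": re.compile(rb"\$GLOBALS\[\s*\$GLOBALS\[[^\]]+\]\[\d+\]\s*\."),
    "eval-nested-array": re.compile(rb"eval\(\s*\$\w+\[\s*\$\w+\[[^\]]+\]\[\d+"),
    "cookie-as-callable": re.compile(
        rb"\$(\w+)\s*=\s*\$_COOKIE;\s*\$(\w+)\s*=\s*\$\1\[[^\]]+\];.{0,80}?=\s*\$\2\(", re.S),
}
CORE_DIRS = ("wp-admin/", "wp-includes/")
# Constructed sample tree: inert fragments copied from the report, not working code.
SAMPLE_FILES = {
    "wp-includes/version.php": b"<?php $wp_version = '0.0';",
    "wp-includes/js/jquery/ui/dirs58.php":
        b"<?php @$GLOBALS[$GLOBALS['m7f2ce'][75].$GLOBALS['m7f2ce'][55]",
    "wp-content/plugins/jetpack/class.frame-nonce-preview.php":
        b"<?php eval($qd23264[$lbef4fa8c['of4d4eaf7'][3",
    "wp-content/wflogs/error.php":
        b"<?php $yjr=$_COOKIE; $xib=$yjr[jctc]; if($xib){ $pdzcp=$xib($yjr[pbaq]);",
}

def scan(root, known_core_files):
    """Map each suspicious .php file under root to the reasons it was flagged."""
    # known_core_files: hypothetical manifest of relative paths in a clean core copy.
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        reasons = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        if rel.startswith(CORE_DIRS) and rel not in known_core_files:
            reasons.append("unknown-core-file")
        if reasons:
            findings[rel] = reasons
    return findings

def scan_sample_tree():
    """Write SAMPLE_FILES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(tmp, known_core_files={"wp-includes/version.php"})

if __name__ == "__main__":
    for rel, reasons in scan_sample_tree().items():
        print(rel, reasons)
```

On a real install, WP-CLI's `wp core verify-checksums` does the core comparison against the official checksums for the installed version.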

    We are facing the same issue. I have no way to clean my WordPress.
    I clean it and then 1 week ago it infects the website again, every week.

    I’ve the same problem; every week I have to clean the site. I’ve also reset the FTP and MySQL passwords a few times.

  • The topic ‘Help needed for hacked site’ is closed to new replies.