Help removing site hack

  • A web site I’m working on is hacked with external links to pharmacy sites. This is not a hack I have seen before, and I have removed 15 or 20 in the past. I completely cannot find where this is coming from.

    The hacker is adding a big block of code between the <body> tag and the <div id=”wrap”> division. The code is a random paragraph containing 50 links to different URLs that sell pills. The code is only added for certain mobile or text-only referrers. The easiest way to see it is to look at the source code for Google’s cached version of this page:

    Carenet

    The site files contains no extra eval or base64_decode commands, written forwards or backwards. They are not in the database either. The file modification dates on the server all look correct. Obviously I have already changed every password, but the hack is still there and I need to remove it.

    Any advice?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter jimmycrackedcorn

    (@jimmycrackedcorn)

    I have also checked for added javascripts in site files and in the database and found none.

    The site is using the Organic Studio template, and I’m trying to get ahold of a fresh copy, but it’s not a free template.

    There’s probably a backdoor installed on your site.

    I would consider using a professional service such as Sucuri

    Thread Starter jimmycrackedcorn

    (@jimmycrackedcorn)

    Does Sucuri’s paid service do better than their free scan? Their free scan give my site the green light.

    @jimmycrackedcorn: you appear to be using a sketchy webhost; find a better one, as a good host is important for security. See Recommended WordPress Web Hosting

    I had an old site I’d forgotten about, and the free Sucuri didn’t work for me either. What did work was the free Anti-Malware (Get Off Malicious Scripts) plugin. It removed all the malware and the site worked fine after that. Be aware though that this plugin can edit your files in order to clean them up (including core files I believe). It worked a treat though!

    https://www.ads-software.com/plugins/gotmls/

    Thread Starter jimmycrackedcorn

    (@jimmycrackedcorn)

    @songdogtech

    Is GoDaddy a sketchy web host? This is where my client has this site.

    Thread Starter jimmycrackedcorn

    (@jimmycrackedcorn)

    Thanks all. I went with the paid Sucuri option and they fixed the site in about 1 hour. There was malicious code working together in a plugin folder, added to several theme files, include files, admin files. 9 files altogether were modified, and the server date was preserved on each of them.

    Is GoDaddy a sketchy web host?

    Search these forums for GoDaddy issues….

    I’m very glad that Sucuri was able to help you out. I have had some serious success with them. I have even spoken with one of the two founders (Tony Perez) at my city’s recent WordCamp.

    Very pleasant guy and great to talk to regarding security issues. I will always back them as they have provided some of the best help I can find for some of my clients.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Help removing site hack’ is closed to new replies.

Tags