• Hello, my website DDLTown.com is built with WordPress and it was working perfectly until the other night it started to automatically redirect me & other visitors every now and then to “Braffic.com” and today it started to redirect me to a website called “motometalrims.org” so, it would be great if you guys can help me with this, thanks in advance.

Viewing 15 replies - 46 through 60 (of 61 total)
  • I don’t have that plugin, no.
    Still haven’t found a solution

    Thread Starter Abdelghany

    (@abdelghany)

    gschaefer: no man I don’t have that plugin either, I was wondering have you rebuilt your website and still having the issue or what? Because I was thinking to do the same!

    Yes, and I moved the domain to its own cpanel account as well and started from scratch again by installing a clean copy of WordPress and re-installing all the same plugins and widgets and imported my posts and pages but had to do all the rest manually. It took me 2 solid days! Thankfully I had saved all my CSS changes to my theme!

    I also installed the WP Better Security plugin and followed ALL their recommendations and did a few other things on my hosting account as well with the help of my ISP.

    https://bit51.com/software/better-wp-security/

    So far so good and no signs of the same hacking problems.

    Thread Starter Abdelghany

    (@abdelghany)

    Great job man good luck, but excuse my naiveness again what do you mean by moved the domain to its own cpanel? And how did you import your posts if I may ask?

    I had exported my posts and pages from WordPress admin using the default import/export plugin before I torched my infected site.

    Ask your web host to explain how to isolate a website, will depend on your hosting account etc.

    I found some code injected in a php-file called “TipTour.class.php”. This file is included in the plugin “Uber Menu”.

    In the file, a function named wp__head() was injected which injects some javascript into the <head> of your page.

    If any of you need a hand removing the injected code, I will gladly do this for a minimal fee. I can be contacted on the [moderated – please do not use these forums to solicit work ]

    Lars,

    Could you tell us what the code snippet was? I’ve downloaded the WP folders of all my sites to my local PC and can do a *.* search within the files to find where it’s infected for my scenario and will gladly post instructions for the rest of the community to do the same!

    Thanks!

    Wesley,

    You should look for a function named “wp__head” (in my case).
    It uses cURL to query the website “jqury.net”, so you should be able to search for that.

    In my case, it was only the “TipTour.class.php”-file that was infected.
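The search described above, for a local copy of the site files, as an added example that is not part of the original thread: it walks a WordPress tree and reports every PHP file line containing either indicator named in the post (the `wp__head` function and the `jqury.net` domain). The `ubermenu` directory name, the extension list and the sample files built in `demo()` are constructed assumptions.

```python
import os
import re
import tempfile

# Indicators taken from the thread: the injected function name and the
# domain it queried. Legitimate WordPress uses "wp_head" (one underscore).
INDICATORS = {
    "wp__head function": re.compile(rb"function\s+wp__head\s*\("),
    "jqury.net reference": re.compile(rb"jqury\.net", re.IGNORECASE),
}
PHP_EXTENSIONS = (".php", ".inc", ".phtml")  # assumption: extensions worth checking


def scan_tree(root):
    """Return sorted (relative_path, line_number, indicator_name) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # Read as bytes: tampered files are not always valid UTF-8.
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file, skip it
            for lineno, line in enumerate(lines, 1):
                for label, pattern in INDICATORS.items():
                    if pattern.search(line):
                        hits.append((os.path.relpath(path, root), lineno, label))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (stand-in text, not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "wp-content", "plugins", "ubermenu")
        os.makedirs(plugin)
        with open(os.path.join(plugin, "TipTour.class.php"), "wb") as fh:
            fh.write(b"<?php\nclass TipTour {}\nfunction wp__head() {\n"
                     b"    $ch = curl_init('http://jqury.net/');\n}\n")
        with open(os.path.join(plugin, "clean.php"), "wb") as fh:
            fh.write(b"<?php\nadd_action('wp_head', 'my_head');\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, label in demo():
        print(f"{path}:{lineno}: {label}")
```

To check a real download, call `scan_tree()` on the folder that contains `wp-content`; a hit only locates the injected code and says nothing about how it got there.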

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    There is really no point doing that, finding the malicious code and then just removing it. What will that do?

    Removing the code will stop your site from redirecting. How the code got there is another matter though. It could be a vulnerability in the specific file or plugin, or it could be related to the massive botnet that’s been trying to brute-force passwords of WordPress “admin” accounts lately.

    Well considering I’ve taken every other above-mentioned precaution, I should assume that I’ve secured my sites to my best ability from further infringement?

    If I can remove the infringing code that is injecting the nonsense into the <head> I believe I will have fended off the attack.

    Please by all means explain why you believe this is wrong, as I would love to learn?

    Removing the code doesn’t prevent the code from being injected again. But it will help with the redirection issue (unless the code is re-injected).

    Do you by any chance use the username “admin” on your site?

    Nope, I use a very randomly generated username and password. It seems this particular attack either targets a WP vulnerability or a server side vulnerability.

    Again, I have WP sites hosted with different hosts in different countries, they’re all hit!

    I have WP sites hosted with different hosts in different countries, they’re all hit!

    Looks like you are specifically targeted by the attacker and all your sites were attacked, though they were with different hosts in different countries. It is understandable if they were with the same host and in most such cases in the same server.

    Sorry, what you post here is highly unlikely and misleading. Such info will not help anyone but only lead to more confusion.

    Krishna, I take quite a bit of offense to your response.

    As unlikely as it may seem (to you) I can assure you it is the case.

    I have nothing to gain by fabricating this? I’m merely trying to contribute and help find a solution to this problem, and quite frankly your response is extremely unhelpful.

    Please advise how my info leads to more confusion, and I will elaborate as necessary to clarify.

  • The topic ‘My website redirects to Braffic.com & Motometalrims.org ?’ is closed to new replies.