Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator James Huff

    (@macmanx)

    That sounds like the hacker may have infected a file or .htaccess with a redirect. What are the contents of your .htaccess file?

    Also, do you have any other index files in the same directory as wp-login.php, besides WordPress’s index.php file?

    Moderator Marius L. J.

    (@clorith)

    Hiya,

    It seems you’ve been hit with a fun one, and it seems to resemble one I had to deal with not long ago myself.

    What was happening in my case was that the WordPress core files had been replaced by malicious users, so whenever I looked over my theme and plugin files everything seemed okay.

    What you’ll want to do is redeploy. That means you’ll want to download fresh copies of WordPress, as well as your theme and plugins, delete everything except wp-content/uploads (you’ll want to keep your files) and wp-config.php (so you don’t have to set up everything all over).

    Once you’ve redeployed, install https://www.ads-software.com/plugins/sucuri-scanner/ and run a scan just to make sure there’s nothing else hiding away somewhere that you might have missed.

    Thread Starter ProblemSolved

    (@problemsolved)

    Thanks for the advice. I’ll look to replace everything as suggested. Kinda had a feeling that would be the case.

    Moderator James Huff

    (@macmanx)

    Excellent, please let us know how it goes!

    Thread Starter ProblemSolved

    (@problemsolved)

    Replaced all the files other than /wp-content/uploads with fresh ones, re-ran wp-activate.php and it appears the infected files are gone and the URLs it’d created are dead.

    Thanks so much for the help guys!

    Moderator James Huff

    (@macmanx)

    Awesome, I’m glad that worked out for you!

    I ran across this problem recently – whatever got in left behind a telltale footprint:

    <?php eval(gzinflate(base64_decode( at the beginning of the first line. Once I removed the entire line, googlebot user agents were then able to correctly parse the page. In some instances, I had over 100 files affected.

    If you have shell access to your WordPress host, the following commands may be helpful:

    To find all the affected files:
    find /path/to/wordpress -name \*.php -print0 | xargs -0 grep -l 'php eval(gzinflate(base64_decode('

    To clean all the files:
    find /path/to/wordpress -name \*.php -print0 | xargs -0 sed -i -e '/php eval(gzinflate(base64_decode/d'

    Standard disclaimers of “no warranty” apply. Always make backups.
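
    An added example, not part of the original post: the same find/grep/sed approach as a script that tolerates whitespace variations in the marker, copies each hit file to a backup directory before editing, and deletes a line only when the injected block is the whole line. It assumes GNU find, xargs, grep and sed; the function names, the base64 placeholder and the sample file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit, back up, then remove only self-contained injected lines.
# Whitespace-tolerant form of the thread's marker (ERE, for grep -E / sed -E).
MARKER='<\?php[[:space:]]+eval[[:space:]]*\([[:space:]]*gzinflate[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('

# Print "file:line" for each marker hit in .php files under $1.
scan_injected() {
  find "$1" -type f -name '*.php' -print0 |
    xargs -0 -r grep -EnH -- "$MARKER" | cut -d: -f1,2
}

# Copy each hit file under $2 (keep it outside the web root), then delete
# marker lines that contain nothing but the injected block. A line with other
# code after the closing "?>" is left in place and reported for manual review.
clean_injected() {
  local root=$1 backup=$2 f
  scan_injected "$root" | cut -d: -f1 | sort -u | while IFS= read -r f; do
    mkdir -p "$backup/$(dirname "$f")" && cp -p -- "$f" "$backup/$f"
    sed -i -E "/^[[:space:]]*${MARKER}[^?]*\?>[[:space:]]*\$/d" "$f"
    if grep -Eq -- "$MARKER" "$f"; then echo "REVIEW $f"; else echo "CLEANED $f"; fi
  done
}

# Constructed sample tree: the payload is a placeholder string, not real malware.
make_sample() {
  local d inj
  d=$(mktemp -d)
  inj="<?php eval(gzinflate(base64_decode('Y29uc3RydWN0ZWQ='))); ?>"
  printf '%s\n<?php\necho "page";\n' "$inj" > "$d/own_line.php"
  printf '%s<?php echo "page";\n' "$inj" > "$d/shared_line.php"
  printf '<?php\necho "clean";\n' > "$d/clean.php"
  echo "$d"
}

# Usage: script.sh /path/to/wordpress /path/to/backup-dir
if [ "$#" -eq 2 ]; then
  scan_injected "$1"
  clean_injected "$1" "$2"
fi
```

    Files reported as REVIEW still contain the marker on a line shared with other code, so they need a manual edit or replacement from a fresh copy.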

  • The topic ‘Page Only Googlebot Can See After A Hack’ is closed to new replies.