• I have two issues I’m struggling to fix. I’ve tried most everything suggested online and am at a loss as to what else to do.

    WordPress Version: 5.2.1
    Theme: Mesmerize
    Plugins: ALL are deactivated

    Issue 1:
    403 Forbidden Forbidden You don’t have permission to access /wp-admin/admin-ajax.php on this server.

    I get this message any time I try to update or delete a plugin. It also shows this message on the Dashboard tab of the Admin panel.

    Things I’ve tried:
    1. Deactivating all plugins
    2. Via FTP I have verified admin-ajax.php permission code is set to 640
    3. Via FTP I have verified all WP folder permissions are set to 755
    4. Installed WP Super Cache, there are no cached contents showing to delete
    5. Cleared theme cache

    Is there anything I should be checking at the host level?

    Issue 2:
    When clicking on my site from a search engine it redirects to a pharma scam site.

    Things I’ve tried to fix this:
    1. Inspected htaccess which looks normal. I tried deleting it and generating a new file but a new file was never created. I’ve compared my file with other “normal” ones online and they look the same.
    2. Inspected all *.php files (index, header, footer, etc.). I know it is common to encode PHP in these files to facilitate the redirect but all of mine look normal.

    I’ve seen vague mention of these redirects working via scripts or an infected database but I haven’t found much information on how to troubleshoot those cases.

    Thanks!


Viewing 14 replies - 1 through 14 (of 14 total)
  • Stef

    (@serafinnyc)

    Did you look at the htaccess? Have you cleaned your hack yet?

    Thread Starter stjason

    (@stjason)

    Hi Stef

    I have inspected htaccess and it only contains this, which I surmise is normal.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    Stef

    (@serafinnyc)

    Sorry, was viewing without my glasses on and now I’m in front of main computer. Good. Yeah that’s correct.

    Have you run a grep looking for the main leak of the virus?

    Thread Starter stjason

    (@stjason)

    Thanks Stef, I’m on Windows so I will attempt to do Select-String in PowerShell. I’ve downloaded all of the files from my host. Hopefully this can reveal some clues as to where the hack is hiding out.

    Stef

    (@serafinnyc)

    Oooooo! I like how you roll

    Pharma hacks like JS files the most, header files and index files.

    Best of luck

    Thread Starter stjason

    (@stjason)

    Somewhat surprisingly I was unable to find anything at all related to the hack in my files. I could find no mention of the destination of the redirect anywhere. I had expected to find “something” in the theme php files, scripts, etc. but no luck. I also didn’t see any unusual encoded PHP blocks or additions to the htaccess file. Everything looks exactly as it should… I’m really puzzled at this point.

    I also checked everything at the host level just to make sure that wasn’t the source of the problem but everything looks fine.

    Curiously I contacted my host about the 403 error on admin-ajax.php and they say everything is configured exactly as it should be and they have no idea why I’m getting the permission error. This is a real mess.

    Stef

    (@serafinnyc)

    Let’s start over.

    Issue 1:
    403 Forbidden Forbidden You don’t have permission to access /wp-admin/admin-ajax.php on this server.

    What brought you to or how did you come about receiving /admin-ajax.php ??

    If I go to https://partnerfirst.biz/wp-admin I’m good. I get the login page. Is it after you get in that your URL changes over to /admin-ajax.php?

    Thread Starter stjason

    (@stjason)

    What brought you to or how did you come about receiving /admin-ajax.php ??

    If I go to https://partnerfirst.biz/wp-admin I’m good. I get the login page. Is it after you get in that your URL changes over to /admin-ajax.php?

    I see the /admin-ajax.php 403 error anytime I try to update a theme, plugin, or delete a plugin. None of those things are possible.

    A few updates…

    My hosting service ‘scanned’ my site and identified several files which may have been compromised. I removed all of the files via FTP but the problem persists.

    As of now the site is still redirecting to the pharma site. I don’t really know what else to try other than a complete reinstall.

    Stef

    (@serafinnyc)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures found here


    I have the same issue… Any updates on this?

    Thread Starter stjason

    (@stjason)

    Hey Ryan

    I eventually got it fixed by doing several things…
    – disabled all plugins
    – deleted unused non-essential plugins
    – my host scanned the files and found some encoded php and malicious files I had to clean up manually via FTP

    At this point I was able to start scanning the site via WP plugins (I used a few). There was a cascade of issues for a little while but eventually it got cleared up.
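
An added example, not part of the original thread and not the host's scanner: the earlier search for the redirect destination found nothing, while the host's scan turned up encoded PHP, so this script greps a downloaded copy of the site for obfuscation and search-engine-conditional logic instead. It goes beyond what the posts describe; the function names, patterns and sample files are constructed for illustration, GNU grep is assumed, and a hit is a file to review, not proof of infection.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU grep and a local copy of the site.
# It searches for obfuscation and conditional logic, not the redirect's destination,
# because an encoded payload does not contain the destination in clear text.

# report LABEL REGEX ROOT [grep options]: print "LABEL<TAB>file:line" per match.
# Only the location is printed; matching lines can be very long encoded blobs.
report() {
    label=$1 regex=$2 dir=$3
    shift 3
    grep -rnIiE "$@" -e "$regex" "$dir" 2>/dev/null |
        awk -F: -v l="$label" '{ print l "\t" $1 ":" $2 }'
}

# scan_site DIR: run every check against a downloaded copy of the site.
scan_site() {
    root=$1
    # PHP that executes data it has just decoded or decompressed.
    report decoded-exec \
        '(eval|assert)[[:space:]]*\(.*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        "$root" --include='*.php'
    # A run of 200 or more base64 characters on one line of PHP source.
    report long-blob '[A-Za-z0-9+/=]{200,}' "$root" --include='*.php'
    # Behaviour that depends on the visitor arriving from a search engine.
    report search-condition '(HTTP_REFERER|HTTP_USER_AGENT).*(google|bing|yahoo)' \
        "$root" --include='*.php' --include='.htaccess'
    # PHP inside the uploads directory, which normally holds only media files.
    find "$root" -path '*/wp-content/uploads/*' -name '*.php' |
        awk '{ print "php-in-uploads\t" $0 }'
}

# make_sample DIR: build a small constructed site copy to try the scan on.
make_sample() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/themes/t"
    printf '%s\n' '<?php get_header(); ?>' > "$1/index.php"
    printf '%s\n' '<?php' '@eval(base64_decode($_x));' > "$1/wp-content/themes/t/footer.php"
    printf '%s\n' 'RewriteCond %{HTTP_REFERER} (google|bing) [NC]' > "$1/.htaccess"
    printf '%s\n' '<?php // constructed placeholder' > "$1/wp-content/uploads/cache.php"
}

# With a directory argument, scan it: sh scan.sh ./site-backup
if [ "$#" -gt 0 ]; then scan_site "$1"; fi
```

The scan covers files only; the database mentioned in the first post is not examined.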

    Sometimes, the 403 Forbidden error to access /wp-admin/admin-ajax.php is caused by the server configuration.

    In case you can admin your server, if you have Mod Security enabled, try to disable it temporarily. Hopefully, you will be able to send your webform successfully. After that, you can enable it again.

    This is happening to me when changing the settings in several plugins.

    cowpen

    (@cowpen)

    Having the same issue with a pharma-hack. Can’t install WordFence. How did you get around the 403 error in order to delete your plugins?

    mniggemann

    (@mniggemann)

    Hey @stjason can you give us the file names and maybe code samples of the malicious code your host found?
    That would be of great help to others encountering the same hack.

  • The topic ‘Pharma hack and 403 error admin-ajax.php’ is closed to new replies.