• Resolved frasermarlow

    (@frasermarlow)


    I am running WordPress 4.5.3, and the site I am working on has been hacked/exploited. Looking into this I see it affecting other WordPress sites.

    The nature of the hack/exploit is to drop in a div with style="position: absolute; top: -3167px" and then, strangely, a link to a PDF document hosted on this or another WordPress server.

    Here is an example of how it comes out:

    [ redacted ]

    These hacked links do not appear on every <a> tag, but when they do, if the offending </a><a> tag is removed from the site, the exploit jumps to the next link in the HTML.

    Other sites affected I have found include:

    [ redacted ]

    … and probably many more.
    Strangely these all point to Italian PDFs hosted on the hacked sites.

    I tried running the Exploit Scanner plug-in but got this error “Searching your filesystem and database for possible exploit code – An error occurred. Please try again later” which makes me nervous!

    The theme I am running is Parallax One but the other sites are all on other themes, so I don’t think it’s a theme issue.

    Any advice on where this is coming from, how to address it and prevent it in the future would be welcome. Many thanks.
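    As an added defensive example that is not part of this thread or of WordPress: a small stand-library Python scanner for the injection pattern described above (an absolutely positioned element pushed thousands of pixels off-screen, wrapping a link). The 1000px threshold, the void-tag list and the sample HTML are constructed assumptions.

```python
# Added detection example (not from the forum thread); threshold and tag list are assumptions.
import re
from html.parser import HTMLParser

OFFSET_THRESHOLD = 1000  # px; content this far off-screen is not meant to be seen
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag
_ABS_RE = re.compile(r"position\s*:\s*absolute", re.I)
_OFFSET_RE = re.compile(r"(?:top|left)\s*:\s*(-\d+)px", re.I)


def is_offscreen(style: str) -> bool:
    """True for 'position: absolute' combined with a large negative top/left."""
    return bool(_ABS_RE.search(style)) and any(
        int(px) <= -OFFSET_THRESHOLD for px in _OFFSET_RE.findall(style))


class HiddenLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # one flag per open tag: did it open a hidden container?
        self.findings = []   # (href, visible text) of anchors inside hidden containers
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in VOID_TAGS:
            self.stack.append(is_offscreen(a.get("style") or ""))
        if tag == "a" and any(self.stack):   # inside at least one hidden container
            self._href, self._text = a.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.findings.append((self._href, "".join(self._text).strip()))
            self._href = None
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def scan(html: str):
    # Return (href, text) pairs for every link hidden off-screen in the HTML.
    p = HiddenLinkScanner()
    p.feed(html)
    return p.findings

# Constructed sample mimicking the injection described in the post.
SAMPLE = ('<p><a href="/about">About</a></p><div style="position: absolute; top: -3167px">'
          '<a href="http://example.invalid/wp-content/doc.pdf">scarica il PDF</a></div>')
```

    Run it against the served HTML (what a visitor receives), not only the files on disk, since the post notes the links were not stored in the database; sloppy markup with unclosed tags can leave a container "open" in the stack, so treat hits as leads to confirm in the page source.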

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter frasermarlow

    (@frasermarlow)

    Additional note – this exploit is pointing to PDFs pulled from my site such as [ redacted ] but I can’t locate that in the root folder or anywhere else on the server… Any clues where that might be hidden?

    Thread Starter frasermarlow

    (@frasermarlow)

    I seem to have found a resolution, so I will document it here for the benefit of anybody else facing the same issue. I overwrote the entire WP-admin folder, and this flushed the issue out (i.e. these are not links in the WP database, but somehow fed in via js or some other method.) I have backed up the old set of files and will do a comparison to see if I can spot the exploit.

    Thread Starter frasermarlow

    (@frasermarlow)

    Sorry: correction that should be the WP-includes folder. Not the WP-admin one.

    … I overwrote the entire WP-admin folder, and this flushed the issue out

    That is not a complete fix. Carefully follow FAQ My site was hacked – WordPress Codex or you will likely be hacked again.

    Then take a look at the recommended security measures in Hardening WordPress – WordPress Codex and Brute Force Attacks – WordPress Codex

    Thread Starter frasermarlow

    (@frasermarlow)

    Hi Mark, you are correct. The issue reappeared a few hours later. Also the XML site map is compromised in a major way. This seems quite a widespread attack on many WP sites. I am surprised not to find any others documenting this issue, but maybe I am just not finding it?

    Thanks for the links – it does look like an overhaul of the accounts, and a fresh install might be the logical way to go.

    Ugh.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @frasermarlow Please do not open the same topic multiple times. Those get deleted or closed when found.

    How far did you get with Mark’s links above?

    Thread Starter frasermarlow

    (@frasermarlow)

    OK, thanks and understood.
    I followed Mark’s notes, purged the entire site, changed all passwords (WP-admin and FTP), reinstalled WP from the GoDaddy console, and reinstalled the theme from new. The only files I brought back from the original install were the uploads folder (which contains only images), and then I reloaded the database from an SQL export.

    A couple of hours after I completed the reinstall, the same hack reappeared.

    This said I have a second instance of WordPress running on the same server for another project and that one has not been compromised.

    So to pick up from my duplicate post, I am curious to get pointers on how this hack can reference PDFs listed on my server (ostensibly) such as [ redacted ] when I can’t locate any of these many PDFs in my file system and the .htaccess file looks clean.

    Thanks

    Thread Starter frasermarlow

    (@frasermarlow)

    Additional note: besides restricting FTP access to one user and changing the password to a long randomly generated one, I have changed the log-in on the WP install to only using CLEF, so those two doors are fairly well secured. I must still have a window open somewhere.

    Thread Starter frasermarlow

    (@frasermarlow)

    OK, one final post on this subject (I hope). Somehow, mysteriously while I was working on a second WP setup to do some testing, the exploit on my main WP site disappeared.

    Now I am not one to jump to conclusions and blame the hosting company, but I do know the site is on an older (not WordPress dedicated) hosting environment, and as I mentioned @godaddy in the thread, I am wondering if my speculation wasn’t correct: the issue was with the shared server and quietly got fixed.

    This would make sense since you would need higher level access to the server to exploit the root-folder of the various domains.

    This said, I would love to get back my two days of billable time and all the files I purged off my server as I worked round the clock to tackle this issue :-/

  • The topic ‘Site Hack or Exploit: links to italian PDFs on WP sites’ is closed to new replies.