Site hacked despite Wordfence

  • Hi,

    My site is hacked this weekend despite I use Wordfence.
    It is damaged so bad that I can’t even access the administrator entry. wp-admin will forward to forwardmytraffic.com.

    I already disabled all plugins thru FTP.

    Please help!

    The page I need help with: [log in to see the link]

Viewing 15 replies - 16 through 30 (of 44 total)

  • I got this message when I used @empowersource’s mysql-script

    #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'src=’https://forwardmytraffic.com/ad.js?port=5′ type=’text/javascript’><' at line 1

    How can I fix this error?

    @saitou-sei: the command will only work if the bad script is exactly the same. Can you post the URL, so I can check for the actual script on your page?

    • This reply was modified 6 years, 3 months ago by empowersource.

    Hey guys!

    The last days I cleaned up some infected WordPress Websites.

    You have to search for forwardmytraffic.com with phpmyadmin or manual SQL-Queries. In my case there were 4 entries in the wp_options table.
    Then just replace the URLs in every entry with your own Website-URL. Be careful if there are multiple occurrences.
    After that you may have to delete the cache. If you have no access to the admin-backend, you can try to rename the cache folder within your wordpress installation. You can delete the folder if it works.

    Dear Empowersource,

    Could you tell me which script would work in my page?

    https://www.puremana.hu

    Thank you!

    @empowersource please take a look https://saitousei.com

    Thanks!

    I too have been hacked in the same way. The curious difference being that I have 8 domains registered by my host, and 6 of them use their servers, only those 6 have been infected… I am not a tech savvy website builder, the sites are ‘simple’, and being a cynic by nature, my primary question is can/would the host servers risk an infection of my sites in order to charge me a lot of money to repair them? Those far more tech savvy than myself could surely ‘bring down’ a company that was possibly doing such a thing? They have threatened to shut my sites down tonight if the infections are not removed and I subscribe to their own site security package…

    Hey !
    I’ve been hacked as well. Probably through the GDPR plugin. I can’t access to wp-admin, it’s redirected to “https://blueeyeswebsite.com/ad.js?ldp111#/wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2F&#8221;
    I have tried to remove manually the plugin, update wordpress manually.
    I want to clean the malware script from my site but I don’t know how since I can’t access to my admin dashboard.
    Any idea of where I could find the script to remove?
    Thanks

    Hi levelocipediste,

    The redirect can probably fixed by editing the first line of wp_options in the database. After fixing this and updating the gdpr plugin I had no further redirects, so it seems no other fixes are necessary.
    See also my contribution further above.
    Hope it helps!

    I also have blueeyeswebsite.com/ad.js script on almost all of my site’s pages – 2 websites on the same hosting account, even if I’ve restored it from a previous backup.

    How can I clear this malicious code?

    @empowersource I have tried to copy-paste the sql script but it doesn’t work for me. Also, how do I delete the code from Information Schema Database?

    @vmiki96 Did you mess with your database? It seems to be gone completely so there’s nothing to check. Maybe load a backup and feel free to ask again once the website is up again.

    @saitou-sei This should work for you. I guess, you copied the line right out of my post? Unfortunatelly, the forum must have messed up the quotation marks. Just use the command from my post and fill in the proper script from your own page. That should to the trick.

    @steveb366 I doubt that a host would deliberately let their hosted sites get infected. Greed is a great motivator though, so there is no quarantee. However, threatening to remove your sites if you don’t upgrade your package is unacceptable. This infection does not compromise their server security and even if it did, it would be their own fault. You have used your account in a manner that they allowed in the first place and if this leads to an infection, then it is in their responsibility not to let it spread. Furthermore, a site forwarding script is no serious security risk for anyone.
    I would therefore recommend to switch hosting services asap.

    @levelocipediste If you can access your database via phpMyAdmin, maybe my script from the first page of this thread might help.

    @cva183 Hi there. Do you get an error message when you use the script? It could have to do with the quotation marks. As described in my answer to @saitou-sei, you should fill in the original script from your site instead.

    I’m pretty much a noob myself, but as I understand it, information_schema is read only. The UPDATE command that I used should clean every part of the database that needs to be cleaned.

    • This reply was modified 6 years, 3 months ago by empowersource.
Viewing 15 replies - 16 through 30 (of 44 total)
  • The topic ‘Site hacked despite Wordfence’ is closed to new replies.

Tags