• icookcode

    (@wordpresscrt2k)


    Hi there,
    On some of my sites hosted on same shared server(Siteground) unknown PDF links are appearing on Homepage. Neither does Siteground hack alert system and nor Wordfence plugin recognizing those links as malicious. Although I receive a message from Wordfence hack alert system just before these links appear on site every time.

    Below is the exact message that I receive –

    Critical Problems:
    * WordPress core file modified: wp-includes/random_compat/random_int.php
    Alert email message screenshot – https://awesomescreenshot.com/07e5vyg94e

    If you look at the screenshot, it’s showing two critical problems, but the second one is always different for each site. E.g., on this site it’s showing a WOO file as malicious, but on another site it was showing a PNG image file of the AUTO GRID plugin as malicious.

    Infected Site link – https://yellowhandbag.info/
    Unknown PDF links screenshot – https://awesomescreenshot.com/0685vygh19

    Can you guys point me to where I should look for this malicious script on the server? Just FYI, I’ve already checked all SQL files and searched for links in there, but nothing showed up; I’ve also already looked for *.exe files on the server. Still nothing showed up. All in all, I’ve already followed the basic steps mentioned in most “how to clean your wp-site” guides out there, but still no luck. These links keep coming back and just go away for a day or two after I restore the site files from an old backup.

    Thanks in advance.

    https://www.ads-software.com/plugins/wordfence/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hi,

    Most likely, there is a vulnerability in a theme or plugin on your site. Delete any unused themes and plugins and then update all remaining themes and plugins. Also, since you are on a shared host, the possibility exists that the vulnerability is elsewhere on the server in another hosting account. You could alert your host to that possibility.

    Thanks,
    Brian

    I have the same problem, here are some of links

    https://themealeniumproject.com/How-the-Faith-Is-Protected.pdf
    https://themealeniumproject.com/Vom-Verh-Ltni-Der-Electricit-T-Zum-Magnetismus—.pdf
    https://themealeniumproject.com/Select-Discourses-by-John-Smith–To-Which-Is-Added-a-Sermon-Preached-at-the-Author-s-Funeral–1859-.pdf

    Hundreds of these unknown PDF links... might even be thousands.

    It’s nowhere to be found on ftp folders and I already installed wordfence, did the scan but these links, hundreds of them are still showing up and bugging down my server. Help please!

    If you haven’t fixed this malware yet, check the last line of wp-includes/random_compat/random_int.php. You can find some malicious PHP file added. Also, remove the PHP file that is being referred to, and you may find a folder called .X1-unix or something filled with viruses.

    Thread Starter icookcode

    (@wordpresscrt2k)

    /problemsolvr/ You da man!

    Thread Starter icookcode

    (@wordpresscrt2k)

    /problemsolvr/ Shit! the PDF links are back again. They went away for couple hrs though.

    I have had the same issue on a shared server and all my wordpress sites have been affected with this SEO spam PDF links.. So I have had to purchase a new server and created all the sites again from scratch! Taking me months..

    I would love any advice as to how you think they might have got in?

    Found this line of code in wp-includes/random_compat/random_int.php:

    ?><?php @include_once("/homepages/29/d169973226/htdocs/wp-content/plugins/fusion-core/admin/page-builder/assets/js/palette.php"); ?><?php @include_once("/homepages/29/d169973226/htdocs/wp-content/plugins/LayerSlider/static/codemirror/mode/htmlembedded/htmlembedded.php"); ?>

    over 20,000 links to PDFs

    Hello,

    Kinda interesting that even with thousands of infected websites, there isn’t much published about this issue.

    Just do a Google search with “.X1-unix” … Really interesting to see all infected websites in the results !

    So far I found that you need to remove the include once clauses at the end of this file : public_html/wp-includes/random_compat/random_int.php

    You also need to remove the random .php file created in the same directory where you will find the .X1-unix directory.

    You also need to remove the .X1-unix directory.

    Now I need to find how they managed to write in random_int.php

    Hello,

    Thanks for all of your helpful tips in this discussion.

    I’d just like to add:
    1. A random PHP file in the plugin directory was duplicated. Delete the one that has a .php.php extension.
    2. In addition to the malicious code that simon5 identified, I also found the same code in wp-includes/random_compat/random_bytes_mcrypt.php
    3. I found exclusions set in Wordfence’s options so Wordfence wouldn’t scan the .x1-unix directory!

    Well often it’s a .php.php but sometimes the infection won’t find a .php file to infect, so you will get a jpg.php or a css.php or a png.php or else.

    Just to add another hint to this diagnosis.

    Hey Everyone,

    It may be of some comfort to you all that I appear to have beaten this once and for all. Below are the steps that I took. Note that some of these steps are a bit technical and will require FTP and/or SSH access.

    1. Delete any WordPress installations that are no longer in use. In my case, the vulnerability appears to have come from an old demo WP site that had not been used in many years.
    2. Upgrade any themes and plugins that are out of date.
    3. Delete any themes and plugins which are no longer being used.
    4. Create a Virtual Machine in VirtualBox. This is probably not necessary but it was a good fail safe just in case.
    5. Download and install the free version of Avast!
    6. Create an empty "sitemap.xml" in the root of each site in the server; take away all permissions for these files so they cannot be altered or overwritten. Again, possibly not necessary but in my case I was receiving massive bills from my hosting company because Google was indexing all of the PDF files and it was using major resources.
    7. Create a "filename filter" in Filezilla for directories that contain ".x1-Unix". See this forum discussion for instructions https://forum.filezilla-project.org/viewtopic.php?t=30014. I’m sure this can be done in other FTP programs too.
    8. Download the entire contents of your server. This may take some time so you may want to grab a cup of coffee while you wait.
    9. Scan the contents of your server which you just downloaded with Avast!
    10. Evaluate each of the problems that Avast! finds. Some files may be completely malicious – for example the ".php.php" and ".jpg.php" files. Others may have a piece of harmful code inserted into them, for example some of my wpconfig files had code added to them. In some circumstances it may be simpler to do a manual re-install of WordPress if there are many WordPress Core Files affected.
    11. Run an ssh command to find and delete all instances of ".x1-Unix". If you do not have access to SSH, you may want to contact your hosting provider and see if they can do this for you or you can do a search using your preferred FTP program and then delete the results, it will just take a little longer. If you do have to use FTP to do this, don’t forget to remove the filename filter you created earlier otherwise your search will come up empty.
    12. Delete the dummy sitemap files if you created them.
    13. Monitor your server for a week or so to make sure you are completely clean. Then go through the process of restoring your reputation through Google Search Console.
    14. Grab another cup of coffee.

    I also strongly suggest you go through the My Site Was Hacked FAQ page and, in particular, change your secret keys.

    I hope this process can be of help to you. My server has now been clean for over a month!

    Matthew
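
The indicators named in the replies above (the .X1-unix directory, double extensions such as .php.php or .jpg.php, and include_once lines appended to files under wp-includes/random_compat) can be listed over SSH before anything is deleted. The script below is an added example, not code from any poster in this thread; the function names and the demo tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only triage for the indicators reported in this thread.
# Nothing is deleted; each hit is printed as "<KIND><TAB><path>" for manual review.

tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

scan_wp_tree() {
    local root="${1:?usage: scan_wp_tree <docroot>}"
    # include/require of a quoted absolute path, e.g. @include_once("/home/...");
    local re='(include|require)(_once)?[[:space:]]*\(?[[:space:]]*["'\'']/'

    # 1. Hidden drop directory (.X1-unix / .x1-Unix), matched case-insensitively.
    find "$root" -type d -iname '.x1-unix' 2>/dev/null | tag DROPDIR

    # 2. Double extensions ending in .php. Some plugins ship legitimate
    #    *.css.php files, so treat these as leads, not verdicts.
    find "$root" -type f \( -iname '*.php.php' -o -iname '*.jpg.php' \
        -o -iname '*.png.php' -o -iname '*.css.php' \) 2>/dev/null | tag DOUBLEEXT

    # 3. random_compat core files that pull in an absolute path.
    find "$root" -type f -path '*/wp-includes/random_compat/*.php' \
        -exec grep -lE "$re" {} + 2>/dev/null | tag CORE_INCLUDE
}

# Constructed sample tree (hypothetical paths, not from a real site).
make_demo_tree() {
    local d p
    d="$(mktemp -d)"; p="$d/wp-content/plugins/demo-plugin"
    mkdir -p "$d/wp-includes/random_compat" "$p/.X1-unix"
    # A clean core file: relative require via a variable must not be flagged.
    printf '%s\n' '<?php require_once $RandomCompatDIR . "/byte_safe_strings.php";' \
        > "$d/wp-includes/random_compat/random.php"
    # A tampered core file: absolute-path include appended after the closing tag.
    printf '%s\n' '<?php /* core code */' \
        '?><?php @include_once("/home/demo/htdocs/wp-content/plugins/demo-plugin/palette.php"); ?>' \
        > "$d/wp-includes/random_compat/random_int.php"
    : > "$p/palette.php"; : > "$p/admin.php.php"; : > "$p/logo.png.php"
    printf '%s\n' "$d"
}

# Scan a real docroot when a path is given: ./triage.sh /path/to/public_html
if [ "$#" -gt 0 ]; then scan_wp_tree "$1"; fi
```

Each CORE_INCLUDE hit names a core file whose appended include line points at the dropped PHP file, which is the path to inspect next.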

    And got another infection 3 months later.

    Just checking if there’s new knowledge on the issue ?

    Thanks !

    • This reply was modified 7 years, 12 months ago by simon5.

    any updates?

    still clean? With regards to sitemap.xml did you set this to 444?

  • The topic ‘Unknown PDF file links are appearing on my sites’ is closed to new replies.