• Resolved 1clickmedia

    (@1clickmedia)


    Pre-amble:
    My site was hacked, email spam was being sent from the server, the homepage was replaced with a “Under Construction” page. My host informed me of the hack and told me that TinyMCE was the culprit. They removed a bunch of malicious files and we disabled TinyMCE. I have no knowledge of what they removed or what caused the issue.

    I am running WordPress 3.7.1 and the following plugins:
    – Admin Menu Editor Pro v1.91
    – Advanced Custom Fields v4.3.0
    – Advanced Custom Fields – Taxonomy Field add-on v1.4
    – Advanced Custom Fields: Gallery Field v1.1.0
    – Advanced Custom Fields: Options Page v1.1.0
    – Advanced Custom Fields: Repeater Field v1.1.0
    – AJAX Thumbnail Rebuild v1.09
    – Akismet v2.5.9
    – Backup Scheduler v1.4.4
    – Category Order and Taxonomy Terms Order v1.3.4
    – Codepress Admin Columns v2.0.2
    – Form Manager v1.6.41
    – Redirection v2.3.4
    – Relevanssi v3.1.9
    – Reveal IDs v1.4.5
    – Rewrite Rules Inspector v1.2.1
    – Simple Page Ordering v2.1.2

    So, onto the actual problem...
    The site works great, no issues on the site itself. I am using “Post Name” as the Permalinks Common Settings so all URLs on the site are https://domain.com/page-name/

    When I search for the website name in Google, the sitelinks show a ton of links to a gambling site. [redacted]

    The URL structure for all of the links that show up in Google look like this:

    https://www.domain.com/?p=XX (where XX is a number from 1 to 296)

    If you click on any link from Google it takes me to a page with a FRAMESET that points to:

    http:[redacted]

    This is a link to the Grand Parker Casino.

    I could also manually type any URL https://www.domain.com/?p=XX (where XX is a number from 1 to 296) and I get the same end result.

    The links ONLY show up in Google, they don’t appear anywhere on my site (that I found).

    The solution

    That’s right, I fixed the problem, but when I was looking online for a solution, none were found so I figured I’d share my experience in case anyone has the same issue.

    So... I searched high and low, the theme, plugins, uploads, everywhere.

    I found:
    – A malicious php file called “b377f.php” in the uploads directory. I noticed the last modified date for /wp-content/uploads/2013/02 was September, not February, so I checked and found the newly uploaded file. It was a phishing file that provided any WordPress passwords among other things. I deleted this.
    – A malicious line in the wp-config.php file:
    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    It’s a HEX encoded line that was further encoded using Base64. I used programming to decode it and it pointed to a directory that had been created deep in some old directories/files on my server. This would be a unique directory on your server, but mine was called “…../donaven/cache/”

    In that directory there were about 30 hidden files with alphanumeric character names like:

    .%828E%0013%B8F3%BC1B%B22B%4F57

    I deleted them, the directory, and the malicious line of code from wp-config.php.

    Removing this instantly stopped the redirects from happening in Google. I’m hoping two things will now happen:
    1) Google will remove the broken links, cause they no longer work
    2) The hole that caused the issue has been fixed

    Again, I don’t know how this was caused, but I do know that the redirects are no longer happening. I’ll post here if there are any other updates.

    If you are experiencing this yourself, good luck!
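The three artefacts described in the post (a PHP file dropped under uploads, a hex-then-base64 layered string literal in wp-config.php, and hidden files named as runs of %XXXX) can be triaged with a small scanner. This is an added example, not code from the original post; the wp-config.php fragment, the cache path and the directory listing in it are constructed, and the real encoded line is not reproduced.

```python
import base64
import re

# Constructed sample: a wp-config.php fragment carrying a hex-then-base64 encoded
# path, in the style of the layered string the post describes (not the real payload).
CACHE_PATH = "/home/example-site/old/donaven/cache/"  # constructed path
ENCODED = base64.b64encode(CACHE_PATH.encode().hex().encode()).decode()
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    f"$x = '{ENCODED}';\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
)
# Constructed directory listing mixing normal files with the two kinds of artefact.
SAMPLE_FILES = [
    "/wp-content/uploads/2013/02/image.jpg",
    "/wp-content/uploads/2013/02/b377f.php",
    "/old/donaven/cache/.%828E%0013%B8F3%BC1B%B22B%4F57",
    "/wp-content/themes/twentythirteen/style.css",
]

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")
HEX_TEXT = re.compile(r"(?:[0-9a-fA-F]{2})+")
HIDDEN_HEX_NAME = re.compile(r"^\.(%[0-9A-Fa-f]{4})+$")

def peel(blob: str, max_layers: int = 4) -> str:
    """Strip nested hex and base64 layers until the text stops decoding cleanly."""
    for _ in range(max_layers):
        try:
            if HEX_TEXT.fullmatch(blob):
                decoded = bytes.fromhex(blob)
            else:
                decoded = base64.b64decode(blob, validate=True)
            blob = decoded.decode("ascii")  # bad base64/hex/bytes all raise ValueError
        except ValueError:
            break
    return blob

def encoded_literals(php_source: str) -> list[tuple[str, str]]:
    """Return (literal, decoded) for long base64-looking string literals in PHP source."""
    return [(m.group(1), peel(m.group(1))) for m in B64_LITERAL.finditer(php_source)]

def suspicious_files(paths: list[str]) -> list[str]:
    """Flag PHP under wp-content/uploads and dot-files whose names are runs of %XXXX."""
    return [p for p in paths
            if ("/wp-content/uploads/" in p and p.lower().endswith(".php"))
            or HIDDEN_HEX_NAME.match(p.rsplit("/", 1)[-1])]

if __name__ == "__main__":
    print(encoded_literals(SAMPLE_WP_CONFIG), suspicious_files(SAMPLE_FILES))
```

Run it against a real wp-config.php and a `find`-style listing of the web root; any literal that peels down to a filesystem path, and any hit from the file check, deserves a manual look.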

Viewing 1 replies (of 1 total)
  • The topic ‘WordPress gambling redirect hack’ is closed to new replies.