catppe
Forum Replies Created
-
Forum: Fixing WordPress
In reply to: All my sites (6) hackedRegarding 122.155.168.105/ads/inpage/pub/collect.js.
We are infected with this script, too. From first investigation, it seems is using same penetration way as soaksoak.ru, since we found a file in /revslider/temp/update_extract/ that looks to be the one used to hack the sites. The file was created after we cleaned up the soaksoak infection. The code seems to parse all wordpress files and replaces the header closing tag </head> string with a script string calling the above script. Because we found infected files even in themes that are not active, I think is scanning all existing folders it gets access. The call to collect.js returned 404 in our case which made the affected pages to load slow. When we investigated the slowness we saw the call to the script.Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] MW:SPAM:SEO spam problemWe were infected with this script, too. From first investigation it seems is using same penetration way as soaksoak.ru since we found a file in /revslider/temp/update_extract/ that looks to be the one used to hack the sites. Seems that goes through wordpress files and replaces the header closing tag </head> string with a script string that calls the above string. Because we found infected files even in themes that are not active I think it scanning all existing folders it gets access. The call to collect.js returned 404 in our case which made the affected pages to load slow. When we investigated the slowness we saw the call to the script.