stjason

Ah, sometimes the simplest answers are what we miss. ?? Thank you!

Thank you Tobias, I’ve set up some test data that is exhibiting the problem.

https://partnerfirst.biz/wp-login.php
login: testuser
pass: Test1234

I’ve turned off most of the plugins for now but I think you are correct in that CSS from elsewhere is interfering.

I’ve tried targeting the tr element directly but while this does seem to affect the first table’s header the others are not affected. Thanks for your help!

.tablepress thead tr {
	color: red !important;
        height: 90px !important;
}

Hey Ryan

I eventually got it fixed by doing several things…
– disabled all plugins
– deleted unused non-essential plugins
– my host scanned the files and found some encoded php and malicious files I had to cleanup manually via FTP

At this point I was able to start scanning the site via WP plugins (I used a few). There was a cascade of issues for a little while but eventually it got cleared up.

What brought you to or how did you come about receiving /admin-ajax.php ??

If I goto https://partnerfirst.biz/wp-admin I’m good. I get the login page. Is it after you get in that your URL changes over to /admin-ajax.php?

I see the /admin-ajax.php 403 error anytime I try to update a theme, plugin, or delete a plugin. None of those things are possible.

A few updates…

My hosting service ‘scanned’ my site and identified several files which may have been compromised. I removed all of the files via FTP but the problem persists.

As of now the site is still redirecting to the pharma site. I don’t really know what else to try other than a complete reinstall.

Somewhat surprisingly I was unable to find anything at all related to the hack in my files. I could find no mention of the destination of the redirect anywhere. I had expected to find “something” in the theme php files, scripts, etc. but no luck. I also didn’t see any unusual encoded PHP blocks or additions to the htaccess file. Everything looks exactly as it should… I’m really puzzled at this point.

I also checked everything at the host level just to make sure that wasn’t the source of the problem but everything looks fine.

Curiously I contacted my host about the 403 error on admin-ajax.php and they say everything is configured exactly as it should be and they have no idea why I’m getting the permission error. This is a real mess.

Thanks Stef, I’m on Windows so I will attempt to do Select-String in Powershell. I’ve downloaded all of the files from my host. Hopefully this can reveal some clues as to where the hack is hiding out.

Hi Stef

I have inspected htaccess and it only contains this, which I surmise is normal.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I was able to solve this. The file to edit is here (use a child theme):

Mesmerize: information.php (inc/header-options/navigation-options/top-bar/content-types/information.php)

You can insert this code around line 149 after $text is set.

`if(filter_var($text, FILTER_VALIDATE_EMAIL)) {
$text = “<a href=’mailto:” . $text . “‘>” . $text . “</a>”;
}`

• This reply was modified 7 years, 2 months ago by stjason.