UseShots
Forum Replies Created
Forum: Fixing WordPress
In reply to: How to remove this code
Hello,
You still have a spammy link in the footer section of web pages:
</footer><a href="hxxp://www.authenticflyersite[.]com/radko-gudas-jersey_c-503.html">Radko Gudas Womens Jersey</a>
Most likely it’s in the footer.php of the theme.
Forum: Fixing WordPress
In reply to: WordPress messed up
Hello,
That’s indeed because of the security hole in the older versions of WP-GDPR-COMPLIANCE. Hackers used it to change the siteurl setting of WordPress.
Here you can find the details
https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html
https://blog.sucuri.net/2018/11/hackers-change-wordpress-siteurl-to-pastebin.html
The first link has instructions on how to change the siteurl and what else you should check (e.g. fake admin users and changed default user role)
This article can also be helpful
https://codex.www.ads-software.com/Changing_The_Site_URL
Hello,
Logs show that hackers log into WordPress and install those two plugins. So changing WordPress passwords and checking for rogue users is a must.
Note, the plugins have code that makes them visible in the dashboard only when you provide a special parameter. So don’t rely on what you see in the dashboard – check wp-content/plugins directly on server.
- This reply was modified 7 years, 1 month ago by UseShots.
Forum: Fixing WordPress
In reply to: Need help removing wp-about-4.2.php Malware file
I saw this created by a fake plugin wordpress-admin-security
Forum: Fixing WordPress
In reply to: wp-admin page is white and blank
But it may also be in files. Scan them for
preg_replace("/.*/e"
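A scanner for the two file-level indicators raised in these replies, the preg_replace() "/e" modifier from the post above and the self-hiding plugins from the WP-GDPR-COMPLIANCE post further up. This is an added example for the thread, not code from the forum or from Sucuri. It assumes the hidden plugins filter WordPress's 'all_plugins' list (the post says they only show up in the dashboard with a special parameter but does not name the mechanism; hooking that filter is the usual way to do it), and the sample tree it builds is constructed, not taken from any real site.

```python
"""Scan a WordPress tree for two indicators from the thread: preg_replace()
calls using the /e modifier (the PHP code-execution modifier injected code
relied on, removed in PHP 7) and plugins hooking the 'all_plugins' filter to
hide themselves from the dashboard. Added example, not the forum's own code."""
import os
import re
import tempfile
from typing import List, Tuple

# Literal preg_replace pattern: opening quote, a delimiter (any non-alphanumeric,
# non-backslash, non-quote character, so '#' and '~' count as well as '/'),
# the pattern itself, the closing delimiter, the modifier letters, closing quote.
PREG_LITERAL = re.compile(
    r"""preg_replace\s*\(\s*(['"])([^A-Za-z0-9\s\\'"])(?:(?!\1).)*?\2([a-zA-Z]*)\1"""
)

# Assumption: the post does not say how the rogue plugins hide; filtering the
# 'all_plugins' list is the usual mechanism, so that hook is flagged here.
ALL_PLUGINS_HOOK = re.compile(r"""add_filter\s*\(\s*['"]all_plugins['"]""")

Finding = Tuple[str, int, str, str]  # (file, line number, rule, offending line)


def scan_php_source(label: str, source: str) -> List[Finding]:
    """Return indicator hits for one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in PREG_LITERAL.finditer(line):
            if "e" in m.group(3):
                findings.append((label, lineno, "preg_replace /e", line.strip()))
        if ALL_PLUGINS_HOOK.search(line):
            findings.append((label, lineno, "all_plugins hook", line.strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a WordPress install (or just wp-content) and scan every .php file.
    Only literal patterns are matched: code that builds the pattern from a
    variable or base64_decode() needs a separate rule."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(os.path.relpath(path, root), fh.read()))
    return findings


def demo() -> List[Finding]:
    """Constructed sample tree (not from any real site): one clean theme file,
    one footer.php with an /e call, one plugin that hides itself."""
    samples = {
        "wp-content/themes/example/index.php": "<?php get_header(); the_content(); ?>\n",
        "wp-content/themes/example/footer.php":
            '<?php preg_replace("/.*/e", base64_decode($_POST["z"]), ""); ?>\n</footer>\n',
        "wp-content/plugins/hidden/hidden.php":
            "<?php\nadd_filter('all_plugins', function ($p) {\n"
            "    if (!isset($_GET['show'])) unset($p['hidden/hidden.php']);\n    return $p;\n});\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for f in demo():
        print("%s:%d [%s] %s" % f)
```

Point scan_tree() at the real document root (the plugin check has to run on the server's copy of wp-content/plugins, as the post says, not on what the dashboard lists). A hit is a starting point for inspection, not proof by itself: a few legitimate plugins do hook all_plugins, and old themes occasionally still carry an /e call.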
@fretless I work with Yorman and just received your email.
A quick look at the logs proved Yorman’s initial guess – XML-RPC.
Here’s the log entry corresponding to the email alert that you posted here:
182.189.34.25 - - [05/Feb/2015:06:36:01 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
Note the same IP address and the time (1 hour difference is probably the difference between the server time and your own time)
I can also see many XML-RPC requests from other IPs.
Such brute-force attacks are not new. We have an article about them
https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
I hope it explains what’s going on.
Thanks
P.S. I forwarded your email to Yorman.
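The check behind the reply above, turned into code: parse combined-format access log lines and flag IPs that hammer xmlrpc.php. This is an added example for the thread, not code from the forum or from Sucuri. The first sample line is the entry quoted in the reply; the remaining lines, the threshold of 5 POSTs and the 60-second window are constructed assumptions to tune for a real site.

```python
"""Spot XML-RPC brute forcing in an Apache/nginx combined access log, the
pattern the reply above found. Added example, not the forum's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# First line is the entry quoted in the reply; the rest are constructed samples.
SAMPLE_LOG = """\
182.189.34.25 - - [05/Feb/2015:06:36:01 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [05/Feb/2015:06:36:02 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [05/Feb/2015:06:36:03 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [05/Feb/2015:06:36:05 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [05/Feb/2015:06:36:09 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [05/Feb/2015:06:36:14 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [05/Feb/2015:06:36:20 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.4 - - [05/Feb/2015:06:40:10 -0600] "GET /index.php HTTP/1.1" 200 15332 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Feb/2015:06:41:00 -0600] "POST /xmlrpc.php HTTP/1.1" 200 411 "-" "WordPress/4.1; http://example.org"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line. The timestamp keeps the server's UTC offset (-0600
    in the quoted entry), which is what the reply's one-hour gap refers to."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_xmlrpc_bruteforce(lines, threshold=5, window_seconds=60) -> Dict[str, int]:
    """Return {ip: hits} for IPs that POST to xmlrpc.php at least `threshold`
    times inside any `window_seconds` span. The HTTP status is deliberately
    ignored: in the quoted line '200 403' is status 200 followed by the
    response size, so a filter on 4xx responses would see nothing."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, int] = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, hits in detect_xmlrpc_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {hits} xmlrpc.php POSTs within 60s")
```

Feed it `open("/var/log/apache2/access.log")` instead of SAMPLE_LOG.splitlines() on a live server. Legitimate pingbacks and mobile apps also POST to xmlrpc.php, so compare flagged IPs with the user agents and the timing of the e-mail alerts before blocking anything.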
Forum: Fixing WordPress
In reply to: Parse error? And general trouble with plugins and the FTP
If you reinstall everything then nothing will be corrupted (at least until reinfection).
You need to replace all WordPress core files (reinstalling WordPress will help here)
Then reinstall themes and plugins. Now they are clean too.
What’s left is
* Files in the wp-content/uploads (there are usually no PHP files there, unless plugins install them there – again addressed by plugin reinstallation)
* Some other directories in wp-content created by plugins (it depends :-/)
* wp-config.php – you need to clean this file manually. Or recreate it again.
Of course, if you had many custom PHP files and no backup for them, then restoring the site will be difficult.
P.S. By the way, there is an update https://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
On some sites, the MailPoet plugin was the point of penetration. And it seems like it’s not the only vulnerable plugin.
Forum: Fixing WordPress
In reply to: Have I been hacked? Yes, no or maybe
The best way to remove malicious code when hundreds of files are infected is to replace them with clean files. Moreover, removing malware from a corrupted file (malware removes some legitimate code – hence errors) won’t make your site load.
That’s why we advise restoring the whole site from a backup – much faster and more accurate. And if you don’t have a backup then you can reinstall everything – WordPress sites rarely have really custom files that you can’t find anywhere else. So just reinstall WordPress, and then reinstall all themes and plugins.
Don’t forget to delete the rogue “no name” admin user.
P.S. And by the way, there is an update about that infection:
https://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
At least one of the penetration vectors was a vulnerable MailPoet plugin
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
Sucuri has an update about the MailPoet https://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
but I agree that it’s not the only penetration vector. I also saw infected sites that didn’t have MailPoet. Still investigating…
Forum: Everything else WordPress
In reply to: Malign Code Injected Into ALL .php Files
Do you mean this https://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html ?
This buggy malware corrupts lots of PHP files. The only good way to recover a site is to restore it from a clean backup or reinstall WordPress and all themes and plugins. And by the way, it installs a rogue admin user that has no name – it should be deleted.
Forum: Fixing WordPress
In reply to: Virus PHP
Valentina, do you mean this issue https://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html ?
Forum: Fixing WordPress
In reply to: log in fatal error
Download files using FTP and inspect them, or use FileManager in the Control Panel, or contact your host, or hire someone to help you (for example, that Sucuri article has a link to their malware removal service)
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
Yes it’s widespread and on many sites we saw that hackers checked for vulnerable plugins (e.g. MailPoet or WPTouch) before trying to access their backdoors or logging into web sites.
By the way, do all those sites share the same server account? If yes, one vulnerable site is enough to compromise all the sites.
Forum: Hacks
In reply to: Hack? Please help me, don't know what to do
Many sites have been similarly hacked https://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html
I guess hackers use a vulnerability in some plugin to create that admin user.
By the way, do any of your blogs have open user registration?
Just reinstall WordPress to restore core files. Then disable all plugins by renaming the wp-content/plugins directory. FTP is enough for that.
At this point you should be able to log in to WordPress.
Check for the malicious admin user (it has no name) and delete it.
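The database side of the clean-up described in this reply and in the WP-GDPR-COMPLIANCE reply above (rogue admin with no name, changed siteurl, changed default role, open registration), as an added example that is not code from the forum or from Sucuri. It runs the WordPress SQL against an in-memory SQLite copy of the wp_users / wp_usermeta / wp_options schema so it works offline; the same statements run on MySQL. Assumptions: the default `wp_` table prefix (read $table_prefix from wp-config.php on a real site), the expected values for default_role and users_can_register, and the sample rows, which are constructed and not from any real site.

```python
"""Post-compromise triage of the WordPress database: list administrator
accounts, flag the 'no name' ones, and check the options attackers change.
Added example for this thread, not the forum's own code."""
import sqlite3
from typing import Dict, List

# Assumption: default table prefix. Real sites often use a custom $table_prefix.
PREFIX = "wp_"

# Capabilities live in usermeta as a serialized PHP array under '<prefix>capabilities'.
ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.display_name, u.user_registered
FROM {p}users u
JOIN {p}usermeta m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""
OPTIONS_SQL = """
SELECT option_name, option_value FROM {p}options
WHERE option_name IN ('siteurl', 'home', 'default_role', 'users_can_register')
"""


def triage(conn: sqlite3.Connection, expected_url: str, prefix: str = PREFIX) -> Dict[str, List]:
    """Return every admin account, the suspicious ones, and option mismatches."""
    cur = conn.cursor()
    admins = [
        dict(ID=r[0], user_login=r[1], user_email=r[2], display_name=r[3], user_registered=r[4])
        for r in cur.execute(ADMIN_SQL.format(p=prefix))
    ]
    # Heuristic from the thread: the rogue admin "has no name". WordPress fills
    # display_name from user_login, so an empty one was created outside the UI.
    suspicious = [a for a in admins if not (a["display_name"] or "").strip()]
    options = dict(cur.execute(OPTIONS_SQL.format(p=prefix)).fetchall())
    # Assumed good values: the site's real URL, subscriber as default role, registration off.
    expected = {"siteurl": expected_url, "home": expected_url,
                "default_role": "subscriber", "users_can_register": "0"}
    problems = [(name, options.get(name), want)
                for name, want in expected.items() if options.get(name) != want]
    return {"admins": admins, "suspicious_admins": suspicious, "option_problems": problems}


def fix_site_url(conn: sqlite3.Connection, url: str, prefix: str = PREFIX) -> None:
    """Direct-edit repair of siteurl/home, the database method from the Codex
    'Changing The Site URL' page linked above."""
    conn.execute(f"UPDATE {prefix}options SET option_value = ? WHERE option_name IN ('siteurl', 'home')", (url,))
    conn.commit()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data mimicking a hacked site; not from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
    CREATE TABLE {PREFIX}users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                                display_name TEXT, user_registered TEXT);
    CREATE TABLE {PREFIX}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE {PREFIX}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
    INSERT INTO {PREFIX}users VALUES
      (1, 'owner', 'owner@example.org', 'Site Owner', '2013-03-01 10:00:00'),
      (2, 'editor', 'editor@example.org', 'Editor', '2013-06-15 09:30:00'),
      (3, 'admin2', 'x@mail.invalid', '', '2014-07-02 03:14:07');
    INSERT INTO {PREFIX}usermeta (user_id, meta_key, meta_value) VALUES
      (1, '{PREFIX}capabilities', 'a:1:{{s:13:"administrator";b:1;}}'),
      (2, '{PREFIX}capabilities', 'a:1:{{s:6:"editor";b:1;}}'),
      (3, '{PREFIX}capabilities', 'a:1:{{s:13:"administrator";b:1;}}');
    INSERT INTO {PREFIX}options (option_name, option_value) VALUES
      ('siteurl', 'http://redirect.invalid/raw'),
      ('home', 'https://example.org'),
      ('default_role', 'administrator'),
      ('users_can_register', '1');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    report = triage(db, "https://example.org")
    for a in report["admins"]:
        print("admin:", a["ID"], a["user_login"], repr(a["display_name"]), a["user_registered"])
    for name, got, want in report["option_problems"]:
        print(f"option {name}: found {got!r}, expected {want!r}")
    fix_site_url(db, "https://example.org")
```

The admin list is the thing to read in full, not just the flagged rows: an attacker who bothers to set a display name will not trip the empty-name heuristic, so compare every administrator's login, e-mail and registration date against the people who should have that role, and change all passwords afterwards since the logs in this thread show the attackers logging in with valid credentials.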