The MU forums have moved to WordPress.org

Site Hacked and redirected to Phishing Site (12 posts)

  1. hyperdry
    Member
    Posted 14 years ago #

    hi folks,

    i need some help to resolve an issue with my site. i'm not sure how it happened but the site now automatically redirects to a Phishing Site. i have have replaced the scripts to the latest stable version available and still it redirects.

    i think it started when i clicked the Automatic Upgrade button, it did not upgrade but i noticed a file was inserted which was identified by google as a phishing site. after i removed it, the redirect happens.

    is the redirect code in the scripts or on the database? need help pls.

  2. hyperdry
    Member
    Posted 14 years ago #

    can anyone help me pls?

    i was given only 72 hours to resolve the issue or my account will be banned.

  3. kgraeme
    Member
    Posted 14 years ago #

    Could be in a plugin. In a theme. In a .htaccess file (check for new ones as well as the existing one.) Could be in the database considering the last hack reported added some base64 content to people's site databases.

  4. SteveAtty
    Member
    Posted 14 years ago #

    Or is in your browser?

  5. DeannaS
    Member
    Posted 14 years ago #

    And, here's a really dumb question - did you check to make sure your domain didn't expire and get snapped up by someone else? (Seems silly - but I've seen it happen before.)

  6. kgraeme
    Member
    Posted 14 years ago #

    Some information on various hacks and cleaning wordpress.

    http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/

    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

    http://lorelle.wordpress.com/2008/06/11/wordpress-blogs-and-more-hacked-by-google-redirects/

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    That last one offers search terms for looking in the DB. The problem is that the newest round of hacks use base64 encoded stuff, so searching using the queries in the article won't work.

  7. hyperdry
    Member
    Posted 14 years ago #

    thanks for the suggestions, i will check them now.

    - domain is fine, i-replaced the index.php with an index.html and the index.html displayed properly. i was not redirect, which also means it is not a browser issue.

    i'll give u feedback in a short while regarding your other suggestions.

    thank you very much!

  8. hyperdry
    Member
    Posted 14 years ago #

    FYI. this issue has already been resolved.

    i found out that there were several files inserted in my mu-plugins folder which automatically loads whenever people access my site. the script automatically redirects the visitors to a phishing site.

    what i did was just to delete those files and the site now seems to be running just fine.

    thank you very much for all your help. cheers!!!

  9. andrea_r
    Moderator
    Posted 14 years ago #

    "there were several files inserted in my mu-plugins folder "

    You also need to figure out how that was done so it won't happen again. Check ownership and permissions on the folder.

  10. tim.moore
    Member
    Posted 14 years ago #

    You should also still clean out your database and check all of your files. If someone did it once, they could have left a backdoor somewhere other than the mu-plugins folder...

  11. SteveAtty
    Member
    Posted 14 years ago #

    certainly you should change your DB passwords.

  12. kgraeme
    Member
    Posted 14 years ago #

    Look at what plugins you use too. Contact Form 7 for instance may have vulnerabilities.

About this Topic

  • Started 14 years ago by hyperdry
  • Latest reply from kgraeme