• I am currently trying to resolve a problem for a client whose site has been hacked. Initially the hack redirected all links. I removed the obvious issues and it went away after republishing all pages.
    A few days later the issue returned and this time additional code was found, removed and all pages republished. The issue went away…for a few days…
    The next time the hack re-appeared it did not create link redirection by changing links, but some JavaScript had been inserted that caused popunders to typical betting and other dubious sites — between 1 and 3 popunders with any link on the site clicked.
    After removing a suspicious file and re-publishing…again this went away!….For a few days…
    The JavaScript now returned and so too the popunders, but now it is better ‘established’ and does not disappear with republishing pages – it can be seen in the Source Code but it is not easy to find where or what is inserting it. The hosting company has scanned the site and cannot locate an issue.
    We currently have Sucuri and Wordfence plugins onboard and Sucuri states ‘site clean’ — which it obviously is not!
    This has been frustrating and time consuming and the site, though small at present being only launched a month ago and not currently used for more than the business's pages, naturally has all the hundreds of files/folders and so on that WP combined with Divi theme seems to ‘require’!
    Which brings me to my question, besides asking any general advice from anyone who has dealt with this particular type of issue before…
    Whilst browsing (using developer tool) some aspects of the page code just now, I noticed reference to Dashicons… and also saw that the reference to the Dashicon elements included the beginning of a long string of Base 64 code… I know from previous experience that this can sometimes hide ‘infected material’ and wanted to know if Dashicons files actually do contain base 64 code normally…or if anyone else is aware of Dashicons being used in hacking events to obfuscate injected code?
    Thanks for any constructive thoughts or ideas! 🙂

    • This topic was modified 8 years, 1 month ago by eiwebdesign.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator t-p

    (@t-p)

    You need to start working your way through the resources on this page.

    Other things you should do:

    • Change passwords for all users, especially Administrators and Editors.
    • If you upload files to your site via FTP, change your FTP password.
    • Re-install the latest version of WordPress.
    • Make sure all of your plugins and themes are up-to-date.
    • Update your security keys.

    Additional Resources:
    http://ottopress.com/2009/hacked-wordpress-backdoors/
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Offhand, a couple of names that come to mind are Sucuri and Wordfence.

    There are two methods attackers use to inject code into webpages: the first is via faulty code within the web application itself, i.e. in the core code or in a plugin; the other is a server-level intrusion or incorrect server settings.

    If you have checked your website over using the above suggestions, then please come back and let us know. It is important for you to fix this, but also for us developers to address these issues if they can be addressed at a plugin level.


The topic ‘Dealing with recurring Hack’ is closed to new replies.
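
On the Dashicons question in the opening post, as an added example that is not part of the original thread: the stock WordPress `dashicons.css` embeds its icon font as a base64 `data:` URI, so base64 next to Dashicons is expected in itself, and what matters is what the payload decodes to. The sketch below decodes every base64 `data:` URI in a stylesheet or saved page source and checks the leading bytes against the declared type; the function name, hint list and sample CSS are constructed for illustration.

```python
import base64
import re

# Leading bytes of formats that legitimately appear as base64 data: URIs in CSS.
MAGIC = {
    b"wOFF": "woff font", b"wOF2": "woff2 font", b"OTTO": "opentype font",
    b"\x00\x01\x00\x00": "truetype font", b"\x89PNG": "png image",
    b"GIF8": "gif image", b"\xff\xd8\xff": "jpeg image",
}
# Strings that should never appear inside a font or image payload.
SCRIPT_HINTS = (b"<script", b"eval(", b"document.write", b"<?php", b"window.open")
DATA_URI = re.compile(r"data:([\w.+/-]*)[^,\"')]*;base64,([A-Za-z0-9+/=]+)")


def classify_data_uris(text):
    """Return (declared_mime, verdict) for every base64 data: URI in text."""
    results = []
    for mime, payload in DATA_URI.findall(text):
        try:
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        except ValueError:
            results.append((mime, "undecodable: review"))
            continue
        kind = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), None)
        if any(hint in raw.lower() for hint in SCRIPT_HINTS):
            verdict = "script-like content: review"
        elif kind is None:
            verdict = "unknown binary or text: review"
        elif kind.split()[-1] not in mime and "octet-stream" not in mime:
            verdict = f"{kind} declared as {mime or 'nothing'}: review"
        else:
            verdict = kind
        results.append((mime, verdict))
    return results


# Constructed samples (not taken from the site in the thread).
_font = base64.b64encode(b"wOFF" + bytes(40)).decode()
_js = base64.b64encode(b"document.write('constructed sample')").decode()
SAMPLE_CSS = (
    '@font-face{font-family:dashicons;src:url("data:application/x-font-woff;'
    f'charset=utf-8;base64,{_font}") format("woff")}}\n'
    f'.x{{background:url(data:application/x-font-woff;base64,{_js})}}\n'
)

if __name__ == "__main__":
    for mime, verdict in classify_data_uris(SAMPLE_CSS):
        print(f"{mime}: {verdict}")
```

A verdict ending in "review" is a prompt to compare the file against a clean copy of the same WordPress release, not proof of infection.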