Malware Links Injected database with latest WordPress version
In the morning today when I got up, I saw that my website is redirecting to some unknown URLs randomly, whether I request a frontend URL or even a backend one. Reviewing the HTTP response source code, I could see an unknown domain xxxxxxxxxxx.com with a JS file as xxxxxxxxxxx.com/script.js?somecrap# coming up in the window._wpemojiSettings = {} code in plain text. No base64, no nothing, just plain text.
(Not exposing the actual redirecting domain to prevent backtracking. I may provide it in private though.)
As I couldn't even access /wp-admin/, I had to rename the plugins folder and put in a new empty plugins folder with an index.php.
This didn't stop the redirection. Likewise, changing the theme or even replacing all of WordPress core didn't help either. So lastly the database was the only thing remaining to check. There I found that the same link xxxxxxxxxxxx.com/script.js?somecrap# was set as the siteurl in wp_options. That was probably redirecting the whole site. But in addition, wp_options was filled up with the same link in various other entries multiple times (16164 occurrences to be exact) in around 14 entries.
In addition to the main site settings with siteurl, the following three kinds of entries were found to have those occurrences more than once.
option_name "redux_builder_amp" – probably the Google AMP plugin
option_name "woocommerce_store_address" – I never used it, option left in the db for years
Most of the occurrences were in the entries with option_name "_transient_yst_sm_attachment_2:4YZwc_4ZMrM". Their option_value started with "C:24:\"WPSEO_Sitemap_Cache_Data\":". Looking at those occurrences, I figured that the attempt only changed my site's domain name to their link "redirectingdomain.com/script.js?somecrap#". So I just replaced them all in one hit.
The redirection stopped but I am not sure what vulnerability could cause this injection.
– I am running the "woohoo" theme for over a year, which I just thought yesterday to change.
– Following is the list of plugins which were active. The two with "0-tpro-" are my own and they are not publicly available.
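The cleanup the post describes, as an added example (not code from the post or from WordPress): it tallies the injected URL per option_name in a set of constructed wp_options rows shaped like the three kinds the post found, then swaps the URL back while recomputing the PHP serialized length prefixes (s:N:"..." and the C:24:"WPSEO_Sitemap_Cache_Data":N:{...} cache object), which a plain search-and-replace in the database would leave wrong. The domains, the helper names and the row contents are constructed placeholders, not the real indicator.

```python
import re
from collections import Counter

# Placeholder domains, constructed for this example; not the real indicator from the post.
INJECTED = b"redirectingdomain.example/script.js?somecrap#"
ORIGINAL = b"mysite.example"

def php_str(v: bytes) -> bytes:
    """Serialize one PHP string: s:<byte length>:"<value>";"""
    return b's:%d:"%s";' % (len(v), v)

# Constructed wp_options rows in the three shapes the post describes: a plain URL, a
# serialized array, and a WPSEO cache object whose payload is itself serialized data.
_payload = b'a:1:{s:3:"xml";' + php_str(
    b"<loc>https://" + INJECTED + b"/a</loc><loc>https://" + INJECTED + b"/b</loc>") + b"}"
ROWS = [
    ("siteurl", b"https://" + INJECTED),
    ("home", b"https://" + ORIGINAL),
    ("woocommerce_store_address", b"https://" + INJECTED),
    ("redux_builder_amp", b'a:1:{s:4:"logo";' + php_str(b"https://" + INJECTED + b"/logo.png") + b"}"),
    ("_transient_yst_sm_attachment_2:4YZwc_4ZMrM",
     b'C:24:"WPSEO_Sitemap_Cache_Data":%d:{%s}' % (len(_payload), _payload)),
]

def count_hits(rows, needle=INJECTED):
    """Occurrences of the injected URL per option_name (the tally the post did by hand)."""
    return Counter({name: val.count(needle) for name, val in rows if needle in val})

# Headers whose byte count must be recomputed after editing: s:N:"..." and C:..:"Class":N:{...}
HDR = re.compile(rb'(?:s:(?P<n>\d+):"|C:\d+:"(?P<cls>[^"]+)":(?P<plen>\d+):\{)')

def repair(value: bytes, bad=INJECTED, good=ORIGINAL) -> bytes:
    """Replace bad with good and fix every affected length prefix so PHP can still
    unserialize the row. Assumes the stored lengths are consistent on entry."""
    out, pos = [], 0
    while True:
        m = HDR.search(value, pos)
        if not m:  # no more length-prefixed segments: plain text, safe to replace directly
            out.append(value[pos:].replace(bad, good))
            return b"".join(out)
        out.append(value[pos:m.start()].replace(bad, good))
        n = int(m.group("n") or m.group("plen"))
        body = value[m.end():m.end() + n]  # trust the old length to find the segment end
        if m.group("cls"):  # nested serialized payload: repair it recursively
            body = repair(body, bad, good)
            out.append(b'C:%d:"%s":%d:{%s' % (len(m.group("cls")), m.group("cls"), len(body), body))
        else:
            body = body.replace(bad, good)
            out.append(b's:%d:"%s' % (len(body), body))
        pos = m.end() + n  # the closing quote/brace is emitted by the next slice

def clean_rows(rows):
    return [(name, repair(val)) for name, val in rows]
```

On a live site the same job is what `wp search-replace` does, but the point of running a counter first is to see which options carry the link, since a cache transient like the one above regenerates from siteurl and will reappear if siteurl itself is not fixed.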