• When the hacks all happened the other week, one of my sites got hit. This particular hack adds a redirect script to every single page, post and image in the media library, so any link you click on opens up new tabs taking you to spammy sites. Here’s the code:

    [ Redacted, don’t post that code here ]

    There’s clearly still some backdoor of some description, as if I go through and delete all these scripts, they re-appear, roughly 12 hours later.

    I’ve got WP, the theme and plugins all up to date; I’ve run Wordfence scans, Sucuri scans, set up security on the site (using Wordfence and iThemes Security) and it just keeps coming back. I’ve been through all the steps and procedures that WordPress suggest and I’ve even rolled the site back to a Duplicator backup from late January (before any signs of the hack showed up) and changed all user logins and even the FTP password; and still, no joy.

    Before I go and have to pay for professionals to dig into this, I was wondering if anyone had any suggestions please? I would be eternally grateful…

    • This topic was modified 9 years, 3 months ago by Jan Dembowski. Reason: Removed malware code
Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter smemma

    (@modula)

    One thing I’ve just found is an odd looking script in my site’s head, which I’ve removed. This has only just been done so can’t say if it’s worked or not, but it doesn’t seem to have affected the site since deleting it…

    It is as follows:

    <div id="fb-root"></div>
    <script>(function(d, s, id) {
      var js, fjs = d.getElementsByTagName(s)[0];
      if (d.getElementById(id)) return;
      js = d.createElement(s); js.id = id;
      js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.8";
      fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));</script>
    

    Looked a bit odd, as I say, plus when I google that script the search results are… well, very weird – including a VERY bizarre video on YouTube. On the other hand it appears it could be some kind of comments script for Facebook integration?! Still, nothing’s broken since removing it so no harm done!

    I’ve only just removed this so can’t say whether or not it’s the source of all my woes (it’ll be a while before the redirect scripts are due to show up again), but still wanted to run this past the community to see if anyone much smarter than me can shed any light on things. I’ve spent SO much time trying to fix this…

    And to reiterate, I’ve gone through the FAQ My Site Was Hacked procedures and have really tightened security on the site.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Please do not post malware code in these forums. The code really does not matter; what matters is that the attacker was able to post that in the first place.

    If you’ve already gone through this resource then there’s not much to add to that here.

    https://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

    As you’ve found out, cleaning out files isn’t enough. Have you also hardened your installation?

    https://codex.ww.wp.xz.cn/Hardening_WordPress

    Thread Starter smemma

    (@modula)

    Apologies. Yes I have gone through all the Hardening WordPress processes too.

    Never mind, I’ll have to get a pro to fix it then.

    Thanks anyway


The topic ‘Site hacked with redirect scripts’ is closed to new replies.