February 5, 2015 at 3:57 pm #1063
My site has been hacked and I think it is the Pharma hack. From what I have read about this hack it infects the theme and/or plugins (in my case its the functions.php file) and also creates a backdoor to the database. There may also be a backdoor to allow remote access?
Your plugin identified the infection in functions.php but fixing just that file won’t eliminate the entire issue. Can you provide any assistance in removing the unwanted database entries?
Also, if I use the “fix this problem” button does that delete the entire file or repair it?
Thanks for any help.February 5, 2015 at 4:06 pm #1064
The Automatic Fix button will remove the malicious code from the file, not delete the file.
If there is content defacement in the DB then you should be able to remove that pretty easily with the Page/Post editor. If it not that simple please describe the extent of the content corruption.February 5, 2015 at 5:17 pm #1065
The pages/post look fine in the editor. If you google my site using the “site:fuller-grp.com” you will see pages of foreign language drug related sales for viagra, etc.. This hack seems to be generating some kind of links to my site.
From what I have read there are usually entries in the DB as well as the functions.php that allow this to happen. Have you dealt with something like this before?
I also checked a backup of the site I have on my compter and it contains a folder of files that have unreadable code like “MzB8fHxrYW1hZ3JhIGJlb29yZGVsaW5nfHx8PCFE…”. I assume that is being generated by the malicious code.February 6, 2015 at 7:32 am #1066
Actually I have seen this exact this thing many times. Your database is clean and the search results you are seeing are just cached pages from January when your site was infected. My plugin fixed this infection when it cleaned the functions.php file so you just need to go to your Google Webmaster Tool and Request a Review of your site to get rid of all those cached pages that are no longer infected.
As for this folder of files that have unreadable code, can you tell me more about that? What folder is it? What are some of the file name? Can you send me a couple of those files so I can examine the contents?February 6, 2015 at 8:09 am #1067
My domain host did a scan of my site last night and sent me this email. I ended up purchasing Sitelock so they would not shut down my site. This is just a partial list of the files they say were infected:
“A scan of your account has found the following malicious or infected files present
wp-content/plugins/revslider/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND wp-content/plugins/revslider/temp/index_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND wp-content/plugins/contact-form-7/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND wp-content/plugins/cats-jobsite/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND wp-content/plugins/bwp-google-xml-sitemaps/load.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL FOUND wp-content/plugins/w3-total-cache/lib/Microsoft/Http/Response/Stream_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND wp-content/plugins/w3-total-cache/lib/W3/Cdn/Base_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND wp-content/plugins/w3-total-cache/inc/options/support/select_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND wp-content/plugins/w3-total-cache/ini/s3-sample-policy_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND wp-content/plugins/wordpress-seo/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND wp-content/plugins/underconstruction/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL FOUND wp-content/plugins/quick-pagepost-redirect-plugin/locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND
/home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F25NS.F25NS.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLTEuN25ldy9mdW5jdGlvbnMucGhw1.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND /home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F15Ji.F15Ji.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLW9sZDIwMTQvZnVuY3Rpb25zLnBocA3.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND wp-admin/media-upload_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND wp-admin/admin-media.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND wp-admin/js/gallery_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND wp-admin/includes/template_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND wp-admin/includes/class-wp-locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND wp-admin/css/color-picker-rtl_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND wp-admin/user/user-edit_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
Due to the potential for abuse in this malware, and to protect your site content from further damage, we will have to suspend website services for your account, if this is not addressed within 24 hours. Please remove/replace the malicious files as appropriate, through FTP or the file manager. I would recommend deleting and republishing your entire site from a clean copy; this should then erase any other code which may have been injected into your pages to allow ‘back-door’ access by unauthorized people. Most importantly, you need to make sure any applications in your account are completely up-to-date as far as versions, security patches, etc. are concerned. This applies not just to the core application, but also plugins, themes, modules, etc. ** If this is not done, your account will remain vulnerable to future attacks of this kind. ** In addition, you should immediately change your password through the control panel for the account. You should choose a ‘strong’ password, which includes upper- and lower-case letters, numbers and special characters such as hyphens, and is at least eight characters long. This will help reduce the chance of this happening again. Other possible causes include - a computer infected by viruses, which is controlled by hackers. In this situation, your uploads may also get infected. - poor scripts and/or applications, which allow hackers to insert various malformed queries to remotely execute code - Virus effected theme selection for applications - Installing applications, add-ons or modules which are downloaded form third-party locations and may be infected. Please let us know when you have addressed the malicious files.”
I can see where your plugin quarantined the two files listed as PHP Injector. I was wondering whether the rest of the files were false positives or if they were really infected? I assume Sitelock has cleaned these files now.
If you can show me how to attach a file I can send the one you requested. Hopefully the issue has been resolved.February 6, 2015 at 9:00 am #1068
You can delete the two files in the Anti-Malware Quarantine ut the other temp files in the RevSlider directory may still be a problem.
If you want to email me your FTP login I can check those out and make sure it’s all clean.
You must be logged in to reply to this topic.