Removing a Phishing Link placed by hacker

  • I *think* I researched this enough before giving up and posting, so here goes.

    I have my WordPress site hosted through GoDaddy, and I hadn’t logged in for a LONG time. When I recently tried to gain access to my www.remarpro.com account, someone had hacked it and changed the email/password. They inserted a hyperlink into my page (which is now broken)to some “payday loan” scam site. I used to have my site in ‘under construction’ mode so that all you saw when you visited my domains was a white page with text explaining that the site wasn’t complete. The hacker inserted the link onto that page specifically, and it still shows.

    I have since removed the WordPress database associated with the compromised account through my GoDaddy administrative account – and made an entirely new www.remarpro.com account – but the code that was injected into my website has been saved/backed up. I am using the ProPhoto 3 plugin, but I don’t think that has anything to do with it….

    This brings me to the question, how in the hell do I find where to remove this HTML tag/link that was maliciously inserted? It shows up in the top lefthand corner of my site now, and I literally can’t understand how to access the HTML that puts it there.

    Here is my site: https://kwestphotography.net

    Can anyone help me out with this one?

Viewing 6 replies - 1 through 6 (of 6 total)

  • If this is the only site you have there at your host and removing (deleting) its database and making a new WordPress installation has not solved the problem, I would ask my host to “nuke” (completely reset) my hosting account and do a new installation. I once had some odd things going on when I first got started and even my host thought that was a good idea.

    Thread Starter kwestphoto

    (@kwestphoto)

    If that’s the case, then I’m questioning the access point the hacker used. I mean, I was able to login to my hosting account, just not the www.remarpro.com account… I’m puzzled as to how something would have been done from the hosting end of things if that account at least didn’t seem to be compromised. If anyone has any thoughts on that as well, I’d be curious to know them.

    Thread Starter kwestphoto

    (@kwestphoto)

    Okay, here’s a clarification of my question, and an update.

    I’ve contacted GoDaddy support, but they weren’t able to be super helpful. The support tech essentially told me that the code would have to be somewhere in the webroot file, but I cannot find the actual code for the static homepage I have setup. I can, however, find things like my uploaded image files. Unfortunately the tech said she could not assist with coding questions like this.

    I’m using WordPress as an application on my host GoDaddy, and I use the ProPhoto 3 plugin to build my pages – I don’t do the coding myself. Does anyone know where this application stores its HTML files?

    I’m puzzled as to how something would have been done from the hosting end of things if that account at least didn’t seem to be compromised.

    Some hackers spray graffiti from the outside and others plant smoke bombs in the basement.

    I cannot find the actual code for the static homepage I have setup.

    That is likely in your database and can only be pulled from there and sent out by WordPress.

    I use the ProPhoto 3 plugin to build my pages… Does anyone know where this application stores its HTML files?

    The coding for the pages will be in the database, but your photos will likely be somewhere inside the wp-content folder in this general area:
    home(root)/~~~/public_html/wordpress/wp-content/uploads

    Go to your hosting account and use whatever file manager might be available there for having a look. But as to your pages, that will likely require repairing WordPress in order to get them out of the database.

    Thread Starter kwestphoto

    (@kwestphoto)

    Maybe after talking to GoDaddy I will eventually find a way into the databases, but for now I have at least set up a 2-step login involving a text-message validation code to that account. Here’s the thing though:

    I wiped WordPress AND all databases from my hosting account entirely last night, even from GoDaddy’s tech support end, and reinstalled it all.

    The malicious link remains, so I am starting to suspect ProPhoto 3.

    Here’s the other thing: after reinstalling everything, I am of course still able to find old image files that were uploaded years ago to my hosting account. Is it possible that, even though WordPress stores the HTML files in the database, perhaps the malicious code is lurking as a file that isn’t an HTML document in my file-manager? I am wondering if I should just clean out my file manager but am scared of deleting something important.

    Other things that are perhaps noteworthy: when examining files in my file manager, there is a webroot folder but no public_html folder. There is, however, a wp-content folder and such where it has those photos and so on stored. Just no HTML files in sight.

    Thread Starter kwestphoto

    (@kwestphoto)

    Just noticed something after peering into the file manager again: the original install of ProPhoto3 and the original zip folder was still there.

    Scrapped it and reinstalled from original zip…. will report back to let you know if that fixed it.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Removing a Phishing Link placed by hacker’ is closed to new replies.