Admin – Search Plugin page – hacked/exploited

  • I have a problem. I think i was SQL injected somehow and i can not figure out where the redirect is.

    How it happens. If you are in the admin module and go to /wp-admin/plugin-install.php and click on any link it takes me to this page wp-admin/plugin-install.php?tab=search&type=tag&s=admin which if i click on anything redirects me off my site to https://generation-internet.ru/pcollection/index.php?tab=dashboard which is a virus!

    Has anyone had this happen before. i’ve deleted/restored everything and narrowed it down to the database but i cant find how they encrypted the string. Any ideas?

Viewing 15 replies - 1 through 15 (of 28 total)

  • I have the same problem. Additional also our frontend-users are sporadically redirected to the russian URL named above which is fatal.

    Our server was attacked this afternoon by several foreign computers (checked logfile). All of them tried to upload files named sm3.php in the theme-directory of our active theme. Possibly malware was injected through thumb.php used by our theme for image-resizing.

    I tried the whole afternoon/evening to find a solution to completely clean our site but I still had no luck. There might be several preg_replace code spread out in several files on our server where it should not be. Another strange encrypted file found here was wp.php.

    Any ideas?

    James

    (@james13wheelergmailcom)

    I have the same problem, but no idea how to resolve.
    @getinked5 I’m wondering why deleting the site and restoring didn’t resolve the issue?

    Thread Starter getinked5

    (@getinked5)

    Im guessing its in the datadase which is the only I haven’t had time to clean out yet.

    Thread Starter getinked5

    (@getinked5)

    Ill have to try reloading our theme again too

    vickie

    (@vickieflores)

    I’ve had the same thing this evening.

    My super helpful host (TSO) found things that shouldn’t have been in .htaccess and removed them. This seems to have solved the problem (hopefully) so might be worth you checking there for anything unusual.

    Thread Starter getinked5

    (@getinked5)

    Yeah my htaccess was clean

    If one of you wants some help getting this cleaned up, I’d be happy to have a look, and then give some instructions for everybody else having the issue. You can get in touch with me through the contact form at my site.

    Just managed to clean up my partners site (well I think I have) following some of the pointers in this thread:

    1) .htaccess had been appended to with “Error 404” directives. Removed those only.
    2) Removed sm3.php and wp.php completely.
    3) Updated thumb.php to the latest version from https://timthumb.googlecode.com/svn/trunk/timthumb.php which has hopefully closed any holes.

    This seems to have solved the issue and I’m not seeing any redirects to the .ru site anymore.

    Note: I have not scanned the DB yet.

    vickie

    (@vickieflores)

    Thanks for the summary @psynix – I’ve now also updated timthumb.php.

    It would be really helpful if you could post how you scan the database?

    Many thanks

    Thread Starter getinked5

    (@getinked5)

    i’m on vacation right now or i’d be spending more time on this. i updated my thumb page also but my seems to be only SQL injected. only when i go to my search plugin page am i seeing any errors. i’ll be digging into the database more tomorrow.

    Thread Starter getinked5

    (@getinked5)

    great site @peter builder. i’ll hit you up later for some different reasons related to security.

    The problem I’m ran into is that the .htaccess files were modified. NOTE: they do not LOOK modified at first, but you should notice scroll bars which normally are not be there. That indicates that there is a lot more text in your file than you are currently seeing.

    In case your hosting provider doesn’t help. Try this solution:

    First CHMOD your .htaccess file from 444 to 644. (It appears that the files were turned 444 after the edit that caused the problem.)

    Access (edit) your .htaccess file. MAKE A COPY! Then, clear it out. Add in something like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    AddType x-mapp-php5 .php

    # protect wpconfig.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # disable directory browsing
    Options All -Indexes

    #Protect .htaccess itself
    <Files ~ “^.*\.([Hh][Tt][Aa])”>
    order allow,deny
    deny from all
    satisfy all
    </Files>

    # END WordPress

    You can try checking this site https://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676 or others if you want to see additional tips on how to secure your .htaccess file.

    Once you have saved your .htaccess file, save it.

    This should now have fixed the problem above.

    -Kimberly
    https://www.silverwebdesigns.net

    Hey Kimberly,

    I fixed the permissions and editted the .htaccess file like your mentioned, thinking that would fix it. It seemed fine for an hour or two and then I saw the malicious code in there again (and the permission was again changed to 444).

    So I fixed it again, but this time I also updated the thumb.php in my theme files. I am hoping this fixes it for the long run.

    Did your .htaccess file get modified after you fixed it?

    thanks!
    april

    Tried visiting your website lately Kimberly? Redirects to the .ru site at the moment.

    Psynix,

    I can’t seem to locate these two files you mentioned:

    “2) Removed sm3.php and wp.php completely.”

    Where would these be?

    thanks!
    april

Viewing 15 replies - 1 through 15 (of 28 total)
  • The topic ‘Admin – Search Plugin page – hacked/exploited’ is closed to new replies.