• I tried to download the Maintenance Mode plugin for my site and it redirected me to scareware. I immediately closed my browser, but it wasn’t enough. My site has now been hijacked by brend-store.ru. I’ve found two other cases of this hijacker, but not enough to get the support I need. I currently have an “under construction” page up to stop my site from redirecting to the malicious site, but the rest of my site is still messed up. Any help would be greatly appreciated!

Viewing 9 replies - 16 through 24 (of 24 total)
  • Thread Starter crose13

    (@crose13)

    I run security and before kmessinger said anything, I’d already read all of those articles. I’d just done a redesign and always clean out my whole server between redesigns. I am familiar with Sucuri Site Check and run it as often as I run Malwarebytes on my physical machine. It was checked and fine BEFORE the plugin install, but not after. If my server was compromised, wouldn’t it affect ALL of my domains and subdomains, because it only affected the one I’d just installed the plugin on?

    I do understand Esmi’s position, I just didn’t appreciate being treated like I’m intentionally badmouthing a plugin I’ve used before and appreciated. I also did not retract my statement and don’t appreciate words being put in my mouth. I would have loved to have had an opportunity to say how much I do love the plugin but the WordPress plugin page DID redirect me to a scareware site. My OWN site did not send me to scareware or spam. THAT plugin page did. I did my best to alert the proper authorities to fix it. I know that the plugin would never intentionally hijack my site, but I do feel it or its source was compromised.

    My site was perfectly fine before the plugin, and only the one part was compromised after. The files I found that restored my site long enough to get my hosting provider to fix the rest were new files created that day and that time in my WordPress plugin files in a folder for the Maintenance Mode plugin in a folder that had not finished downloading and my WordPress said there was an error with the plugin. Something doesn’t add up. Within the past month more than just me have reported the plugin messing up their sites and blogs. More than just me have reported the plugin and even Esmi said it was “unlikely” not impossible. In the past month a fantastic plugin has been likely responsible for messing up several sites…it may be worth paying some attention to instead of arguing with already upset users.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    If my server was compromised, wouldn’t it affect ALL of my domains and subdomains, because it only affected the one I’d just installed the plugin on?

    If they’re all run under the same account on the same server, the odds are likely that would be yes, but… If you ever manage to fully understand the machinations of hackers and spammers, you are well up on the rest of us.

    Now to clarify … We actually don’t know if the www.remarpro.com site sent you to the scareware site. YOU assume www.remarpro.com was compromised. I assume your server was compromised. Neither of us knows just yet. Both of us have totally valid reasons for the assumptions.

    We know this: You attempted to use the in-app Plugin Installer to install a plugin and, via methods as of yet unknown, you were not directed to the www.remarpro.com page but instead to a scareware site.

    Is that a correct assessment of what happened? (Yes, I know it’s simplifying it, but right now, we need to do that a bit.)

    My gut tells me that in order for YOU and you alone to be redirected like that (and since no one else has jumped up and said ‘me too! THAT plugin!’, I’m sorry to say I strongly feel it’s JUST you), then something was ALREADY wrong on your server. What was wrong? My candidates in order of likelihood:

    1) You had another plugin/theme on that WordPress install that was corrupted.
    2) Your install was insecure and a legit (but evil) plugin/theme is using that to leverage the hack.
    3) Your login ID (SSH/FTP) was compromised
    4) Your server has a security hole

    What we would need to do, were this MY server, is grab the access logs and error logs and look at what the hell was passed through to my server at that time. A GOOD host will help you. I repeat this because the one time I was hacked – through my own stupidity – my host helped me trace it back to a time-frame on a Friday where I was, indeed, being an idiot (FTP instead of SFTP on a Windows box with no virus protection, using IE … I know).

    Thread Starter crose13

    (@crose13)

    Thank you so much for the help. It just seems so weird that I opened the plugin and when I clicked to download, it opened the scareware site in the same window…and it was only the ONE site, not any of its subdomains or my other domains. I had not installed any other new plugins whatsoever in the past few months or so, and the theme I installed I built myself. That would leave either a hole in my server security, which seems unlikely since only one site was affected. There are just a lot of big doubts about EVERY possibility, including my own thought. What can I do to figure out what happened and ensure it doesn’t happen again? Changing my login, etc. helps if that was the issue, but if it was compromised once it can be again. I’d like to know for sure what happened so I can be better educated if it happens again.

    Crose13: Check your uploads folder for strange files/folders. I think I might have found some backdoor/virus files in one of my website’s uploads folders. I guess I’ll find out if this was the culprit in a few days…

    Hi,
    Thanks for the tip about the WordPress .htaccess. I found the thread here thanks to a search on the web… and the domain name where my admin pages were redirected. I found all the links redirecting to the same website, plus lines to make it seen by the search engines…

    As for the scripts that you may find that allowed the sites to be hacked, I had found some before: PHP files installed in the uploads directory. Since then I have added lines to a .htaccess placed in the uploads directory to prevent listing the files and executing CGI in that directory.

    Here, the plugin which I found to be the source of the leak was wp-phpmyadmin. It had not been updated for a while, and usually I kept it deactivated except when I needed to use it, but this time I had forgotten to deactivate it after use.

    Once in a while now, I activate debug in the wp-config.php file and look at what error messages it provides; then, once the faulty plugins are removed or replaced, I deactivate the debug feature again.

    Regards,
    Mélodie
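The uploads checks described in the two posts above (looking for stray PHP files under uploads, and dropping a .htaccess there that blocks listing and script execution), as an added shell example that is not code from the thread or from WordPress. It assumes a POSIX sh with find, that Apache honours .htaccess in that path (AllowOverride), and a constructed uploads tree built in a temp dir.

```shell
#!/bin/sh
# Added example, not from the thread: (1) list files under wp-content/uploads
# whose extension suggests server-side code and (2) write a .htaccess there
# that disables directory listing and script execution. Assumes Apache reads
# .htaccess in that directory (AllowOverride) and a POSIX sh with find.

# Print every file under $1 whose extension suggests executable code.
# Note: find -name matches dotfiles too, so hidden .x.php files are caught.
list_scripts_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \
        -o -name '*.php[0-9]' -o -name '*.cgi' -o -name '*.pl' \) | sort
}

# Write a hardening .htaccess into $1 (the uploads dir). The IfModule pair
# covers Apache 2.4 (Require all denied) and 2.2 (Order/Deny) syntax.
harden_uploads() {
    cat > "$1/.htaccess" <<'EOF'
# Uploads must hold media only: no index listing, no script execution.
Options -Indexes
<FilesMatch "\.(php|phtml|phar|php[0-9]|cgi|pl)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Stand-alone demo on a constructed uploads tree (sample names are made up)
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/2024/05"
: > "$demo_dir/2024/05/photo.jpg"        # legitimate media file
: > "$demo_dir/2024/05/wp-cache.php"     # constructed suspicious file
: > "$demo_dir/.thumbs.phtml"            # constructed hidden dotfile
list_scripts_in_uploads "$demo_dir"      # prints the two script files
harden_uploads "$demo_dir"
rm -rf "$demo_dir"
```

Files the listing reports should be reviewed against a known-good backup before deletion; the .htaccess only stops Apache from running them, it does not remove them.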

    dvwp

    (@dvwordpress)

    Our site was hacked in a way that redirected pages to powerprogramm.ru/make/index.php.

    After checking with Sucuri, a careful review of our .htaccess file showed that it had been compromised and the redirect code had been added.

    When checking your file, be sure to look further down in the document. In our case (as another mentioned above) the script was ‘hidden’ 50 lines down in the page and to the right. It might be missed at a quick glance.

    Hope this helps others.
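A scan for the kind of .htaccess tampering described above (rewrite rules pushed 50 lines down and far to the right, or pointing at a foreign host), as an added shell example that is not code from the thread. It assumes a POSIX sh with awk; the sample .htaccess it builds is constructed, and the redirect target in it is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a WordPress .htaccess for
# rewrite/redirect directives hidden far to the right by leading whitespace
# or sending visitors to a host other than the site's own. Needs sh + awk.

# Print "lineno:text" for every Redirect/Rewrite/ErrorDocument line that
# either starts with 20+ blanks or contains an absolute URL to a foreign host.
# $1 = path to .htaccess, $2 = the site's own hostname (used as an awk regex)
find_hidden_redirects() {
    awk -v own="$2" '
        /^[ \t]*#/ { next }                        # comments are not active
        /Redirect|RewriteRule|RewriteCond|ErrorDocument/ {
            lead = match($0, /[^ \t]/) - 1         # leading blanks before text
            ext  = ($0 ~ /https?:\/\//) && ($0 !~ ("https?://" own))
            if (lead >= 20 || ext) printf "%d:%s\n", NR, $0
        }' "$1"
}

# Write a constructed sample: the stock WordPress block, one legitimate
# same-host redirect, 50 blank lines, then two injected lines indented so
# far right that a glance at the top of the file misses them.
make_sample() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteRule ^old-page$ https://example.com/new-page [R=301,L]
</IfModule>
# END WordPress
EOF
    i=0
    while [ "$i" -lt 50 ]; do printf '\n'; i=$((i+1)); done >> "$1"
    pad='                                                                '
    printf '%sRewriteCond %%{HTTP_REFERER} (google|bing|yahoo) [NC]\n' "$pad" >> "$1"
    printf '%sRewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]\n' "$pad" >> "$1"
}

# Stand-alone demo: only the two injected lines (62 and 63) are reported
tmp=$(mktemp)
make_sample "$tmp"
find_hidden_redirects "$tmp" example.com
rm -f "$tmp"
```

Run it against the real file with the site's own hostname as the second argument; a clean WordPress .htaccess produces no output.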

    dvwp

    (@dvwordpress)

    Also, I should add, the now defunct wp-phpmyadmin plugin was installed on this site. It is highly suspected to be a cause in the attack.

    Dear all, I have a problem with my site. My site always redirects to a page that says: How to Get from JFK to Manhattan and Back? – navettejfk.com
    Mode Maintenance

    Sorry for the inconvenience.
    Our website is currently undergoing scheduled maintenance.
    Please try back in 60 jours
    Thank you for your understanding.

    How can I solve it? Please reply with an answer.

    Thanks.

    Please post your own topic.

  • The topic ‘brend-store.ru hijacked my site via a plugin’ is closed to new replies.