Hack

  • Resolved keyvan21

    (@keyvan21)


    5 years, 2 months ago

    hello
    i open my website today, and see all of my pages redirect to deleted
    help me plz…!
    thanks

    • This topic was modified 5 years, 2 months ago by Jan Dembowski.
Viewing 6 replies - 46 through 51 (of 51 total)

  • Please see my previous updates on page 3.

    I checked the plugin for the “aam-media” parameter. There are only 2 files:

    \core\Media.php
    \Shared\Manager.php

    in Media.php is:

    protected function __construct() {
    $media = filter_input(INPUT_GET, ‘aam-media’);
    $request = (is_numeric($media) ? urldecode(AAM_Core_Request::server(‘REQUEST_URI’)) : $media);
    $root = AAM_Core_Request::server(‘DOCUMENT_ROOT’);

    $this->request = str_replace(‘\\’, ‘/’, $root . $request);
    $this->request_uri = preg_replace(‘/\?.*$/’, ”, $request);
    }

    and in Manager.php is:

    //check Media Access if needed
    if (AAM_Core_Request::get(‘aam-media’)) {
    AAM_Core_Media::bootstrap()->authorize();
    }

    could this INPUT_GET or AAM_Core_Request::get be the problem?

    Because the first command in the access.log was

    GET /wp-config.php?aam-media=1

    • This reply was modified 5 years, 2 months ago by marc77.

    The only common plugin I have in all hacked sites and with other hacked users is AAM.

    I am pretty sure it is AAM. See my posts before.

    Quick and dirty todo until its fixed:

    block the IP Range in the httaccess
    +
    deactivate the plugin
    +
    rename the plugin folder
    +
    change all DB and WP Passwords

    • This reply was modified 5 years, 2 months ago by marc77.

    Same issue, i used updraft backups and update last version of AAM (5.9.9.1).
    I don’t know if it’s fixed but i noticed this :
    “5.9.9 : Fixed security vulnerability reported by “Props to Ov3rfly””

    I checked my hacked database :
    INSERT INTO wp_options (option_id, option_name, option_value, autoload) VALUES
    (1, ‘siteurl’, ‘https://js.wiilberedmodels.com/zls.js?foup’, ‘yes’),
    (2, ‘home’, ‘https://js.wiilberedmodels.com/temps?tt=2&’, ‘yes’),

    @marc77 To block IP I insert this into .htaccesss?

    Order Deny,Allow
    Deny from 178.128.193
    Deny from 50.63.162

    Is this correct?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    This post has gotten a bit out of hand so I’m closing this. It’s impossible to help people anymore.

    AAM has been patched. If you’re using that, upgrade.

    We recommend people make their OWN support posts to get help, as most issues are not the same between users.

Viewing 6 replies - 46 through 51 (of 51 total)
  • The topic ‘Hack’ is closed to new replies.

Tags