Hacked and all my sites now have impossible cialis and viagra pages

  • I’m using the latest version of WP (3.3.1) on all my sites and suddenly about a month ago I have all these pages (or posts) for cialis and viagra. The odd thing is that they appear as pages that aren’t possible as actual WP pages (e.g. https://www.DOMAIN.com/wp-includes/index.php?iga=25790&OEQ=1332871201) which are obviously not real URLs.

    I found thi sout because I have Google alerts for all my domains and Google i picking up these pages. Even more interesting, if you click on the links, they show as a blank page in any browser on a windows machine, but if you are using a browser on a linux machine, you can see all the spam copy and links. So… average users wont’ see these pages anywhere, but google sure does and is indexing the pages. This will both hurt me (google thinks my site is affiliated with cialis) and is also likely helping the spammers pages that my site now seems to be linking to.

    I have added no plugins, and oddly, this is ahppening to *all* my WP domains, but not my Drupal or Joomla ones, so that is the interesting consistency. Has anyone else seen this? I’ve looked for odd files, base64 code in existing files, etc, etc and found no smoking gun, i’m I’m stumped. Any advice?

Viewing 7 replies - 16 through 22 (of 22 total)

  • Hi war3rd

    One infection wouldn’t be cause to move just yet. I would talk to the Liquidweb guys to see if they can’t provide better insight (i.e., diagnose the logs and what not to understand the potential attack vector). In my experience more often than not there is as much responsibility on the end-user than the host.

    I wouldn’t wait for Google to reindex on their own, I would resubmit via webmaster tools so that they can proceed. If you request a review they take on average of 10 hours, although sometimes as much as a week. At least this way you know if you’ve removed it all. It’ll suck if you wait a month hoping its clear just to find out its not.

    I would also lock down your uploads directory, within wp-content, to disallow any PHP files to be uploaded to executed. If it happens again I’d attribute it to a missing backdoor on your server.

    Don’t know much about your setup on the server, but if its not in the app directory I’d go up a few directories and check the other server directories as well.

    Thanks

    Hi war3rd

    Lastly, just so you know all the hosts on the list @songdogtech provided have sites that have been hacked.

    I had good experiences with hostmatters.com when I was with them years ago (I’m on a VPS now, but that is probably overkill for most WP users).

    Also, read this:
    https://ottopress.com/2011/how-to-cope-with-a-hacked-site/

    @perezbox said:

    Lastly, just so you know all the hosts on the list @songdogtech provided have sites that have been hacked.

    Means nothing. All shared hosts are vulnerable to some degree. Some are much better than others.

    Hi sondogtech,

    What I actually said was that all the hosts have “sites that have been hacked.”

    If you see the distribution of malware across these hosts you’d understand my statement better, specifically the one for the hosts on that page you provided.

    This statement in itself holds no value if you can’t quantify or objectively explain it: “Some hosts are simply insecure and you will get hacked again.” Are you implying that his is more insecure than the ones on the page you referenced? If so, can you objectively quantify that statement? If not, then it too holds no true value, does it?

    The purpose of my statement was in direct response to consider changing. Too often the immediate response is to change the host, but in reality there are a number of things that comes down on the end-user that should be considered first. I would argue that like WordPress, the biggest weakness for hosts is more often than not the end-user.

    I hope this provides better clarity around my response.

    For the record, I don’t work for any host. Just my .02

    Thanks

    This is happening to my site now. What’s interesting is that it only seems to occur in Windows XP. WP used to advise me to update although I have already. The issue would be resolved but only for a day or a few minutes. The links would come right back. I’ve been meaning to replace all the core files but I’m afraid that it won’t resolve the issue since there may be something stored in my database -_-. What a pain.

    @thefaro: As per the Forum Welcome, please post your own topic. Your problem – despite any similarity in symptoms – is likely to be completely different.

Viewing 7 replies - 16 through 22 (of 22 total)
  • The topic ‘Hacked and all my sites now have impossible cialis and viagra pages’ is closed to new replies.