Resolved kevinsteger

    (@kevinsteger)


    My wordpress installation has recently been hacked. I am experiencing a code injection on all pages that causes the page to pop a 100% width and height div that shows a message of “Checking your browser before accessing {mydomain}…” with a large “[Contine]” button. It emulates the same page the Cloudflare CDN shows you when it believes you are a hacker. However, it is clearly NOT coming from Cloudflare. The script pops a div over the entire page and when you click it redirects you to a new domain. Right now it redirects to https://default72.com/

    I have installed WordFence as well as several other plugins that scan for malware. It does not find anything and the plugin that checks the MD5 checksum of the core files does not find anything either. It also does not appear to have changed my Apache settings (although that is not my expertise). I have also disabled all plugins and the problem still exists.

    The server itself is hardened. There is no root password (or any users with passwords for that matter). All certificate, fail2ban, firewalled, etc.

    When I copy the entire site to a new server the problem persists. So that leads me to believe it is inside a WP file somewhere and not related to the server.

    I’m stumped. Has anybody else seen this?

Viewing 7 replies - 1 through 7 (of 7 total)
    Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter kevinsteger

    (@kevinsteger)

    Hi. That guide is what I have been doing. I’m now on step “Leverage the Community” and wondering if this particular type of hack has happened to anybody else here?

    Moderator James Huff

    (@macmanx)

    Is the code still being injected if you temporarily switch to the Twenty Sixteen theme and the Twenty Fifteen theme (check both)?

    Thread Starter kevinsteger

    (@kevinsteger)

    James, it is not. Neither of the WP themes produces the error. Thanks for pointing me in that direction; I was focused on plugins and core files.

    Moderator James Huff

    (@macmanx)

    Excellent, then it’s definitely your current theme. I’d start by restoring an older backup of it, or just reinstall a clean version if you didn’t customize the theme directly.

    Thread Starter kevinsteger

    (@kevinsteger)

    And there it is. I found a bit of PHP code in the footer.php for the theme. I do not know how it got there but I know the date the edit occurred and I will work backwards from there. I have also installed a file edit login plugin to help monitor this going forward. Thanks for your help.
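    The finding above points at a gap worth closing: core-file checksum plugins only cover WordPress core, so an edit to a theme's footer.php is invisible to them. The script below, an added example that is not code from this thread, from WordPress or from Wordfence, records a SHA-256 manifest of a theme directory taken from a known-clean copy, reports files that were later modified, added or removed, lists files changed after a given date (the "work backwards from the edit date" step), and greps theme PHP for the overlay text and redirect domain the thread describes. The theme directory, file contents and the `demo()` tampering are constructed for the illustration.

```python
"""Baseline-and-diff integrity check for a WordPress theme directory.

Added example, not code from the forum thread or from WordPress.
The sample theme built in demo() is constructed; only the overlay text
and redirect domain in SUSPICIOUS_PATTERNS come from the thread.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Indicators a defender would search theme PHP for, taken from what the
# thread reports (fake Cloudflare interstitial, redirect target), plus two
# generic obfuscation idioms that legitimate theme code rarely needs.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Checking your browser before accessing", re.I),
    re.compile(r"default72\.com", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"base64_decode\s*\(", re.I),
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(theme_dir: Path) -> dict:
    """Map each file's path (relative to the theme root) to its SHA-256."""
    return {
        str(p.relative_to(theme_dir)): sha256_file(p)
        for p in sorted(theme_dir.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a clean manifest with a current one."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def files_modified_since(theme_dir: Path, since_epoch: float) -> list:
    """Files whose mtime is after since_epoch.  Attackers can reset mtimes,
    so treat this as a triage aid, never as proof a file is untouched."""
    return sorted(
        str(p.relative_to(theme_dir))
        for p in theme_dir.rglob("*")
        if p.is_file() and p.stat().st_mtime > since_epoch
    )


def scan_for_patterns(theme_dir: Path) -> dict:
    """Return {relative path: [patterns matched]} for every PHP file."""
    hits = {}
    for p in sorted(theme_dir.rglob("*.php")):
        text = p.read_text(errors="replace")
        matched = [pat.pattern for pat in SUSPICIOUS_PATTERNS if pat.search(text)]
        if matched:
            hits[str(p.relative_to(theme_dir))] = matched
    return hits


def demo() -> dict:
    """Build a clean constructed theme, snapshot it, tamper, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "my-theme"
        theme.mkdir()
        (theme / "style.css").write_text("/* constructed theme */\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        baseline = build_manifest(theme)
        snapshot_time = max(p.stat().st_mtime for p in theme.rglob("*") if p.is_file())

        # Simulate the thread's finding: PHP appended to footer.php that
        # prints a fake browser-check overlay.  Constructed, inert text.
        with (theme / "footer.php").open("a") as f:
            f.write("<?php echo '<div>Checking your browser before accessing example.test</div>'; ?>\n")
        (theme / "cache.php").write_text("<?php /* constructed extra file */ ?>\n")

        result = diff_manifest(baseline, build_manifest(theme))
        result["pattern_hits"] = scan_for_patterns(theme)
        # Files touched after the baseline snapshot (mtime-based triage).
        result["recent"] = files_modified_since(theme, snapshot_time - 1)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In practice the baseline manifest is taken from a fresh download of the theme (or a pre-incident backup) and stored off the web server, so an attacker who edits footer.php cannot also edit the hashes it is compared against; the pattern scan is a cheap second opinion for the case where no clean baseline exists.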

    Moderator James Huff

    (@macmanx)

    You’re welcome!

The topic ‘Help finding code injection by hacker’ is closed to new replies.