Site hacked, fixed, now has problems

  • Resolved madjenja

    (@madjenja)


    8 years, 8 months ago

    Hi all,
    my friend’s site was quarantined a couple weeks ago by its host due to being infected by the exploit discussed here: https://blog.avast.com/wordpress-and-joomla-users-get-hacked-be-aware-of-fake-jquery . My friend asked me to help.

    Based on the info the host provided and a sucuri.net scan, I was able to find and delete the malicious code. I also deleted theme folders twentytwelve, twentythirteen, and twentyfourteen, which apparently were used in the attack, perhaps as a back door.
    Before screenshot:
    https://creativechristianimagery.com/ScreenShot2016-06-30_7.18.03%20PM.png
    After screenshot:
    https://creativechristianimagery.com/ScreenShot2016-06-30_8.26.36%20PM.png
    I restored the file, “/public_html/wp-includes/wp-db.php” to a backup version from May. I will be checking periodically to make sure the malicious javascript is not being re-injected by another file.

    I updated the core installation to 4.5.3, and all the plugins. I also added security plugins including JetPack, and will be upgrading jetpack to a security level plan. The theme, Portafolio, is up to date.

    Now the site is not functioning the way it did before. Since I was not familiar with the site beforehand (or with WP for that matter), I’m not sure how to fix. The problem I’m having is that the row of images don’t seem to be linking to their respective pages. Not an earth-shattering problem, but one that needs corrected. Any tips?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    At creativechristianimagery.com I see the row of images below the top image on the page are all just linking to creativechristianimagery.com

    Unfortunately though, I couldn’t stay long enough to inspect it before some malicious javascript redirected me elsewhere, and a fake pop-up warned me that Windows was infected (I’ve always been a Mac user), so it would seem that your site is still infected and possibly the actual hack vector was not found and removed the first time.

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Your site is still hacked, even though sitecheck.sucuri.net isn’t seeing it.

    I had the same experience James did and had to force-quite my browser.

    You may want to consider using one of the commercial website cleaning services to clean up and monitor your site.

    Thread Starter madjenja

    (@madjenja)

    Thanks for responding stern and James.

    For anyone else who may be affected by this exploit, there are two additional actions I took based on the feedback:

    1. Changed passwords! This seemed to “maim” the exploit.

    2. I upgraded to WordPress.com’s premium service and they ran the VaultPress scanner, which identified three problem files, which I deleted. These files were missed by both the host’s scanner and sucuri’s scanner.

    Moderator James Huff

    (@macmanx)

    You’re welcome, and thanks for sharing your solution!

    Just to clear up any confusion for anyone who stumbles across this, the correct plan name is Jetpack Premium (even though it’s offered through WordPress.com). Separately, WordPress.com has its own WordPress.com Premium plan, which is not available to self-hosted sites and doesn’t include VaultPress. ??

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Site hacked, fixed, now has problems’ is closed to new replies.