Viewing 15 replies - 1 through 15 (of 23 total)
  • Plugin Author Steve Burge

    (@stevejburge)

    Hi @alyanna

    We really apologize for that.

    There was a window of about 24 hours when this issue was exploited between December 7 and December 8. That window was closed by www.remarpro.com sending out auto-updates with the security fix.

    So, I’m speaking with incomplete knowledge as the issue is still fresh, but a typical attack seemed to have two possible parts:

    – A new user was created on December 7 or 8.
    – A plugin was uploaded called “wp-striplple”. You may need to check the /wp-content/plugins/ folder to find it.

    Please check for these two issues. If you find either, it might be good to also run a general security scan.

    Thread Starter alyanna

    (@alyanna)

    Hi Steve, thank you so much for the prompt response.

    I saw the new users created, and was able to delete them through the MySQL database.
    There isn’t a plugin called “wp-striplple” in my plugins folder.

    I tried restoring my files from a backup from 12/08 and the site still doesn’t load. It keeps redirecting to https://track.trainresistor.cc/

    Plugin Author Steve Burge

    (@stevejburge)

    Hi @alyanna. December 8 was inside the 24 hour window for the hack, so it might be wise to go back a day or so earlier.

    Thread Starter alyanna

    (@alyanna)

    I tried restoring it from 12/06 and flushing the cache, however it still doesn’t work. However, my host’s restore option has a note that it doesn’t remove files added after the backup.

    I’m at a loss as to how to get my website (ecommerce store) back up and running.
    Trying to access the wp-admin url now redirects to bing.com.
    The main page redirects to trainresistor still.

    Thread Starter alyanna

    (@alyanna)

    Do I have to restore my database as well?

    Plugin Author Steve Burge

    (@stevejburge)

    @alyanna In this case, the database is more important than the files.

    It’s possible that your homepage URL has been changed in the wp_options table in the database.

    Thread Starter alyanna

    (@alyanna)

    Thank you so so so much that solved the problem!!!

    A customer told me that the website was not working. Before restoring the website I did some research and I found you. I have restored the website and the database to 12/6 and, perfect, everything is working fine and the plugin is updated to version 2.3.2.
    Thank you all for the solution.

    I have the same issue.
    Yesterday my site was hacked and I restored a backup, all working again 9/12.
    Today I get the https://track.trainresistor.cc/

    After restoring backup.
    Which version of WP should I upgrade to and should I restore a backup again?
    Or can I do something else?
    Thanks

    I’ll explain how I did it. I restored a complete copy from 12/6; by complete I mean the web files and the database. Once the website was restored, I immediately updated the PublishPress plugin from version 2.3 to 2.3.2. If you do not update this plugin, the same thing will happen.

    Plugin Author Steve Burge

    (@stevejburge)

    Thanks for your helpful feedback @carsermil @tonnetje @alyanna

    We really apologize for this issue and are grateful for you posting here. Our team is available and happy to help.

    Any backup copies of your site from before December 7 are likely to be unaffected by this issue and will be safe to restore.

    Thank you, I’ve restored a backup from before 7/12 and updated the plugin.
    It seems to work now! Hope that’s it.

    Plugin Author Steve Burge

    (@stevejburge)

    That’s great to hear, thanks @tonnetje

    I have successfully fixed my website https://thacnuocphongthuy.vn/; it is redirected only when you log in with an admin account.
    Here’s how I fixed it: I first read @stevejburge’s warning and followed it to find the error, but I couldn’t find any user or wp-striplple plugin directory.

    I decided to delete the entire sql to use the old sql that was backed up before it crashed.

    Then I went back to the plugin folder and a new folder called “wp-romain” had appeared. After viewing the code, I saw wp-striplple with the owner site path (I deleted it quickly; too bad I forgot to save the website link in time),

    and everything was back to normal.

    • This reply was modified 2 years, 11 months ago by thuansky.

    Also, with the help of my host provider, we realized that once you get into the database file, under wp_option table is where the WordPress URL is indicated. This is where URL redirect injection normally happens and where hackers change it. You just need to change it back to your own URL. Good luck to anyone who encounters this problem.
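
The three checks described across this thread (the `siteurl`/`home` values in `wp_options`, accounts registered during the exploitation window, and the plugin folder names reported above), combined into one triage script as an added example that is not part of the original thread or the plugin's own code. It assumes the default `wp_` table prefix; an in-memory SQLite database stands in for the site's MySQL database so the script runs offline, and the host `shop.example`, the user names and the year 2000 in the sample data are constructed.

```python
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Plugin folder names reported in this thread.
SUSPECT_PLUGINS = {"wp-striplple", "wp-romain"}

def triage(db, plugins_dir, expected_host, window_start, window_end):
    """Return findings for the three indicators discussed in the thread."""
    findings = []
    # 1. Site URL options that no longer point at the site's own host.
    for name, value in db.execute(
            "SELECT option_name, option_value FROM wp_options "
            "WHERE option_name IN ('siteurl', 'home')"):
        if urlparse(value).hostname != expected_host:
            findings.append(f"option {name} = {value}")
    # 2. Accounts registered inside the window (end is exclusive).
    for login, registered in db.execute(
            "SELECT user_login, user_registered FROM wp_users "
            "WHERE user_registered >= ? AND user_registered < ? "
            "ORDER BY user_registered", (window_start, window_end)):
        findings.append(f"user {login} registered {registered}")
    # 3. Plugin folders with the names reported in the thread.
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_dir() and entry.name in SUSPECT_PLUGINS:
            findings.append(f"plugin folder {entry.name}")
    return findings

def demo():
    """Run triage() against constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (user_login TEXT, user_registered TEXT);
        INSERT INTO wp_options VALUES
            ('siteurl', 'https://shop.example'),
            ('home', 'https://track.trainresistor.cc/');
        INSERT INTO wp_users VALUES
            ('owner', '2000-03-01 10:00:00'),
            ('newadmin', '2000-12-07 21:14:00');
    """)
    with tempfile.TemporaryDirectory() as plugins:
        for name in ("publishpress", "wp-romain"):
            Path(plugins, name).mkdir()
        return triage(db, plugins, "shop.example",
                      "2000-12-07 00:00:00", "2000-12-09 00:00:00")

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a live site the same two SELECT statements can be run against the MySQL database directly, with the window set to the dates given earlier in the thread.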

  • The topic ‘Solution to recent security issue?’ is closed to new replies.