What changes did the hacker make on your site?

  • I see on my site that the site URL was changed to a pastebin link.
    After looking through many common target files and through the database, I see nothing else tampered with.
    If you found anything else on your site that was changed, please post here with the modified files, etc.

    Thanks!

Viewing 10 replies - 1 through 10 (of 10 total)

  • Hi @mgsolidus,
    my website was hacked too. It now redirects to a website of offers.

    Where in your website did you find the change you mention? Before coming to know about the issue of this plugin, when I found my website was hacked I updated wordpress core and disabled all the plugins adding (via FTP) an underscore before the name of each folder. But the issue persists. Now that I know about the problem with WP GDPR I even deleted the folder of WP GDPR plugin, but the behavior of my website hasn’t changed – it is still redirected to another website.

    Any help would be appreciated.
    Thanks

    @aliag

    I have two sites, both were hacked – one worse than the other.

    One of them had the same problem yours does – every page would redirect to a string of dodgy sites.

    I had to go into the site’s database using phpMyAdmin and find the wp_posts table. In the entry for the item’s content, at the bottom of each entry was a javascript thing that redirected the browser to the sites. It was in every post, image and file that I’d uploaded. I had to manually delete every instance from every file in there – about 8000 in total. The site is fine now. There may have been an automated way of doing that but I did it that way.

    Good luck

    Many thanks @timothyp

    that’s a great hint. I’ll look for something similar.

    Thread Starter mgsolidus

    (@mgsolidus)

    @aliag

    See this Sucuri blog post to stop the redirect – https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html

    Folders to look out for as well:

    /wp-content/uploads/us-assets/

    Hi @timothyp

    It seems that I found the point. I downloaded my database and went through it with Notepad. In the table “wp_options” I found that the “siteurl” url was changed with a different address from the url address of my website, and to which I had seen the wp-admin was redirecting. Once I modified that on my online database, writing my correct website address, the website stopped being redirected.

    Now everything seems to be fine on that side.

    At the moment I just receive some errors from “TemplatesNext ToolKit” plugin, but I suppose that is caused by the previous attempts I made for solving the problem of redirection: I renamed all the plugin folders, removed the folder of the theme, uploaded a new version of it, deleted it and uploaded the older version…so I think something got messed up in the process and I don’t think it’s caused by hacker attack. I’ll look for support on the plugin page here on WordPress and let’s see what comes out.

    Thank you.

    Hi @mgsolidus

    I just read you post now, after posting my reply to @timothyp. Too bad, could save a couple hours of work. ??

    However your post was useful anyway. I looked for the folder you tell “/wp-content/uploads/us-assets/” and I don’t have it. I looked for the file “wp-cache.php” as adviced in the article you posted and I don’t have it neither, since I don’t use the plugin “WP Super Cache” and, as far as I understand, “wp-cache.php” belongs to this plugin. I also checked the list of users (my website is an e-commerce) but haven’t found anything strange.
    Thus I suppose everything got back to normality on my website [beside the problem with “TemplatesNext ToolKit” plugin that I mentioned in my previous reply].

    Did i forget anything? Oh, yeah, I deleted the plugin WP GDPR Compliance.
    I think that’s all for now.

    Thanks everybody for your support!

    The website of our client is hacked too and the website is still broken. Can you help to fix it?

    The link to the website is https://www.lammes.nl

    I can’t login anymore. Thanks!

    • This reply was modified 6 years, 3 months ago by Wendy Weel.

    Wendy Weel, you need to access the site through ftp and/or cPanel to fix it.

    I have had 2 of my sites taken down and 4 more showed signs of infection. They are back up and running now but I am still double-checking everything. The above post helps – https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html

    and also
    https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

    and

    https://www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/

    It would be really helpful if the plugin author laid out EXACTLY what happened in the hack, and a step by step way to fix it!

    Hi @wendyweel

    what I did for solving the situation I was in was to download the database and check it and there I found that the entry in the “wp_option” table ‘siteurl’ had been changed with the url to another website.

    You can check the database directly online, via PhpMyAdmin, and do the change.

    Hope this helps. Good luck!

    Hi,

    Also check your .htaccess file. Mine was changed on one of my web servers to rewrite to some shady subfolder. Which in turn lead to a site not displayed correctly, as the assets (js, css) could not be found.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘What changes did the hacker make on your site?’ is closed to new replies.