WP Site hacked via ?yme parameter?!!

  • Resolved CrazySerb

    (@crazyserb)


    11 years ago

    Ok, I’ve just spent 3 days straight trying to figure out HOW to get rid of this and I’ve got nothing. Absolutely nothing.

    I’ve gone through all the previous suggestions, FAQs, bullet lists of things to do, sifting through database, code, plugins, disabling things, renaming folders, everything and anything short of reinstalling the whole site from scratch (not an option, given the number of posts/users and related material), and still no luck.

    Here’s the issue.

    If I go to:

    https://medical-mastermind-community.com/?yme=531-cheap+viagra+generic+online

    I get the hacked footer in the bottom with Viagra ads and whatnot.

    if I remove the ?yme=… it works just fine.

    Ok, so far, so good.

    Now, the funky part is this… this URL still shows the same page and same template and same hacked footer:

    https://medical-mastermind-community.com/?yme=531-cheap+viagra+generic+online

    even if I:

    1) change the theme
    2) change the page template used on the home page
    3) set the homepage to draft
    4) trash the homepage
    5) disable all the plugins (rename the /plugins folder)

    you name it, I’ve done it, and I can’t figure out how in the world is it still showing that hacked page?!!

    And how to get rid of it?

    Anyone?!

Viewing 1 replies (of 1 total)
  • Thread Starter CrazySerb

    (@crazyserb)

    jesus, got infected by something that added a big block of <?php eval(gzinflate(base64_encode(…. text all over the place, in WP files, outside of WP folder… all random spots. It wasn’t until I started doing a lookup in shell that I found all these entries.

Viewing 1 replies (of 1 total)
  • The topic ‘WP Site hacked via ?yme parameter?!!’ is closed to new replies.