Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
Yesterday I got a bug in my WordPress site, where a hacker injected a script which can be seen by Googlebot only.
That script is not read or identified on normal browsers.
This is not causing issues with site availability or performance, but on Google search it gives advertisements instead of my site content, which is not good.
While searching on Google I got this:
https://aw-snap.info/articles/spam-hack-wordpress.php
I tried almost all the options given there.
Can anybody help me to identify the spam?
Thanks
Kiran Peshkar
Google offers a "view as Google" option in webmaster tools. This will help you to see what they see.
I tend to do two things when recovering one of my sites if it is not obvious what has caused the problem.
Upload a fresh copy of WordPress to my server. This will overwrite all the core files so if any have been hacked the malicious code will be overwritten.
It is likely that a malicious script is hidden somewhere, so if it is a simple site I will delete everything and reinstall and re-upload plugins. Of course anything in wp-content will need to be saved and restored. But note, a malicious script could be hidden in here.
It might just be easier to do a full restore at this point. Find a recent backup, upload the files and check with Google's tool to see if the malicious code is still active. It is always worth contacting your webhost for help; depending on how good they are, they might even sort this out for you.
Remember, any attempt to restore or overwrite files could potentially impact your site or result in data loss so make sure you backup everything you need. Although it is unlikely the malicious code is in the WordPress database you should definitely back this up too.
Unfortunately there is no easy way to remove these types of hack, you never quite know what malicious code has been used. You should consider changing all passwords and reviewing your security so that the hacker doesn't do the same thing again as soon as you get the site up! Make sure all apps on the server are up to date.
Even the most secure WordPress sites get hit from time to time; this is why security is important and why daily backups are essential.
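As a local complement to the Webmaster Tools view mentioned above, the following added example (not part of the original posts) compares the copy of a page served to a browser with the copy served to a crawler User-Agent and reports what only the crawler receives. The sample pages, host names and helper names are constructed for illustration; an injection that keys on Google's IP addresses rather than the User-Agent will not show up this way, so Google's own tool remains the reference.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# User-Agent strings to pass to fetch() when comparing a real URL.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class _Refs(HTMLParser):
    """Collect href/src URLs and inline <script> bodies from one page."""
    def __init__(self):
        super().__init__()
        self.urls, self.scripts, self._in_script = set(), set(), False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        self.urls.update(v for k, v in attrs if k in ("href", "src") and v)

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.add(data.strip())

def crawler_only(browser_html, crawler_html, site_host):
    """Return what appears only in the copy served to the crawler."""
    seen = []
    for html in (browser_html, crawler_html):
        parser = _Refs()
        parser.feed(html)
        seen.append(parser)
    new_urls = seen[1].urls - seen[0].urls
    offsite = sorted(u for u in new_urls if urlparse(u).hostname not in (None, site_host))
    return {"offsite_urls": offsite, "inline_scripts": sorted(seen[1].scripts - seen[0].scripts)}

def fetch(url, user_agent):
    """Fetch a page with the given User-Agent; needs network, so not run on import."""
    with urlopen(Request(url, headers={"User-Agent": user_agent}), timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample pages (not taken from the question).
SAMPLE_BROWSER = '<html><body><a href="/about/">About</a><script src="/wp-includes/js/jquery.js"></script></body></html>'
SAMPLE_CRAWLER = SAMPLE_BROWSER.replace("</body>", '<a href="http://ads.example.net/buy">offers</a><script>document.title="deals"</script></body>')

if __name__ == "__main__":
    print(crawler_only(SAMPLE_BROWSER, SAMPLE_CRAWLER, "www.example.com"))
```

For a live check, call `fetch()` twice on the same URL with `BROWSER_UA` and `GOOGLEBOT_UA` and pass both results to `crawler_only()`.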
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
Anti-spam conditions disappear from mailer PHP files while contact form is being simultaneously attacked by spammers.
This is the second time in a week this has happened. Lines of spam-preventing code just get removed from my PHP file (nothing gets added).
I have contacted the server people but they said it's not their problem and something is wrong with PHP itself.
What are the best steps to take to make sure this doesn't happen? Are there any htaccess or ftp security settings I could make use of?
It could be possible that you're simply overwriting your files with versions that don't have the tags in them. Double-check that your plugins and upload scripts don't have permission to overwrite these files without your permission.
If you are worried about your security though, the most common forms of injection of files are through image uploads and forums. Ensure that if you are using any database connections, that you use either MySQLi or PDO, and remember to use parameterised queries!
While you could make a few FTP or .htaccess rules, they aren't really going to stop any potential hackers. The best thing you can do is to make sure you don't have any security vulnerabilities that can be exploited.
If you're running WordPress, run your site through WPScan to make sure there are no vulnerable plugins that you're using (there are literally thousands of vulnerable plugins).
For further reading on security vulnerabilities and how to address them, I recommend checking out the OWASP Top 10 cheat sheet.
Hope this helps! :)
Files don't just have lines randomly disappear.
Someone has access to your server files, either through some form of attack on your webserver (a vulnerability in your code), FTP/SFTP/SSH access, or you have something in your code manually editing these files.
It may even be something as simple as you forgetting to save the files correctly, or an old version of the files getting replenished if you have some version management system.
Either way, I suggest changing passwords, increasing security, checking file permission, etc.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 6 years ago.
I am currently working on a site that is hosted on GoDaddy's WordPress-Managed hosting. I have had issues come up that I've never seen before. For example, I was working right on the FTP, saving my changes and uploading immediately, but none of the changes I made would show up on the server. I read about GoDaddy's restrictive cache so I worked locally until the theme was done. Even then, after I uploaded, the changes wouldn't show. I double-checked the style file on the server, it was updated, but I could not physically see my changes.
After a few hours, the changes showed. Now, however, I'm still struggling. The styles and JS updates will not show in Incognito or on certain computers. I'm at the end of my rope here on where to go and what to do. Is it something to do w/ my WordPress functions file and the versioning of my CSS and JS? Does it have to do w/ GoDaddy's server? Would switching from GoDaddy's Managed WordPress to a basic hosting and installing WordPress myself be more efficient?
Thanks for anyone's help!
My guess is caching server side (for example some caching modules will cache all PHP files for a given period of time).
The quick and dirty solution is to add a query string to the file(s) you are trying to view to see changes immediately.
Example:
http://mywebsite.com/somefile.php?hucd8239812
You will need to change the query string every time you change the file, but it's a quick and dirty way to break cache.
Thanks everyone for helping me out! It actually all had to do with GoDaddy and their server side caching. For some reason, the files were taking roughly twenty minutes to show changes. I just started working locally and uploading only when I needed to. Don't know if that's the best solution, but it's working for this simple site.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
I've been searching the last couple weeks and tried to solve a problem with my site but with no success. The problem is that sometimes I get redirected to a porno site (not always the same) when I try to access mine. I'm using WordPress and I've searched for malicious code snippets in the index.php, header.php and all theme related files and found nothing that could be doing this.
This is a very hard problem to solve cause it's nearly impossible to reproduce, it just happens sometimes. For example, if you try to access one article from my site and you get redirected that doesn't mean you will always get redirected when accessing that article again (even from another computer), making it very hard to debug.
Do you have an idea how to fix this? Is there any way I can disable redirects to another domain or something?
Before I got redirected to the final site, I was able to see this source:
<html><head><meta http-equiv="refresh" content="0; URL=http://xxx.xxx.com/adsort.php?aid=2&atr=dirs"></head><body></body></html>
I'm not sure if this is useful since it gives almost no information. Be aware that the link can redirect you to a porno site.
I doubt that WordPress is subject to XSS scripting, especially if you're using the latest update. The first thing that comes to mind is outdated plugins that do have security vulnerabilities.
Have you installed outdated plugins? Try to update the ones that are outdated and try to find out if they have (or had) any backdoors (use Google, plugin reviews, etc.).
If you can't find anything in your filesystem, it may be loaded dynamically. So you should scan (search, for example, for that xxx URL) ALL tables in your database.
Are you sure it's not just adware on your personal computer?
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I have the following problem:
The website I made for a friend has been infected with malware. When I tried to clean it, by replacing files that I found to be different to the ones I uploaded, with my original files, after a short time, the files were different again. The file permissions are all 644, and the folders 755. It is as if the one who infected the files has access to change them whenever I change them back. Can anyone help me since I am very new to these kinds of problems?
First things first: report this to your webhost immediately! Secondly change all of your relevant passwords!
That being done, there are a few possible causes:
Your parent webhost has been compromised, in which case there is nothing you can do except move to a better host.
Your website contains a vulnerability that is being picked-up by kiddies with their vuln-scanners. Be sure to audit your code to ensure that no user action can result in your website's filesystem being touched inappropriately; also check for SQL injection avenues.
Your website uses a widely-distributed application, such as WordPress, that has not been patched - this is a major problem.
Your own PC has been compromised and ne'er-do-wells have used a keylogger or other software to discover your FTP or SSH account details, and are abusing your website. Run a local scan and audit everything to ensure your bank account isn't being raided either.
This isn't a code-related problem. This isn't the place for your question.
But: It's likely that a program is running on your server and re-infecting the files. I'd recommend either taking it to a professional malware removal service, or (my preference) burning the server in a fire and allowing a new server to rise from the ashes. Then install an AV suite on the new server.
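The comparison the question describes (live files against the originals that were uploaded) can be made repeatable, so that each round of re-infection is caught and timed. The following is an added example, not code from the original posts; the function names and report layout are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path


def _snapshot(root):
    """Map each file (path relative to root) to (SHA-256 hex digest, mtime)."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime)
    return snap


def compare_trees(reference_dir, live_dir):
    """Compare a copy of the live site against a known-good copy of what was uploaded."""
    ref, live = _snapshot(reference_dir), _snapshot(live_dir)
    modified = sorted(p for p in ref.keys() & live.keys() if ref[p][0] != live[p][0])
    added = sorted(live.keys() - ref.keys())      # files nobody uploaded on purpose
    missing = sorted(ref.keys() - live.keys())
    # Modification times (UTC) of changed files, to match against web-server and
    # FTP logs. Whoever changed a file can also reset its mtime, so treat as a hint.
    changed_at = {
        p: datetime.fromtimestamp(live[p][1], tz=timezone.utc).isoformat()
        for p in modified + added
    }
    return {"modified": modified, "added": added, "missing": missing,
            "changed_at": changed_at}


if __name__ == "__main__":
    import sys
    report = compare_trees(sys.argv[1], sys.argv[2])
    for kind in ("modified", "added", "missing"):
        for rel in report[kind]:
            print(f"{kind:9}{rel}  {report['changed_at'].get(rel, '')}")
```

Run it against a downloaded copy of the site after each clean-up; the same files changing again at regular intervals points to something still running on the server, as the answer above suggests.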
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I'm sorry if this is not really an appropriate question to ask on here, but this has happened to me a number of times and I don't understand what's going on because I do not have an upload form on my website. Somehow someone is uploading lots of PHP files to my FTP server. These files were even picking up traffic thru Google Analytics. I have a contact form, and it does need to be beefed up security wise, but can a hacker UPLOAD files and alter my .htaccess file through it?
What type of hack is that? I would love to do more research on it to take preventative measures.
It is very possible for a hacker to upload files through a PHP site. I've seen it many times.
PHP has the potential to be very insecure. Getting in through PHP isn't very hard if your configuration is weak. Check your access logs and look for anything that seems wrong, particularly a whole bunch of requests from a single IP address. If they are in that deep, your access log may itself be compromised, and beyond even that.
Contact forms and database driven pages are easy to create with vulnerabilities, and no amount of PHP configuration tweaking will fix that. Look for cross-site scripting vulnerabilities and, if you're using a database, SQL injection attacks, and make sure that there is nowhere in your website that uses a GET parameter in a file path, like reading a file, or writing a file. Don't count on stripping a GET parameter, don't count on regexing it clean, just don't do it.
With regard to FTP, if you can, just turn it off and only upload files through SFTP or SCP. If possible, don't use password authentication, use public key instead.
Ultimately if they are changing files on your file system, you may end up saving yourself time by fixing any vulnerabilities you can find, re-installing the OS from scratch, and reconfiguring PHP and FTP to be secure.
There are some toolkits out there that will do basic tests against your site that are worth a look too. Check out https://www.owasp.org/index.php/Main_Page
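The access-log check suggested above, as an added example that is not part of the original answer: it counts requests per client IP and lists successful requests to PHP files the site owner never deployed. It assumes the Apache/nginx "combined" log format; the log lines, file names and the `known_scripts` list are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log line: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def triage(lines, known_scripts, burst=5):
    """Flag busy client IPs and successful hits on PHP files the owner never deployed."""
    hits, unknown_php = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ip, when, method, target, status = m.groups()
        hits[ip] += 1
        path = urlsplit(target).path  # drop the query string before comparing
        # 200 means the file exists and ran; 404s on odd .php names are usually probes.
        if path.lower().endswith(".php") and path not in known_scripts and status == "200":
            unknown_php.append((ip, when, method, path))
    noisy = [(ip, n) for ip, n in hits.most_common() if n >= burst]
    return {"noisy_ips": noisy, "unknown_php": unknown_php}


# Constructed sample log (documentation IP ranges, invented file names).
def _l(ip, sec, req, status):
    return f'{ip} - - [12/Mar/2014:03:14:{sec:02d} +0000] "{req} HTTP/1.1" {status} 512 "-" "-"'


SAMPLE_LOG = [
    _l("198.51.100.23", 1, "GET /index.php", 200),
    _l("198.51.100.23", 2, "GET /contact.php", 200),
    _l("203.0.113.7", 3, "POST /contact.php", 200),
    _l("203.0.113.7", 4, "POST /contact.php", 200),
    _l("203.0.113.7", 5, "POST /contact.php", 200),
    _l("203.0.113.7", 6, "GET /images/cache_7f.php", 200),
    _l("203.0.113.7", 7, "POST /images/cache_7f.php?x=1", 200),
    _l("192.0.2.44", 8, "GET /wp-login.php", 404),
]
KNOWN = {"/index.php", "/contact.php"}  # scripts the owner actually deployed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, KNOWN))
```

The timestamp of the first request to an unknown file narrows down which earlier request, or which FTP login, put it there.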
Does the form have an upload function? Do you check file types etc.? Could easily upload a PHP shell (c99, c100) and alter what's on your account.