My Site's been hacked!

Guys...
here is the simple method. ask your hosting provider for a full cPanel scan, that'll generate a log in root directory.
then use that report to find the infected files/folders and remove all.

here is my 2nd scan summary i did 30 mins ago.


Code:
----------- SCAN SUMMARY -----------
Known viruses: 2206551
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 6378
Scanned files: 38937
Infected files: 0
Data scanned: 895.23 MB
Data read: 1903.41 MB (ratio 0.47:1)
Time: 1922.703 sec (32 m 2 s)
 
unfortunately the regular scan doesn't always show all infected files :(
scan with wordfence again using high sensitivity scan to make sure and ask your hosting provider to install imunify 360 extension if it's not installed, if it's installed use it from cPanel and make sure to change the proactive defence to kill mode
 
thanks for the suggestion. I'll ask hostgator right away. i don't think they'll use imunify 360, cuz they have sitelock managed by them.
and wordfence is running in background with high sensitivity mode. let's see..
 
I can't help but laugh when someone says either that Wordfence (or whatever WP plugin) will protect them from hacking/solve any hacking and when someone blames something they had downloaded here to be the cause of the hack.
In this particular case, I've to admit, because of your URL I thought that it was something that I did to a client that didn't pay.
 
wordfence will detect files with malicious codes and then you have to fix them yourself !!!
imunify 360 will stop the execution of malicious files

That was what i said
 
The answer you gave on the previous page actually was not bad (as much as I don't like Imunify).
I guess I have seen too much blame on the plugin downloaded, and not on the person itself.
 
I had something similar to this, and the culprit for me was the Classic Editor plugin.
Like, if I activated the Classic Editor plugin, some casino links were automatically added to my site and a lot of URLs got generated to some slot website.
Even in upload folder again and again the File was getting uploaded, even if I delete them.

So first I cleaned my site with Wordfence.
Started looking for Plugins and Found when I activate Classic Editor Plugin all this sh** was happening.
I deleted, Classic Editor and problem solved.
 
Hey everyone, recently i've found some issues, which is a redirect issue, and my WP index.php files got automatically modified and there are some .php codes inserted.
I've scanned and fixed it with Wordfence but it got infected over and over.
how to prevent infection from happening again????
try securityinfinity.com
use their lifetime deal
it scans and shows all vulnerabilities in minutes.
tried for a friend and it worked
 
I've had the same hack before. I don't love Wordfence but have used it. I used Sucuri (the plugin, not the service) on one site that was infected but found that it kept sending me false positives every time there was interaction with WooCommerce. Just my experience and I think we all find what works for us.

For a free solution:
wordpress.org/plugins/ninjascanner/
wordpress.org/plugins/ninjafirewall/

With the free versions you can run a scan and find problematic files and files that don't match the original theme/plugin files where matching is available. Those unmatched files can be automatically fixed in many cases. The firewall will not prevent new hacks if you already have backdoors.

If you have SSH access there are a number of grep searches you can run to find files with similar strings. When this hack affects one site, it often affects other WP sites in the neighborhood.

You can run a search with a string you find in an affected file (sample string here - use one from your file):

find . -type f -name '*.php' -print0 | xargs -0 grep -l " *Array();global*"

You can also prevent files from being overwritten like this (wp-config.php, index.php and any others that get harmfully changed):
find . -type f -name "index.php" -print0 | xargs -0 chattr +i

*You have to undo this if you are ever purposely changing (plugin/theme updates, etc.) or removing the directory containing the file you have protected this way.

You can also look for changed files in the past X time:
find . -type f -name '*.php' -mtime -1 -ls

If you don't permanently solve the problem, it WILL come back.
 
@YUCATAN.DANCE on production if you have a tight budget & it's a personal site, grab some legit activations from the trusted sellers here & for other plugins, like the backup ones and stuff, either do it manually yourself or use the free version. Wherever a free version + manual work can do the trick, do that. It'll save you from these headaches & give your site better performance (by reducing the number of plugins)
Please how do we know those trusted sellers here on babiato? Is there any section for it?
 
Check their post history, age on forum, number of sales & contributions. For example, for anything for sale by someone like @Medw1311 or @TassieNZ will be 100% legit beyond doubt. There are quite a few very legit sellers here who you can safely buy from without any worries at all. These examples should give you an idea on how you can judge.
 
So I had same issue a couple of days back, after combing through here this is what has solved my issue.
Deep scan with wordfence
Delete all plugins and themes and leave default wordpress themes
deleted wp includes and wp admin and replaced them with new folders from wordpress repository

So far so good, but I keep scanning and monitoring, and since it has not come back I suspect some outdated plugins
 
Easy: just download the database, reinstall WordPress and upload the database, but first do a copy of the files in a subfolder, because you will need to put back the old important files where they belong, except the front files
 
I really appreciate the efforts of the moderators and the admins. Unfortunately, with what i learnt here yesterday, i decided to check one of my websites which was broken and i am still trying to fix it.
i got the woozone plugin from babiato using the download button which i believe was screened before upload as you suggested. However, this is my scanned result attached. The ironic part is i just downloaded Wordfence to scan the website and discovered wordfence even detected itself as affected.

CC: @Babak

i need advice pls.
We make an effort to abide by the standards that have been set up in our community about new users contributing resources in threads. The best advice is to report any questionable comments made by new members because we moderators monitor an average of about 190,000 people, making it challenging to keep track of everything. If necessary, we'll evaluate the comments and take appropriate action. The best recommendation at the moment is to use the download button on the page at all times, or make sure you're downloading from a trusted user who has the Nullmaster badge since Babiato has approved them.
 

Attachments: 6 (2).jpeg, 57.jpeg
Maybe since you already have the injector on your website it just inject all php codes ?!
I'm using kaspersky total security and it usually detects all infected php files, i will run a scan on the files you mentioned if you give me the post link and the version
 
I have just checked wordfence 7.7.1 and the infected file that you have in the screenshot is not even in the package !!
It must have been copied there by the malware that you already have on the server !
Please check the downloaded package locally on your PC and you will understand what i'm talking about !
and if you notice that it's already a dot file in both locations of the screenshots
I believe that you should've investigated this before you post such a comment, right ?
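
The check suggested in the post above and in the earlier post about files that don't match the original plugin files (compare the server copy with the original package, including dot files), as an added example that is not part of the thread. The function name, the directory arguments and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list files in a live plugin/theme
# directory that are missing from, or differ from, a clean unpacked package.

# compare_to_clean INSTALLED_DIR CLEAN_DIR
#   EXTRA <path>     on the server but not in the clean package
#   MODIFIED <path>  in both, but the contents differ
compare_to_clean() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "usage: compare_to_clean INSTALLED CLEAN" >&2; return 2; }
    clean_abs=$(cd "$2" && pwd)
    # find (unlike a shell glob) also returns dot files; -exec ... {} +
    # passes names as arguments, so spaces in file names are safe.
    ( cd "$1" && find . -type f -exec sh -c '
        clean=$1; shift
        for f in "$@"; do
            rel=${f#./}
            if [ ! -e "$clean/$rel" ]; then
                printf "EXTRA %s\n" "$rel"
            elif ! cmp -s "$f" "$clean/$rel"; then
                printf "MODIFIED %s\n" "$rel"
            fi
        done
    ' sh "$clean_abs" {} + ) | sort
}

# Constructed sample: a two-file "package" and an installed copy that has
# one changed file and one extra dot file (all names are made up).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/clean/lib" "$tmp/live/lib"
    echo '<?php // main'   > "$tmp/clean/plugin.php"
    echo '<?php // helper' > "$tmp/clean/lib/util.php"
    cp -R "$tmp/clean/." "$tmp/live/"
    echo '// appended line' >> "$tmp/live/plugin.php"
    echo '<?php // not in package' > "$tmp/live/lib/.cache.php"
    compare_to_clean "$tmp/live" "$tmp/clean"
    rm -rf "$tmp"
}

# Run the constructed demo only when called with the argument "demo".
if [ "${1:-}" = "demo" ]; then demo; fi
```

An EXTRA line only means the file was never in the package you compared against; files the plugin creates at runtime (caches, logs) show up the same way and need a manual look.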
 