Theme was hacked somehow, but couldn't find how or where

  • manicolaus

    #7842

    My site (nicolaus.com) was hacked, with a multi-line message about viagra and such junk displaying above the header for the home page, and this resulted in a Google warning that the site was compromised. I searched the mysql database containing the site and could find no sign of this message in any table. I did several scans with the wordfence plugin and it detected nothing wrong. I used the WP dashboard editor to search the code of many of the theme files, including likely suspects such as header.php, but could not find the added garbage. Finally I switched to another theme just to see, and the garbage went away. I then deleted the graphene theme and reinstalled it fresh, and the garbage stayed away, so my problem is solved. For now. Unfortunately I was not able to identify the corrupted file, so this post is not very helpful to the developer. But maybe it will help another user who runs into the same issue.

    Prasanna SP

    #39529

    When did you get hacked? Can you provide us your server log for that period?

    Once you get hacked, it is likely that there is one backdoor, if not several, left in your site. Carefully check your plugins/scripts for malicious code and security holes.

    Mod

    Kenneth John Odle

    #39530

    This is one reason that you want to make sure that WordPress, your theme, and any plugins you use are updated, and that you only get them from reputable sources.

    There are plenty of people who sell WordPress plugins which inject code of various types into your site, which generates money for them, not for you.

    Try this:

    http://sucuri.net/

    manicolaus

    #39531

    Unfortunately I can’t identify the date of the hack; it could have been as long as two weeks ago. The site gets hit regularly with failed login attempts trying to log in as Admin. I have two security plugins, login lock and wordfence, both activated.

    My hypothesis is that the hacker somehow compromised one of the theme files. However, the wordfence plugin which is supposed to compare the activated files with the factory files did not find a discrepancy. Also, I manually searched more than a dozen of the theme files and found nothing. The theme contains so many files that I did not search all of them. Next time it happens I will ftp all of the theme files into an editor like Notepad++ on the local machine, which lets me search multiple files at once.

    The only new plugin that I installed recently was a sitemap generator from BWS (bestwebsoft.com). I’ve just checked on that site and got indications from both TrendMicro and McAfee that it is suspicious and they recommend not going there. The owner/operator appears to be in Russia using a fake Houston TX front. I’m going to delete that plugin and find another sitemap generator.
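Following up on the plan above to pull the theme files down and search them locally: this is an added example, not code from the thread or from the Graphene theme, that compares a live theme directory against a freshly downloaded copy of the same theme version by file hash and then greps every changed or added file for PHP idioms typical of injected loaders. The `build_demo` helper, the `inc/cache.php` stray file and the placeholder payload are constructed sample input, not anything observed on the poster's site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP idioms that rarely belong in a theme template; a hit means "read this file by hand".
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate/str_rot13": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("),
    "request-driven include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
}

def snapshot(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def suspicious_patterns(text: str) -> list:
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]

def audit(clean_dir: Path, live_dir: Path) -> dict:
    """Diff the live theme against the clean copy and grep changed/new files for red flags."""
    clean, live = snapshot(clean_dir), snapshot(live_dir)
    report = {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
        "flagged": {},
    }
    for f in report["modified"] + report["added"]:
        hits = suspicious_patterns((live_dir / f).read_text(errors="replace"))
        if hits:
            report["flagged"][f] = hits
    return report

def build_demo() -> tuple:
    """Constructed sample: a clean theme and a live copy with one tampered and one stray file."""
    clean, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    header = "<header class='site-header'><?php wp_nav_menu(); ?></header>\n"
    for d in (clean, live):
        (d / "header.php").write_text(header)
        (d / "style.css").write_text("/* Theme Name: Demo */\n")
    # Injected loader of the kind that prints junk above the header (inert placeholder payload).
    (live / "header.php").write_text(
        "<?php eval(base64_decode('Q09OU1RSVUNURURfU0FNUExF')); ?>\n" + header)
    (live / "inc").mkdir()
    (live / "inc" / "cache.php").write_text("<?php include($_GET['f']); ?>\n")
    return clean, live
```

Run `audit(Path("graphene-clean"), Path("wp-content/themes/graphene"))` against a copy of the theme unpacked from the official download; anything in `modified`, `added` or `flagged` is the file to open first, and a theme whose every file matches the clean copy points the search at plugins or WordPress core instead.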
