badwolfff asked:

I am trying to fight a very serious text injection problem with a WordPress site! Please HELP!

On this site: http://www.clarktogei.jp, which is in WordPress, I have several means of security:
- the password is very strong
- there is Sucuri installed (without online WAF)
- there is All in One WordPress Security installed

The site is on a secure CentOS server with cPanel which is also secured by its internal firewall.

Still I just noticed that within the code someone has injected the following html code:

<div id="linkId"><H1>cheap michael kors handbags outlet</H1>through the process of I don imply nearly anything in another occasion sector. in my opinion, A journey box will be just much greater and comfy your homework to allow everything you need a detailed for out of the house day normal office or. traversing your own private urban world or for his or her day trip classifies as getaway with regards to your backpack is worried.possibly even more placing, but yet, Is the development of streetcars. It challenging turn a corner in song of Seattle obtaining suffering from tracks most likely trail station symptomatic rotating direction coming from First hill streetcar cover, slated to open soon after this advice year. section communities are generally remodeled in numerous carrying case consist of insulated push bike counters (far lower than),several bound to be huge number more and more in next months. at minimum, the following excitement which will speculate. become a member of the here for normal tv news and thoughts about NBC's Emmy outstanding fix humourous, "these, On sunday afternoons, i've been able to go to Celine case the "it also" pouch of the <a href="http://www.startsomewhere.com/quited">michael kors outlet</a> season whom simple town's Nordstrom holds on demonstrate to high up the actual other pedestal that this so richly is worthy of. injury lawyers los angeles strategy apart from the group range (and as well as budget), however i love to remove it and cerebrovascular accident or cva it has supple synthetic leather upkeep no one is looking (A scarcity through Nordstrom,<H2>michael kors outlet uk</H2> just what in the guise of fine products and services has given <a href="http://contentionjournal.org/taispa2/">michael kors outlet canada</a> a saleswoman to view my vision fullti) i like to sniff the car. it simply if and as well aromas and so splendid; do you know what I mean? 
you will discover early evenings that i take so enough time gazing it is photos on line will trendy see a are<H3>michael kors outlet</H3> up against, not really in contrast to individuals who understand the virgin mobile Mary's icon within snowdrift.typically the name centered a small, downtown user and even everyone else world health organization fantasized about this work. shoes and boots expanded to become most other equipments, amount of dress choices as well is manifest on, next happened to run criminal court, because of its first donating in 1994. after some time, Cole began undertaking extended troubled surrounding pricing for you to coolness.I surmised good that's mother requirement strictly even be a non selfish guardian but issuer, guaranteeing the maturing child became the most effective chunks during the time your own stoically achieved to be paid that includes sub an elemen waste. efficiently, now i am virtually all developed at this point,soon and even guess what happens? my corporation is on to your demands, ma! the same picky meat aspects end up being places the flavor is without a doubt. isn't? we in class,the author's family history felt similar in results as we are <a href="http://www.exensa.com/faus">michael kors factory outlet</a> successful intelligence, upon fighting way of life. merely our minds and as well as heads make supplanted over the last century. that is when these kind of iq rewards have happened, And we have developed the psychological skills needed to handle the demands of the modern world,it you to compare prices <a href="http://www.amazingpeople.co.uk/organlsation">michael kors outlet uk</a> readily. use, when you've planned to buy a travelling <a href="http://lcedn.com/resouces">cheap michael kors handbags outlet</a> bag, invest in a ladies handbag that would be worth the investment property. such belongings generally simply speaking which may carry a little more than the particular ones. 
He became addicted courtesy of fear of the 1979 Iranian innovation, what gave birth to Ayatollah Ruhollah Khomeini Shiite theocracy. through 1980, Saddam began fight in direction of Iran. He turned to finally un organic rivalry and in addition rocket conditions on civilian communities.<br /><p>related articles:<br / ><a href="http://www.xmgoodarch.com">http://www.xmgoodarch.com</a><br/><a href="http://www.aaronstokes.com">http://www.aaronstokes.com</a><br/><a href="http://eastdevonexcellence.co.uk">http://eastdevonexcellence.co.uk</a><br/><a href="http://www.gbskoninginbeatrix.nl">http://www.gbskoninginbeatrix.nl</a><br/><a href="http://spec-nerjaveika.ru">http://spec-nerjaveika.ru</a><br/></p><p>Copyright &copy; 2014 cheap michael kors handbags outlet. All Rights Reserved.Powered by michael kors outlet uk.</p></div>




I searched for bits of strings from this within the database, could not find it. I searched for bits by word match on the whole site folder, could not find it. I don't know how or where this stuff is coming from but I need to get rid of it and prevent it in the future, and since this is a client's live site I need to do this urgently before the client finds out!

Please help!


P.S. By the way, the two thoughts occurred to me that the code might have been injected in base64 format. So I used this site:
https://www.base64encode.org/ to convert one of the words in this code "kors" into base 64 utf-8 format: a29ycw==
I searched just for that in the DB and in the HTML too but no luck. :(

Is this a widespread problem? I can't find any info on Google. It might be new... but it is my problem at the moment and I need to get rid of it.
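Added example, not part of the original post: a padded encoding such as a29ycw== only appears when the word is the entire encoded value, so a word inside a longer Base64 blob has to be searched for at each of its three possible byte alignments. The function names and the sample line below are constructed for illustration.

```javascript
// Build the Base64 fragments a word produces at byte offsets 0, 1 and 2
// of a 3-byte group. These fragments survive inside any longer blob.
function base64Needles(word) {
  const needle = Buffer.from(word, 'utf8');
  const out = [];
  for (let offset = 0; offset < 3; offset++) {
    // Filler bytes in front shift the word to the alignment under test.
    const buf = Buffer.concat([Buffer.alloc(offset), needle]);
    const b64 = buf.toString('base64').replace(/=+$/, '');
    const skip = [0, 2, 3][offset];               // chars that mix in filler bits
    const end = Math.floor((buf.length * 8) / 6); // chars fully determined by the word
    out.push(b64.slice(skip, end));
  }
  return out;
}

// Scan text (a theme file, a DB dump) for Base64 runs that contain the word.
// Each candidate run is decoded to confirm the hit before it is reported.
function findEncoded(text, word) {
  const needles = base64Needles(word);
  const hits = [];
  for (const m of text.matchAll(/[A-Za-z0-9+/]{8,}={0,2}/g)) {
    if (!needles.some((n) => m[0].includes(n))) continue;
    const decoded = Buffer.from(m[0], 'base64').toString('latin1');
    if (decoded.includes(word)) hits.push({ index: m.index, decoded });
  }
  return hits;
}

// Constructed sample: a PHP-style line hiding a spam heading in Base64.
const SAMPLE =
  '<?php echo base64_decode("' +
  Buffer.from('<h1>cheap michael kors handbags outlet</h1>').toString('base64') +
  '"); ?>';

console.log(base64Needles('kors'));            // the three fragments to search for
console.log(SAMPLE.includes('a29ycw=='));      // the padded form is not in the blob
console.log(findEncoded(SAMPLE, 'kors'));      // alignment-aware search finds it
```

Base64 is only one of several encodings an injected payload can use, so an empty result here narrows the search rather than ending it.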
Dave Baldwin:

It looks like this script may be doing it.  It's about half way down the page.
<script>/*<![CDATA[*/eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 0=2.3("4");0.5.6="7";',8,8,'traget|var|document|getElementById|linkId|style|display|none'.split('|'),0,{}))/*]]>*/</script>


You keep saying secure but clearly it isn't.  Over the years, people have occasionally been able to break into the servers and edit the page code for all kinds of sites.
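Added example, not part of the original answer: the script quoted above is wrapped in the common p,a,c,k,e,r packer, and it can be decoded statically, without ever calling eval, to see which element it hides. The function names are hypothetical; the packed text is the one from this thread, embedded as an inert string.

```javascript
// Packed script from the thread, held as plain text and never evaluated.
const PACKED = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 0=2.3("4");0.5.6="7";',8,8,'traget|var|document|getElementById|linkId|style|display|none'.split('|'),0,{}))`;

// Tail of the wrapper: }('payload',radix,count,'w0|w1|...'.split('|')
const PACKER_RE =
  /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Convert a payload token to its dictionary index (digits 0-9, a-z, A-Z,
// so radices up to 62 are handled). Returns -1 for anything else.
function tokenIndex(token, radix) {
  let n = 0;
  for (const ch of token) {
    let d;
    if (ch >= '0' && ch <= '9') d = ch.charCodeAt(0) - 48;
    else if (ch >= 'a' && ch <= 'z') d = ch.charCodeAt(0) - 87;
    else if (ch >= 'A' && ch <= 'Z') d = ch.charCodeAt(0) - 29;
    else return -1;
    if (d >= radix) return -1;
    n = n * radix + d;
  }
  return n;
}

// Rebuild the original source by substituting dictionary words for tokens.
function unpack(packed) {
  const m = PACKER_RE.exec(packed);
  if (!m) return null; // not a p,a,c,k,e,r wrapper
  const payload = m[1].replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
  const radix = Number(m[2]);
  const words = m[4].split('|');
  return payload.replace(/\b\w+\b/g, (tok) => {
    const i = tokenIndex(tok, radix);
    return i >= 0 && words[i] ? words[i] : tok; // empty slot means "keep token"
  });
}

// List element ids that the decoded script hides with display:none.
function hiddenElementIds(source) {
  const re = /(\w+)=document\.getElementById\("([^"]+)"\);\1\.style\.display="none"/g;
  return [...source.matchAll(re)].map((m) => m[2]);
}

console.log(unpack(PACKED));
console.log(hiddenElementIds(unpack(PACKED)));
```

The decoded statement hides the element with id linkId, which is why the injected block is invisible to visitors while remaining in the page source.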
badwolfff (ASKER):

Thanks Dave. I will test this in a minute and get back to you but it's greatly promising.

I understand the problem with security. It is never enough! Any suggestion over and above what I am already doing to ensure this does not occur again?
Hi, I can't find the string "linkid" either in the files or in the database. :(
What should I do? Where should I look?
In this case I have done a plain search, not base64 or anything else
I'd be looking for any 'includes' or JavaScript that is included in the pages.
Do I just get a WordPress installation from the WP site and substitute the includes folder? I can't see any strange folders at the moment. But they may be cleverly named too.
By the way, I have the latest WP 4.2.4.
ASKER CERTIFIED SOLUTION
Dave Baldwin
This solution is only available to members.
I've seen this before. Do you have a file named php5.php or something similar in your WordPress installation?

Try these steps:
1. Disable ALL plugins, and see if it goes away.
2. Change the theme to see if it goes away.

If #1 and #2 fail, it's in your WP core. Otherwise, it's in a plugin or theme.

If disabling the plugins works, then re-enable them one-by-one until the problem returns. When it does, you know which plugin is the problem.

If changing the theme (to twentyfifteen, for example) removes the problem with all plugins enabled, then it's in your theme, which is a serious issue.

The fact that you have the latest WP Core doesn't matter if your plugins or theme are not secure (i.e., were not coded by someone who understands security and knows what they are doing, which is not true of your site). If the problem is in your theme, you will continue to have it until the vulnerability in the theme is fixed. In my client's case, they had a theme designed by a web designer who was a copy / paste PHP tinkerer. It was a mess - full of deprecated functions, bad logic, and unsanitized inputs. We re-created their look and feel with a new child theme of twentyfifteen, and it solved the issue - permanently.

Without fixing the plugins / theme, the infection will survive WP Core updates and Sucuri won't be worth anything.
For reference, this is the entire injected div & associated script:
<div id="linkId"><H1>cheap michael kors handbags outlet</H1>through the process of I don imply nearly anything in another occasion sector. in my opinion, A journey box will be just much greater and comfy your homework to allow everything you need a detailed for out of the house day normal office or. traversing your own private urban world or for his or her day trip classifies as getaway with regards to your backpack is worried.possibly even more placing, but yet, Is the development of streetcars. It challenging turn a corner in song of Seattle obtaining suffering from tracks most likely trail station symptomatic rotating direction coming from First hill streetcar cover, slated to open soon after this advice year. section communities are generally remodeled in numerous carrying case consist of insulated push bike counters (far lower than),several bound to be huge number more and more in next months. at minimum, the following excitement which will speculate. become a member of the here for normal tv news and thoughts about NBC's Emmy outstanding fix humourous, "these, On sunday afternoons, i've been able to go to Celine case the "it also" pouch of the <a href="http://www.startsomewhere.com/quited">michael kors outlet</a> season whom simple town's Nordstrom holds on demonstrate to high up the actual other pedestal that this so richly is worthy of. injury lawyers los angeles strategy apart from the group range (and as well as budget), however i love to remove it and cerebrovascular accident or cva it has supple synthetic leather upkeep no one is looking (A scarcity through Nordstrom,<H2>michael kors outlet uk</H2> just what in the guise of fine products and services has given <a href="http://contentionjournal.org/taispa2/">michael kors outlet canada</a> a saleswoman to view my vision fullti) i like to sniff the car. it simply if and as well aromas and so splendid; do you know what I mean? 
you will discover early evenings that i take so enough time gazing it is photos on line will trendy see a are<H3>michael kors outlet</H3> up against, not really in contrast to individuals who understand the virgin mobile Mary's icon within snowdrift.typically the name centered a small, downtown user and even everyone else world health organization fantasized about this work. shoes and boots expanded to become most other equipments, amount of dress choices as well is manifest on, next happened to run criminal court, because of its first donating in 1994. after some time, Cole began undertaking extended troubled surrounding pricing for you to coolness.I surmised good that's mother requirement strictly even be a non selfish guardian but issuer, guaranteeing the maturing child became the most effective chunks during the time your own stoically achieved to be paid that includes sub an elemen waste. efficiently, now i am virtually all developed at this point,soon and even guess what happens? my corporation is on to your demands, ma! the same picky meat aspects end up being places the flavor is without a doubt. isn't? we in class,the author's family history felt similar in results as we are <a href="http://www.exensa.com/faus">michael kors factory outlet</a> successful intelligence, upon fighting way of life. merely our minds and as well as heads make supplanted over the last century. that is when these kind of iq rewards have happened, And we have developed the psychological skills needed to handle the demands of the modern world,it you to compare prices <a href="http://www.amazingpeople.co.uk/organlsation">michael kors outlet uk</a> readily. use, when you've planned to buy a travelling <a href="http://lcedn.com/resouces">cheap michael kors handbags outlet</a> bag, invest in a ladies handbag that would be worth the investment property. such belongings generally simply speaking which may carry a little more than the particular ones. 
He became addicted courtesy of fear of the 1979 Iranian innovation, what gave birth to Ayatollah Ruhollah Khomeini Shiite theocracy. through 1980, Saddam began fight in direction of Iran. He turned to finally un organic rivalry and in addition rocket conditions on civilian communities.<br /><p>related articles:<br / ><a href="http://padukasandals.com">http://padukasandals.com</a><br/><a href="http://acusticamedica.pt">http://acusticamedica.pt</a><br/><a href="http://lcedn.com">http://lcedn.com</a><br/><a href="http://win.centrocisa.it">http://win.centrocisa.it</a><br/><a href="http://www.imkersvereniginghelmond.nl">http://www.imkersvereniginghelmond.nl</a><br/></p><p>Copyright &copy; 2014 cheap michael kors handbags outlet. All Rights Reserved.Powered by michael kors outlet uk.</p><div> Top-rated Coach Handbags Outlet Online Come Back With Afforable Price & New Style. <a href="http://www.coachoutletonline24.us.com/">coach outlet online</a>Michael Kors Handbags Outlet Store Online Up To 80% OFF <a href="http://www.michaelkorsoutletus.us.com/">michael kors outlet</a></div></div><script>/*<![CDATA[*/eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 0=2.3("4");0.5.6="7";',8,8,'traget|var|document|getElementById|linkId|style|display|none'.split('|'),0,{}))/*]]>*/</script>



In looking at the CSS on your site, I notice you have the Visual Composer Extension installed, which is a rollup of over 47 add-ons. I can't say for certain, but there could easily be an out of date plugin in that package being exploited. I'd try disabling that one specifically and see if it causes the malicious code to disappear.
Thanks

I will put all your suggestions to the test and let you know.
Did this ever get resolved?
Yes