Dean OBrien
asked on
Wordpress site hacked - trying to figure out strange behaviour
Experts,
A friend's website has been having issues for a number of weeks. The site appears to have been hacked, in that at different times an older version of the site is displayed, with a header tag 'Buy Viagra -BBS'.
I'm not directly involved in the site development, but apparently they have followed various steps to fix the site and the developer now believes the site to be fixed. However, when I have been accessing it, I get strange results.
Sometimes when I google 'boutique bar show', it advises 'site have been hacked', but sometimes it doesn't show this. I would have thought it's a clear-cut thing one way or the other with Google?
Also, when I enter the URL 'www.boutiquebarshow.com' into three main browsers (Chrome / FF / IE), IE and FF display the up-to-date site (noticeable by title='Home:BBS-Best Boutique...') whereas Chrome shows a month-old site (noticeable by title='Buy viagra - BBS'). Now Chrome is my default browser, so I assumed this was simply a caching issue and that the site is indeed fixed. So I deleted the full browsing history and tried again, to find that indeed Chrome started showing the up-to-date site.
However... after about 20 mins of doing other stuff, I re-entered the domain into the address bar and now it continues to show the old site (Buy viagra -BBS).
The bar show that the site promotes is due to run in less than 10 days, so it is essential we figure out what's going on... I would appreciate any suggestions / recommendations?
Regards
Easynow
Dean: Glad to see Jason here; you're in good hands!
ASKER
Ray / Jason / Brandon,
Thanks for all your comments. I am trying to get full access to the site to start implementing changes. Once I do, I will be sure to follow each of your suggestions.
For now I was able to get the WordPress login details and have been able to upload the 'sucuri security' plugin, which has identified a number of suspicious files that have been altered recently, since the most recent publish date:
6th August 2015 6:42 pm wp-includes/lndex.php
4th September 2015 9:31 am wp-includes/pomo.php
6th August 2015 6:42 pm wp-includes/functions.php
So I will start with them and hopefully get something sorted.
Thanks again
Dean
The only problem with Sucuri, WordFence, et al. is that they do a really good job of identifying what was hacked but are less good at actually identifying WHY you got hacked.
So go through the affected files (functions.php may be a false positive but check it anyway) but keep a close eye on the site. If the hack reappears, it's because one or more backdoors are present and that's much harder to fix.
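Added example, not part of the original thread and not Sucuri's or WordPress's own code: one way to keep a close eye on the site is to snapshot hashes of the PHP files while the install is known to be clean and re-audit later. The directory tree, file contents and function names are constructed for illustration; only the three file names come from the asker's post.

```python
import hashlib
import tempfile
from pathlib import Path

# Characters often swapped so a planted file resembles a legitimate name.
LOOKALIKES = str.maketrans({"l": "i", "1": "i", "0": "o"})

def build_manifest(root: Path) -> dict[str, str]:
    """Map every .php file under root (relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with a manifest taken from a known-good copy."""
    live = build_manifest(root)
    known = {Path(rel).name.translate(LOOKALIKES) for rel in baseline}
    report = {"modified": [], "added": [], "lookalike": [],
              "missing": sorted(set(baseline) - set(live))}
    for rel, digest in live.items():
        if rel not in baseline:
            report["added"].append(rel)
            # New file whose normalised name collides with a known one,
            # e.g. lndex.php normalises to index.php.
            if Path(rel).name.translate(LOOKALIKES) in known:
                report["lookalike"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    return report

def demo() -> dict[str, list[str]]:
    """Constructed sample tree, not a real WordPress file list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "wp-includes/functions.php").write_text("<?php // helpers\n")
        (root / "wp-includes/load.php").write_text("<?php // bootstrap\n")
        baseline = build_manifest(root)  # snapshot while the site is clean
        # Later changes, using the file names from the thread (placeholder contents):
        (root / "wp-includes/lndex.php").write_text("<?php // unexpected\n")
        (root / "wp-includes/pomo.php").write_text("<?php // unexpected\n")
        (root / "wp-includes/functions.php").write_text("<?php // helpers, edited\n")
        return audit(root, baseline)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

A file that shows up again under "added" or "modified" after cleanup is the reappearance the reply above warns about. Store the baseline manifest off the server so it cannot be altered along with the files.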
Precisely, agree; they have a certain interest and stake as well. The secure and defensive code is still to be checked - I am really disgusted by others getting a WAF to cover up the gaps and deeming such virtual apps as solving the issues. I fainted over it, but they just don't budge till the mgmt instructs them. Sad case.
ASKER
As a matter of interest, if you search for 'boutique bar show' in Google, does it suggest the site is hacked for you? Obviously I won't ask you to access it!
Thanks
Easynow