My Site's been hacked!

[YUCATAN.DANCE]

Ask your hosting provider to scan the directory! Find the file and clean it! You can try by replacing the WordPress file manually! before overwriting the files, dnt forget to make a backup zip

already did. they provided the scan log and i cleaned up manually. fortunately those files are not much!

 

[orbitsolutions]

already did. they provided the scan log and i cleaned up manually. fortunately those files are not much!

replace everything! themes , plugins etc.. scan site online

 

[CAFFEiNE]

already did. they provided the scan log and i cleaned up manually. fortunately those files are not much!

Give a list of Themes & Plugins you have used just so that people can be wary off & do additional checks

 

[whitetigerdk]

THERE IS ONE THING I WOULD LIKE TO SUGGEST, I'VEE SEEN RANDOM PEOPLE (NEWLY CREATED ID) SHARE RESOURCES IN COMMENTS WITHOUT ANY PROPER BACKGROUND CHECK OF THAT PLUGIN/THEMES. I THINK THAT NEEDS TO BE PROHIBITED FOR THE SAFETY OF OTHERS.

Indeed.. Need to report every time we see to have resource/user removed..

 

[YUCATAN.DANCE]

ok, here is the scan log...
before scanning i removed bunch of plugins, so these are not included in the logs.

Backdoor Scan-log - Pastebin link

 

[CAFFEiNE]

ok, here is the scan log...
before scanning i removed bunch of plugins, so these are not included in the logs.

Backdoor Scan-log - Pastebin link

That's not a virus, that's the whole plague itself That's a nasty infection!

 

[OVOSZN]

I had this last month, it writes to an about.php, and the .htaccess file stays in the server's memory so you have to constantly delete the file sit rewrites, and flush the memory, it cost me two weeks of constantly fixing, lost revenue and I lost 2 clients. I eventually paid for Securri and they sorted it out. My advice is on Black Friday and Cyber Monday see what plugins you can get for cheap and start buying them if you can, nulled plugins can have malware in them, I only use them as demos so I stop wasting money on plugins that don't work

You shouldn't use nulled plugins on production websites, even more so when clients are involved. They're great for testing on staging sites to see if they do what you need - you then purchase a licence. Unfortunately, the only thing that cost you revenue is cheaping out by not purchasing a licence.

 

[CAFFEiNE]

@YUCATAN.DANCE on production if you have a tight budget & it's a personal site, grab some legit activations from the trusted sellers here & for other plugins, like the backup ones and stuff, either do it manually yourself or use the free version. Wherever a free version + manual work can do the trick, do that. It'll save you from these headaches & give your site better performance (by reducing number of pplugin)

 

[YUCATAN.DANCE]

@YUCATAN.DANCE on production if you have a tight budget & it's a personal site, grab some legit activations from the trusted sellers here & for other plugins, like the backup ones and stuff, either do it manually yourself or use the free version. Wherever a free version + manual work can do the trick, do that. It'll save you from these headaches & give your site better performance (by reducing number of pplugin)

will do from next time. thanks! <3

 

[Custom B]

Is there an effective way to prevent it?

ok, here is the scan log...
before scanning i removed bunch of plugins, so these are not included in the logs.

Backdoor Scan-log - Pastebin link

jeeez that must have been some crawling speed site...the wwwalking dead

 

[Tuton]

been using babiato resources from 2018 bro. never experienced such kind of weird problem. but it happened recently. must be some plugin causing the issue.

THERE IS ONE THING I WOULD LIKE TO SUGGEST, I'VEE SEEN RANDOM PEOPLE (NEWLY CREATED ID) SHARE RESOURCES IN COMMENTS WITHOUT ANY PROPER BACKGROUND CHECK OF THAT PLUGIN/THEMES. I THINK THAT NEEDS TO BE PROHIBITED FOR THE SAFETY OF OTHERS.

We make an effort to abide by the standards that have been set up in our community about new users contributing resources in threads. The best advise is to report any questionable comments made by new members because we moderators monitor an average of about 190,000 people, making it challenging to keep track of everything. If necessary, we'll evaluate the comments and take appropriate action. best recommendation at the moment is to use the download button on the page at all times, or make sure you're downloading from a trusted user who has the Nullmaster badge since Babiato has approved them.

 

[GuestofHonor]

Hey everyone, recently i've found some issues which is redirect issue and my WP index.php files got autometically modified and there are some some .php codes inserted.
I've scanned and fixed it with Wordfence but it got infected over and over.
how to prevent infection from happening again????

have you changed wordfence scan settings to high sensitivity to check all folder ?!
you already have a shell on your website which allows the hacker to modify files any time or he already has access to your cPanel
and my advise is to find a hosting that have

imunify 360

installed to block the scripts from executing

 

[anaxtech]

best thing to resolve issues go to https://sucuri.net/ hire services they will fix everything with small price ...

 

[GuestofHonor]

those are the examples of infected files.

This is shell installer
1- use wordfence scan with the high sensitivity setting to scan all directories
2- change your cPanel password and check if new users has been added to the database or wordpress users.
3- check if file manager plugin has been installed on ur wordpress.
4- use a hosting provider that have

imunify 360 extention

installed to block the execution of infected scripts and shells
5- Always use 2FA authentication option in wordfence
6- always Disable Code Execution for Uploads directory from wordfence all options.
7- disable user registration (if your website doesn't require it).
8- disable file editing in wordpress by adding this code to wp-config.php

define( 'DISALLOW_FILE_EDIT', true );

9- protect wp-config.php by moving it outside public_html
10- check the steps here

I hope this helps

 

[counselme]

..even worse

what do you mean by "even worse"?

You think Babiato is a place people or anyone just uploads whatever they like without those files being scanned first?

I use many plugins from here and have never had this issue. Please, drop it.

 

[GuestofHonor]

Is there an effective way to prevent it?

sometimes your website is not the one originally hacked but another on the same server which gives the hacker the ability to access all websites on that server.
use good hosting provider and clean your files and scan your files using imunify 360 and wordfence(high sensitivity scan)
imunify will stop the execution of any malicious script and delete it

 

[Custom B]

what do you mean by "even worse"?

You think Babiato is a place people or anyone just uploads whatever they like without those files being scanned first?

I use many plugins from here and have never had this issue. Please, drop it.

dude chill..

 

[counselme]

been using babiato resources from 2018 bro. never experienced such kind of weird problem. but it happened recently. must be some plugin causing the issue.

THERE IS ONE THING I WOULD LIKE TO SUGGEST, I'VEE SEEN RANDOM PEOPLE (NEWLY CREATED ID) SHARE RESOURCES IN COMMENTS WITHOUT ANY PROPER BACKGROUND CHECK OF THAT PLUGIN/THEMES. I THINK THAT NEEDS TO BE PROHIBITED FOR THE SAFETY OF OTHERS.

I have been using Babiato too but issues like is not because of the files you downloaded from Babiato. There are many ways to hack your application (WordPress mostly).

I can join hands in helping you fix it if you don't mind. I've done it for different clients before and all websites work well now.

It takes time but I sure make it work.

 

[counselme]

dude chill..

Had to say something cos of what you said BUT I have seen who you replied earlier. All good.

 

[amitkumar]

its imunify 360 that will 100% work