Forum Library, Charter, Moderators: ergophobe

Content Management Forum

    
I have a site hijacking my wordpress - can you help?
glenv




msg:3830509
 5:37 pm on Jan 20, 2009 (gmt 0)

I have a site that is based on Wordpress. It has been working fine. This morning I had added my Google Analytics code to the footer and decided then I would update some plugins. Anytime I clicked on the settings of a plugin I had added it took me to:

http://example.biz/

I have disabled all plugins and added them back in one at a time and it still does it no matter how few I have and when I change up the order I reload them.

I had someone looking at it and he is giving up but the last he said was it was loading an iframe before the site. I honestly do not know why anyone would hijack a plugin setting since the only people that see it is the web owner and it's just going to piss him off. I wonder if it really is even a hijacking?

If anyone is willing to take a look I would sure appreciate it. Let me know by PM and I will send you ftp, wp-admin etc.

Thanks so much.

[edited by: ergophobe at 6:47 pm (utc) on Jan. 20, 2009]
[edit reason] Personal URL removed, nefarious URL exemplified [/edit]

 

KevinBoss




msg:3830515
 5:45 pm on Jan 20, 2009 (gmt 0)

Before you start giving random people your FTP and Wordpress login, why don't you reinstall wordpress?

glenv




msg:3830519
 5:55 pm on Jan 20, 2009 (gmt 0)

-checked all plugins for malicious code, and deactivated them

-checked .htaccess in root + subfolders

-installed a fresh copy of WP 2.7.

-checked database for noscript, display,...

glenv




msg:3830522
 5:59 pm on Jan 20, 2009 (gmt 0)

It is using an iframe because it retains the correct wp-admin settings url in the nav bar at top but frames the site it sends you to.

reprint




msg:3830855
 11:57 pm on Jan 20, 2009 (gmt 0)

Let me ask the obvious question. Are you sure what you are clicking is really the settings? I only ask because I have seen links in plugins that are really promotions for other websites and not settings.
Did you download this plugin from somewhere other than the wordpress website? I have heard of themes being hacked and hosted for download on other websites but perhaps it happens with plugins too. Always download themes and plugins from the wordpress website.
Next I would deactivate and delete all the plugins. You can delete them in example.com/wp-content/plugins, test and see if your problem is gone.
If it is then download what you need from wordpress website and try reinstalling and activating one by one and testing.

Hope some of that helps. Let us know

ergophobe




msg:3830868
 12:11 am on Jan 21, 2009 (gmt 0)

That raises the question too of whether or not you've cleaned out your themes directory. You said you downloaded new versions of WP, but did you get rid of any non-default theme?

Obviously, you want to get your old theme back, but just as a troubleshooting exercise it might be worth it.

glenv




msg:3830874
 12:29 am on Jan 21, 2009 (gmt 0)

Yes, I am absolutely clicking on the settings - very familiar with Wordpress - use it on many sites.

ergophobe - are you saying I should delete all themes except my theme I want to keep?

ergophobe




msg:3830952
 2:36 am on Jan 21, 2009 (gmt 0)

I'm saying put your site in maintenance mode and delete (or rather move to a directory outside your WP install) all themes and try it with a fresh upload of the default theme.

Honestly, I have no idea if this will work, but it will remove one source from consideration.

That said, personally what I would probably do first is look at the html source and try to find some unique code from the offending page and grep the whole WP install for it and see if that turned up anything and I would do the same with a dump of the MySQL file.

ergophobe




msg:3830957
 2:43 am on Jan 21, 2009 (gmt 0)

PS - failing finding anything with grep, the next thing I would look for is obfuscated javascript. In other words, they might be doing something like obfuscating the domain by encoding it and then unencoding it with base64_decode() or simply some sort of string concatenation.

You might try loading your pages without javascript to see if the attack is JS based.

So, sorry for my disorganization. In order, I would do this:

1. disable Javascript in my browser and see what happens.

2. grep through all files for some unique text (the domain name or iframe tag or something).

3. do a DB dump and grep through that for the string.

4. move all themes outside WP install and try a known good theme.

5. Come back here for a shoulder to cry on.

Best of luck!
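
Steps 2 and 3 above as an added example (not part of ergophobe's post): a Python scanner that, beyond a plain grep for the domain, also matches the domain's base64 forms and simple string concatenation, the two obfuscations the post mentions. The function names, the `eval(` pattern and the sample tree are assumptions constructed for illustration; `example.biz` is the placeholder domain from the thread.

```python
import base64, re, tempfile
from pathlib import Path

# Constructs named in the thread, plus eval( as a common companion (added here).
CONSTRUCTS = {"iframe": rb"<iframe\b", "base64_decode": rb"base64_decode\s*\(",
              "eval": rb"\beval\s*\("}
# Quote, concatenation operator (PHP "." or JS "+"), quote: "exam" . "ple"
CONCAT = re.compile(rb"""["']\s*[.+]\s*["']""")

def needles(domain):
    """The literal domain plus its base64 form at each of the 3 byte alignments."""
    raw = domain.encode()
    found = {"literal": raw}
    for pad in range(3):
        enc = base64.b64encode(b"\0" * pad + raw).rstrip(b"=")
        # Keep only characters fully determined by the domain's own bytes.
        found[f"base64@{pad}"] = enc[(8 * pad + 5) // 6 : 8 * (pad + len(raw)) // 6]
    return found

def scan(root, domain):
    """Map each file under root to the sorted reasons it deserves a closer look."""
    hits = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        joined = CONCAT.sub(b"", data)  # undo simple string concatenation
        why = {"domain:" + k for k, n in needles(domain).items() if n in joined}
        why |= {k for k, rx in CONSTRUCTS.items() if re.search(rx, data, re.I)}
        if why:
            hits[str(path.relative_to(root))] = sorted(why)
    return hits

def demo():
    """Scan a constructed WP-like tree and DB dump (sample data, not from the thread)."""
    payload = base64.b64encode(b'<iframe src="http://example.biz/"></iframe>').decode()
    files = {
        "wp-content/themes/old/footer.php": f"<?php echo base64_decode('{payload}'); ?>",
        "wp-content/plugins/x/x.js": 'var u = "http://exam" + "ple.b" + "iz/";',
        "wp-includes/clean.php": "<?php echo 'hello'; ?>",
        "dump.sql": "INSERT INTO wp_options VALUES ('<iframe src=http://example.biz/>');",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in files.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return scan(root, "example.biz")

if __name__ == "__main__":
    print(demo())
```

A hit on `iframe`, `base64_decode` or `eval` alone is only a lead, since legitimate themes and plugins use all three; a hit on the domain in any form is the one to chase first.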

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved