
Forum Moderators: ergophobe


I have a site hijacking my wordpress - can you help?

     
5:37 pm on Jan 20, 2009 (gmt 0)

10+ Year Member



I have a site that is based on Wordpress. It has been working fine. This morning I had added my Google Analytics code to the footer and decided then I would update some plugins. Anytime I clicked on the settings of a plugin I had added it took me to:

http://example.biz/

I have disabled all plugins and added them back in one at a time and it still does it no matter how few I have and when I change up the order I reload them.

I had someone looking at it and he is giving up but the last he said was it was loading an iframe before the site. I honestly do not know why anyone would hijack a plugin setting since the only people that see it is the web owner and it's just going to piss him off. I wonder if it really is even a hi-jacking?

If anyone is willing to take a look I would sure appreciate it. Let me know by PM and I will send you ftp, wp-admin etc.

Thanks so much.

[edited by: ergophobe at 6:47 pm (utc) on Jan. 20, 2009]
[edit reason] Personal URL removed, nefarious URL exemplified [/edit]

5:45 pm on Jan 20, 2009 (gmt 0)

5+ Year Member



Before you start giving random people your FTP and Wordpress login, why don't you reinstall wordpress?

5:55 pm on Jan 20, 2009 (gmt 0)

10+ Year Member



-checked all plugins for malicious code, and deactivated them

-checked .htaccess in root + subfolders

-installed a fresh copy of WP 2.7.

-checked database for noscript, display,...

5:59 pm on Jan 20, 2009 (gmt 0)

10+ Year Member



It is using an iframe because it retains the correct wp-admin settings url in the nav bar at top but frames the site it sends you to.

11:57 pm on Jan 20, 2009 (gmt 0)

5+ Year Member



Let me ask the obvious question. Are you sure what you are clicking is really the settings? I only ask because I have seen links in plugins that are really promotions for other websites and not settings.
Did you download this plugin from somewhere other than the wordpress website? I have heard of themes being hacked and hosted for download on other websites but perhaps it happens with plugins too. Always download themes and plugins from the wordpress website.
Next I would deactivate and delete all the plugins. You can delete them in example.com/wp-content/plugins, test and see if your problem is gone.
If it is then download what you need from wordpress website and try reinstalling and activating one by one and testing.

Hope some of that helps. Let us know

12:11 am on Jan 21, 2009 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



That raises the question too of whether or not you've cleaned out your themes directory. You said you downloaded new versions of WP, but did you get rid of any non-default theme?

Obviously, you want to get your old theme back, but just as a troubleshooting exercise it might be worth it.

12:29 am on Jan 21, 2009 (gmt 0)

10+ Year Member



Yes, I am absolutely clicking on the settings - very familiar with Wordpress - use it on many sites.

ergophobe - are you saying I should delete all themes except my theme I want to keep?

2:36 am on Jan 21, 2009 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I'm saying put your site in maintenance mode and delete (or rather move to a directory outside your WP install) all themes and try it with a fresh upload of the default theme.

Honestly, I have no idea if this will work, but it will remove one source from consideration.

That said, personally what I would probably do first is look at the html source and try to find some unique code from the offending page and grep the whole WP install for it and see if that turned up anything and I would do the same with a dump of the MySQL file.

2:43 am on Jan 21, 2009 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



PS - failing finding anything with grep, the next thing I would look for is obfuscated javascript. In other words, they might be doing something like obfuscating the domain by encoding it and then unencoding it with base64_decode() or simply some sort of string concatenation.

You might try loading your pages without javascript to see if the attack is JS based.

So, sorry for my disorganization. In order, I would do this:

1. disable Javascript in my browser and see what happens.

2. grep through all files for some unique text (the domain name or iframe tag or something).

3. do a DB dump and grep through that for the string.

4. move all themes outside WP install and try a known good theme.

5. Come back here for a shoulder to cry on.

Best of luck!
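
Steps 2 and 3 of the list above, extended to the case raised in the PS where a plain grep finds nothing because the string is base64-encoded. This is an added example, not part of the original thread; the function names, file names and sample tree are constructed, and `example.biz` is the placeholder domain from the first post.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Quoted runs of base64 characters long enough to hide a URL or an HTML tag.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

def scan_text(text, needles):
    """Return (kind, needle, line_no) for each plain or base64-hidden match."""
    hits = []
    needles = [n.lower() for n in needles]
    for line_no, line in enumerate(text.splitlines(), 1):
        views = [("plain", line.lower())]
        for m in B64_LITERAL.finditer(line):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # looked like base64 but does not decode
            views.append(("base64", raw.decode("latin-1").lower()))
        hits += [(kind, n, line_no) for kind, v in views for n in needles if n in v]
    return hits

def scan_tree(root, needles):
    """Scan every file under root (WP files plus a DB dump saved there)."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            for hit in scan_text(text, needles):
                found.append((path.relative_to(root).as_posix(), *hit))
    return found

def demo():
    """Constructed sample tree: one encoded iframe, one plain one, one clean file."""
    iframe = '<iframe src="http://example.biz/"></iframe>'
    encoded = base64.b64encode(iframe.encode()).decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "themes").mkdir()
        (root / "themes/footer.php").write_text(f'<?php echo base64_decode("{encoded}"); ?>\n')
        (root / "themes/index.php").write_text("<?php get_header(); ?>\n")
        (root / "dump.sql").write_text(f"INSERT INTO wp_options VALUES (1,'x','{iframe}');\n")
        return scan_tree(root, ["example.biz", "<iframe"])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Obfuscation by string concatenation, the other technique mentioned in the PS, is not detected by this check.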

 
