
Site hacked or what?

Discussion in 'Black Hat SEO' started by TheMatrix, Jul 29, 2011.

  1. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Hi all

    I'm facing a very strange problem here.

    For one of my sites, I see several (80+) indexed URLs in Google in this format:

    Code:
    www.site.com/index.php?list=21&page=37
    Here's the first page screenshot of the G search:

    [IMG]

    It's a WP site BTW!

    I have no such pages on my site whatsoever.

    Each of these pages, redirects me to this site:
    Code:
    http://www.paperhelp.org/?pid=98
    The strangest thing is that the redirect only works when I'm logged in to my WP admin panel. Or else, it goes to my homepage.

    Also, lately, some of my posts are being redirected to the homepage.

    How is that happening? Can anyone help?

    TheMatrix
     
    Last edited: Jul 29, 2011
  2. scraper1

    scraper1 Regular Member

    Joined:
    May 28, 2011
    Messages:
    214
    Likes Received:
    207
    Location:
    Kontiki
    Home Page:
    Your blog might be backdoored. You are either owned through a vulnerability in WP or a plugin, or through a backdoored theme or plugin.
     
  3. svr231

    svr231 BANNED BANNED

    Joined:
    Nov 6, 2010
    Messages:
    50
    Likes Received:
    46
    Strange for me...
    Maybe I should be more alert because of this.
     
  4. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    I searched through every file in my installation, and the DB, but couldn't find the site's name in there.

    How do I remove the backdoor?
     
  5. shadowedsniper

    shadowedsniper Junior Member

    Joined:
    Aug 15, 2008
    Messages:
    168
    Likes Received:
    100
    Check your theme files. It's probably a free theme from some website other than WordPress's, right? And it's probably encoded with base64, so you won't be able to find it through a plain text search.
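    Posts 4 and 5 together make the practical point: a plain text search for the redirect domain finds nothing when the payload is base64-encoded, so the search has to decode quoted base64 literals (often nested several layers deep) and look for the indicator inside the decoded text. The scanner below is an added example, not code from the thread or from WordPress; it writes a constructed theme directory with a placeholder redirect host (example-redirect.invalid) so it runs offline, and the indicator string and suspicious function list are assumptions you would replace with your own.

```python
import base64
import re
import tempfile
from pathlib import Path

# Function names that commonly wrap hidden payloads in compromised PHP files (assumed list).
SUSPICIOUS_CALLS = ("eval(", "gzinflate(", "str_rot13(", "create_function(", "assert(")
# A quoted run of base64 alphabet characters long enough to be worth decoding.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=\s]{40,})['\"]")


def decode_layers(blob: str, max_depth: int = 5) -> list[str]:
    """Decode a base64 literal repeatedly and return every layer of plaintext.

    Backdoors often nest several base64 layers; each decoded layer is searched
    for a further quoted literal and decoded again, up to max_depth.
    """
    layers = []
    current = re.sub(r"\s+", "", blob)
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: the literal is not real base64
            break
        layers.append(decoded)
        inner = B64_LITERAL.search(decoded)
        if inner is None:
            break
        current = re.sub(r"\s+", "", inner.group(1))
    return layers


def scan_file(path: Path, indicators: tuple[str, ...]) -> list[dict]:
    """Report indicator strings or suspicious calls found in plain or decoded text."""
    text = path.read_text(errors="replace")
    findings = []
    for match in B64_LITERAL.finditer(text):
        line_no = text.count("\n", 0, match.start()) + 1
        for depth, layer in enumerate(decode_layers(match.group(1)), start=1):
            hits = sorted({s for s in (*indicators, *SUSPICIOUS_CALLS) if s in layer})
            if hits:
                findings.append({"file": path.name, "line": line_no, "depth": depth, "hits": hits})
    # Unencoded indicators matter too; depth 0 marks what a plain grep would already catch.
    for ind in indicators:
        if ind in text:
            line_no = text.count("\n", 0, text.index(ind)) + 1
            findings.append({"file": path.name, "line": line_no, "depth": 0, "hits": [ind]})
    return findings


def scan_tree(root: Path, indicators: tuple[str, ...]) -> list[dict]:
    """Scan every .php file under root (theme and plugin directories alike)."""
    findings = []
    for php in sorted(root.rglob("*.php")):
        findings.extend(scan_file(php, indicators))
    return findings


def build_demo_tree() -> Path:
    """Write a constructed theme directory: one clean file, one with a nested backdoor.

    The host example-redirect.invalid is a placeholder, not a real site.
    """
    root = Path(tempfile.mkdtemp(prefix="theme-demo-"))
    payload = (
        'if (is_user_logged_in()) { header("Location: '
        'http://example-redirect.invalid/?pid=1", true, 302); exit; }'
    )
    layer1 = base64.b64encode(payload.encode()).decode()
    layer2 = base64.b64encode(f'eval(base64_decode("{layer1}"));'.encode()).decode()
    (root / "functions.php").write_text(
        "<?php\n// theme setup\nadd_action('wp_head', 'theme_head');\n"
        f'eval(base64_decode("{layer2}"));\n'
    )
    (root / "header.php").write_text("<?php wp_head(); ?>\n<h1><?php bloginfo('name'); ?></h1>\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in scan_tree(demo, ("example-redirect.invalid",)):
        print(f"{f['file']}:{f['line']} depth={f['depth']} hits={f['hits']}")
```

    Run it against wp-content/themes and wp-content/plugins with your own redirect domain as the indicator; a hit at depth 1 or more is exactly the case a plain search misses, and the reported line points at the literal that needs removing.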
     
  6. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    No, it's a custom coded theme. I myself wrote every single piece of code!
     
  7. fanthomas

    fanthomas Registered Member

    Joined:
    Jan 25, 2010
    Messages:
    98
    Likes Received:
    31
    Must be the plugins. Do you think you've had this problem for a long time without realizing it? If yes, then it will be hard to figure out which plugin is causing it. I would remove all of them and start over. This is why I don't use WordPress and create static sites.
     
  8. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    The site's been up for almost 2 years now, and I just saw this. Maybe these pages have been created 7-10 days ago.
     
  9. sbw27

    sbw27 Regular Member

    Joined:
    Jan 6, 2008
    Messages:
    390
    Likes Received:
    441
    Yeah...hacked. Try installing exploit scanner or virus scanner...both free wp plugins that will help you find the exploit.
     
  10. GreyWolf

    GreyWolf Executive VIP Jr. VIP

    Joined:
    Aug 17, 2009
    Messages:
    1,930
    Likes Received:
    5,388
    Gender:
    Male
    Occupation:
    Artist / Craftsman
    Location:
    sitting at my PC
    Yeah that's very odd. It sucks when things like that happen.

    One thing I did notice when I made a typo and left the : out of the search string "site ******.com inurl:index.php" is that it actually gave a whole different set of results, showing pages where your site is backlinked with the format "******.com/index.php?list=21&page=37". There are a lot of backlinks to your domain with various different list and page numbers. It might be worthwhile for you to check that out as well; maybe you can find something leading you to who's posting them or something.

    I then did the search string correctly "site:******.com inurl:index.php" and got the same results page you pasted. When I click any of the links it just goes to your homepage just as you said. I don't really see what value it would be to a hacker if the only time it redirects is for the site admin, but I'm sure they have some reason for it. Maybe it's to somehow identify you so they can exploit you even more like with a keylogger or something.

    I didn't find the paperhelp.org link anywhere in the source of your home page so it's probably somewhere in the php files. If you have a bulk text search program you might try searching for it in all the files on your server. Of course it could be in an obfuscated code section or the redirect from your site could be going somewhere else first and then redirecting to the paperhelp.org site.

    I did a search for the paperhelp site and backdoor but didn't find anything; you might keep doing similar searches though. Maybe search your theme and plugin names on Google, adding backdoor, virus, hacked, etc. It seems like for something like this others would be having the same problem.

    I'd definitely be concerned if it was my site. I'd keep searching for answers until I found something. Worst case you might need to delete and reinstall wordpress and your themes. I'd do everything I could to figure it out before doing that though.

    Be sure to come back to this thread and post whatever you figure out or after you try whatever final solution you come up with. Good luck.

    Another place you should check is your .htaccess, to see if there's anything suspicious there. It seems like that would be more likely if it was happening all the time though. Since it's only happening when you're logged into admin, I'd think it's probably somewhere else. Still worth checking though.
     
    Last edited: Jul 29, 2011
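    On the .htaccess suggestion above: an Apache RewriteRule can be made conditional with RewriteCond lines that test the request's cookies, User-Agent or Referer, so a redirect in .htaccess can fire only for logged-in users or only for search-engine crawlers, while everyone else sees the normal site. The auditor below is an added example, not code from the thread or from any WordPress project: it pairs each RewriteRule with its preceding RewriteCond lines, flags rules whose target is a host other than your own, and reports which request attributes gate them. The .htaccess content and the host example-redirect.invalid are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not any real site's file: the first block is WordPress's
# stock rewrite block, the last four lines are the kind of conditional external
# redirect that would need explaining.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://example-redirect.invalid/go.php?sid=1 [R=302,L]
RewriteCond %{HTTP_COOKIE} wordpress_logged_in [NC]
RewriteRule ^index\\.php$ http://example-redirect.invalid/?pid=1 [R=302,L]
"""

# Request attributes whose presence in a RewriteCond makes a redirect selective:
# cookie-gated rules hit logged-in users, User-Agent-gated rules hit crawlers.
SELECTIVE_VARS = ("HTTP_COOKIE", "HTTP_USER_AGENT", "HTTP_REFERER")


def parse_rewrite_rules(text: str) -> list[dict]:
    """Pair each RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append({"line": line_no, "var": parts[1], "pattern": parts[2]})
        elif directive == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append({"line": line_no, "pattern": parts[1], "target": parts[2],
                          "flags": flags, "conds": pending})
            pending = []  # conditions apply only to the next RewriteRule
    return rules


def audit_htaccess(text: str, own_hosts: set[str]) -> list[dict]:
    """Flag rules that send visitors to a host outside own_hosts, with what gates them."""
    findings = []
    for rule in parse_rewrite_rules(text):
        host = urlparse(rule["target"]).hostname if "://" in rule["target"] else None
        if host is None or host in own_hosts:
            continue  # relative path or own host: ordinary WordPress routing
        # An absolute URL to another host is always an external redirect;
        # Apache uses 302 unless the R flag carries an explicit code.
        status = "302"
        for flag in rule["flags"]:
            if flag.upper().startswith("R"):
                status = flag.split("=", 1)[1] if "=" in flag else "302"
        triggers = [v for c in rule["conds"] for v in SELECTIVE_VARS if v in c["var"]]
        findings.append({"line": rule["line"], "host": host, "status": status,
                         "triggers": triggers})
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, {"www.example.com"}):
        gate = ", ".join(f["triggers"]) or "every request"
        print(f"line {f['line']}: {f['status']} redirect to {f['host']} (fires on: {gate})")
```

    Point it at the real file with `audit_htaccess(Path(".htaccess").read_text(), {"www.yoursite.com", "yoursite.com"})`; a finding with HTTP_COOKIE in its triggers is a redirect that only logged-in users would ever see, which matches the symptom described in the first post.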
  11. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Ran the scan. Nothing found!
     
  12. jkrillah

    jkrillah Junior Member

    Joined:
    Mar 25, 2010
    Messages:
    191
    Likes Received:
    140
    Location:
    Canary Islands, Atlantic Ocean
    Are you using the latest WP? Because one of my hosting providers had just sent every customer an email about always updating to the latest, since "its not funny when your wordpress blog gets hacked".

    On a side note, a site of mine just got hacked too; luckily a new site, it ran the ArticleDashboard script. They "defaced" it...
     
  13. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    That's quite a nice discovery. I went through these backlinks to the unwanted pages, and look at one of these:

    Code:
    http://www.bmwlemon.com/showthread.php?13-hxyecijtjxi-bPaxgearnec-yeyfegqeyla&
    And another:

    Code:
    http://www.avsuomi.nl/gb/index.php?eintrag=120&PHPSESSID=8b12ca8278b9642885cfbf2473f85fa7
    All of the backlinks are from guestbooks, xRumer-style forum pages etc.

    Seems like it's not only me. They are fcking other people as well using the same exploit.

    I'm downloading my theme, and will go through each line of code, to check any suspicious snippet. Also, I've elevated the matter to my hosting provider.

    Also, a few days ago, I was into another problem.

    Some plugins were causing WP-ADMIN to be blank (white) unless deleted manually.

    The plugins I checked were these:
    wp-minify
    wp-http-compression
    secure wordpress
    W3 Total Cache
    WordPress Gzip Compression

    When any one (or all) of these is activated, the screen goes blank white, and the whole admin area is nothing but a white screen.

    Unless I manually delete the plugin's folder in wp-content/plugins/ using FTP/cPanel, the problem persists.

    Now, I checked, and the problem is resolved.
     
  14. blackmamber

    blackmamber Junior Member

    Joined:
    Feb 11, 2010
    Messages:
    117
    Likes Received:
    74
    Those links have been removed, just checked on G. Maybe someone trying to clone your site
     
  15. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Unfortunately, they are still there!
     
  16. jkrillah

    jkrillah Junior Member

    Joined:
    Mar 25, 2010
    Messages:
    191
    Likes Received:
    140
    Location:
    Canary Islands, Atlantic Ocean
    Such stuff has been going on forever. Viagra spammers exploited holes in stat tools, for example, to place their backlinks.

    The problem can be anywhere. Your host isn't updating your virtual server regularly with the latest security fixes. It can be SQL, PHP, the webserver, the WordPress installation, Fantastico... If it's a plugin, yes, it would be helpful to find out which one it is. You could search all your plugins in Google + exploit, or check your logs as to what exactly was done before this started.
     
  17. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    UPDATE:

    It WAS a plugin!

    STATPRESS!

    How I found out?

    I ran a search in my DB using phpmyAdmin and found out the cause.

    I have not deleted the plugin, and the DB tables and rows it created!

    The problem is NOT fixed though!

    Redirect still is there...
     
    Last edited: Jul 29, 2011
  18. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    New Update:

    Out of anger, I tried to DoS the site to which links redirect, and only after 20k pings using SB, I think I might have seen the face of success!

    I just tried to use that redirect and got this error:

    [IMG]

    Doing the http://whois.domaintools.com/dorgusus.in, I get the following information:

    Again, GreyWolf was right. The person(s) is/are using a secondary site to setup the redirect.

    The script is at

    Code:
    http://dorgusus.in/go/got.php?sid=1
    If anyone can extract any good info..??

    EDIT: I used httpFox to analyze the redirect and here's what I got when I clicked on the G search result.

    [IMG]

    So, I can conclude that the person is using a 302 redirect!
     
    Last edited: Jul 29, 2011
  19. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    A few more confusing things I am seeing:

    [IMG]

    [IMG]
     
  20. TheMatrix

    TheMatrix BANNED BANNED

    Joined:
    Dec 20, 2008
    Messages:
    3,444
    Likes Received:
    7,279
    Another update:

    1. I just deleted all of my wp-admin and wp-includes folders, and re-uploaded fresh downloaded files from wordpress.org. Still the problem is there!
    2. I deactivated all my plugins, but still the problem persists. So it seems to be just my theme, but as far as I have checked, there's no suspicious code in it.

    Man. What is it....
     
    Last edited: Jul 29, 2011