someone hacked the WP site. and added popup ads.

Discussion in 'Black Hat SEO' started by hardik9099, Oct 11, 2017.

  1. hardik9099

    hardik9099 Regular Member

    Joined:
    Oct 10, 2017
    Messages:
    301
    Likes Received:
    49
    Gender:
    Male
    My website hacked by someone and he added some propeller ads popup code on my site. I was not able to find that script, I tried removing all the plugins from the site and turn to basic WP theme also.

    how is it possible?


    when i load the site, i can see a small script running on load, and i can see the publisher id of that hacker.
    i used some plugins to find the script running on site when site loaded. but there is nothing in WordPress.

    any idea where he added the script?
     
  2. volund

    volund Supreme Member

    Joined:
    Jan 24, 2010
    Messages:
    1,224
    Likes Received:
    751
    Occupation:
    Trying to make a buck or two
    The code could be hidden in any number of files.

    The best and easiest thing to do if your site gets hacked is to delete all your files and then upload a backup. It is much faster and safer than trying to find where the code is hidden. Last time I had to do this to a site the whole process took 10 minutes. Remember all your posts and pages are in your database so you do not lose any info other than maybe some recent updates.


    If you do not have a backup you have a couple of choices.

    Download all the php files and then run grep on them searching for a code snippet from the hack. The problem with this or any other cleaning method is you will never be 100% sure you get all of it as there may well be code hidden to reinstall the hack after the cleaning.

    Temporarily install a new version of your site locally or on a different domain, use the same theme, plugins etc. Basically you are manually creating a clean backup. Once you have this done you then delete all the files on your current hacked domain and upload the backup you created.

    If you use this method make sure you create the same exact setup that you are currently using otherwise you will have problems with your site not working properly.

    Once you have your site clean you need to harden it and if you have not been doing backups you need to start.
     
    • Thanks Thanks x 1
  3. danparks

    danparks Regular Member

    Joined:
    Sep 26, 2011
    Messages:
    209
    Likes Received:
    76
    If you use this method, also make sure to download any .js files (if there are any). Hackers can inject script code in these existing files.


     
  4. MillieNelson

    MillieNelson BANNED BANNED

    Joined:
    Jun 30, 2017
    Messages:
    126
    Likes Received:
    26
    Gender:
    Male
    its possible via ur hosting provider too so be carefull
     
  5. ddungud

    ddungud Newbie

    Joined:
    Jan 5, 2016
    Messages:
    17
    Likes Received:
    1
    check your functions.php file. I experienced that problem about 3 weeks ago. Discovered some code had been inserted. I deleted it and changed the file permission to 444
     
  6. MikeyMikey13

    MikeyMikey13 BANNED BANNED

    Joined:
    May 25, 2014
    Messages:
    2,340
    Likes Received:
    971
    I've had this happen to some of my sites.

    There is two files hiding in the WP-admin folder.

    And then some code in functions.php. But if you try to delete the code in functions, the files hiding in wp-admin will callback and rewrite your functions...

    Google snippets of the code in functions and you'll find your answer good sir
     
    • Thanks Thanks x 1
  7. CenTex Hosting

    CenTex Hosting Jr. VIP Jr. VIP

    Joined:
    Nov 8, 2009
    Messages:
    2,418
    Likes Received:
    934
    Gender:
    Male
    Occupation:
    Founder/CEO
    Location:
    Austin, TX
    Home Page:
    I would recommend to see if your host has a clean backup that could be loaded. One of the neg draw backs to using wordpress sites. Way to easy for these guys to hack and just do that. Those files could be hidden in a number of different files. You could also ask your host to run a scan on your site if they don't have backup.