Wordpress Hack on linux apache server - no detectable changes in files [duplicate]


This question already has an answer here:

  • How do I deal with a compromised server? (13 answers)



I have a weird hacking case with one of my WordPress sites. It's a small site, basically shows 5 blog posts on whether or not the office will be open/closed. It's not too complicated or anything, but it was hacked and now redirects to some spam/malware sites.

Basically the site loads the pages, and after about 3 seconds it redirects. I've checked the header.php, index, footer, and don't see anything obvious, plus they weren't listed as being changed. The other thing that is weird is I ran a Linux command to search for files that have been changed in the last 10 days, and the only ones that came back were ones I touched while checking for these redirects and doing :wq with vi. It doesn't seem like anything on the PHP/backend side is doing this redirect.

It is hosted on an Apache Linux server. Would there be somewhere else I can check to see if this redirect is being made? If there was something that was causing it in the PHP files, wouldn't it redirect immediately instead of letting the site load? There isn't an .htaccess and I don't see anything obvious in the apache.conf file.

After doing some digging I found that there are some script injections in all pages. The script redirects to a page where there is some malicious content. However, the WordPress version control does not say that these pages were edited. It doesn't have anything historical that looks like this had happened. Is it possible that something was changed in the wp-admin to inject these scripts in the editor? Or if you make changes to the WordPress database for a page does it not create a new version? Where would I check that? What permissions should my WordPress site have?

Thanks for the help!

























marked as duplicate by Iain, kubanczyk, Ward May 8 at 2:59


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.


















  • @Iain it is similar, but I think the core question here is not how to deal with the compromise but rather how the observed malware could function in this context. Brendan, I would recommend editing the question, however, to clarify the main question now that you have found the malware.

    – Kernel Stearns
    May 7 at 12:58

















apache-2.4 redirect wordpress spam














edited May 7 at 17:01 – Brendan
asked May 7 at 2:04 – Brendan




1 Answer














If your server was compromised, then it is entirely possible for the attacker to circumvent any application-level version controls through the back end, including the built-in WordPress page versions and timestamps. It is also possible to falsify the date modified on files, as noted here: https://askubuntu.com/questions/62492/how-can-i-change-the-date-modified-created-of-a-file.



There are any number of different specific ways that malware could be created to implant redirection scripts on every page like this, so without analyzing the specific malware there is no way to tell exactly how it was built. Some simple JavaScript would be fully capable of detecting whether you were logged in through the dashboard or not, and only running the redirect code on the public site.



I would recommend referring to these steps for responding to a compromised server: How do I deal with a compromised server?






answered May 7 at 2:53 – Kernel Stearns
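
The answer's point about falsified modification dates, as an added example that is not part of the original answer: `touch` can backdate a file's mtime, but doing so updates the inode change time (ctime), so a search by ctime catches files that a search by mtime misses. The function name `suspect_backdated`, its default thresholds, and the reliance on GNU/Linux `find` and `stat -c` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes GNU/Linux userland (find, stat -c, date +%s).

# suspect_backdated DIR [DAYS] [SLACK_SECONDS]
#
# Prints "ctime mtime path" (epoch seconds) for every regular file under DIR
# whose inode change time (ctime) falls within the last DAYS days while its
# modification time (mtime) is more than SLACK_SECONDS older than the ctime.
#
# Rationale: utimes()/touch can set mtime to any value, but the kernel stamps
# ctime with the current time whenever it does so. A file edited last week
# and then backdated to 2015 therefore keeps a ctime from last week.
#
# Limitation: paths containing newlines are not handled.
suspect_backdated() {
    dir=$1
    days=${2:-10}        # same 10-day window the question used for mtime
    slack=${3:-3600}     # ignore ctime/mtime gaps smaller than one hour
    now=$(date +%s)
    cutoff=$((now - days * 86400))

    # %Z = ctime, %Y = mtime, %n = file name
    find "$dir" -type f -exec stat -c '%Z %Y %n' {} + |
        awk -v cutoff="$cutoff" -v slack="$slack" '
            $1 >= cutoff && ($1 - $2) > slack { print }
        '
}

# Typical use (the docroot path is a placeholder, adjust to your install):
#   suspect_backdated /var/www/html 10 3600
```

Hits are leads rather than proof: `chmod`, `chown`, and restores that preserve mtime (`tar`, `rsync -t`) produce the same pattern. The check covers files only, so content injected through the database still has to be looked for there.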














            Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020