• June 6, 2018 at 2:24 pm #1767
      Mike Baker
      Keymaster

      I’ve been on the Internet for some time and have had to repair a bunch of sites that have gotten hacked. Typically the hack is from an old plugin or dated core WordPress scripts. This particular one that I am working on right now only reveals itself ON GOOGLE search results. It turns a legit site into a dick pill peddler! The thing is there is no evidence of it in the source code, there is no rogue user, no threats were found by security plugins or any of the typical things that happen. It JUST appears in Google search results.

      Here is a link to learn more about the Pharma WordPress Hack, I will post my findings when I solve the problem. Super weird one!

    • June 12, 2018 at 8:50 pm #1776
      Mike Baker
      Keymaster

      This was not an easy one but I got it sorted. I don’t know how they got in but they placed several files. The last one was:

      wp-lib.php stuck in the wp-content/plugins directory and had encrypted code or “obfuscated” code:

       

    • June 12, 2018 at 8:56 pm #1777
      Mike Baker
      Keymaster

      The process was:

      1. Moved from Godaddy shared hosting to Premium/Secure/Dedicated WordPress Hosting at: WPEngine Manged WordPress Hosting (with an SSL)
      2. Leave ALL old WP files behind that may have been scattered into the core files outside of wp-content
      3. Get the site up with a copy of wp-content as it was
      4. Update everything and I mean everything in plugins & theme
      5. Get rid of anything and everything that wasn’t needed
      6. Install WordFence, Sucuri Security & Anti-Malware from GOTMLS.NET
      7. Locate any questionable files, database entries
      8. Delete, back-up, delete, back-up and test
      9. Create new XML sitemap and resubmit to Google Search Console
      10. Clear with Comodo, Google Safe Search and several others
    • June 12, 2018 at 8:57 pm #1778
      Mike Baker
      Keymaster

      This process took me as an individual about 15 hours. It was very much the weirdest hack I had seen to date

    • January 18, 2019 at 12:21 pm #2062
      Mike Baker
      Keymaster

      I ran into this again from a potential client. They let it go and still to this day their website peddles “synthroid” and other bs! Take a look at the Google search results here

You must be logged in to reply to this topic.