Is my website being hacked?

11 replies
    
#hacked #website
  • IMdude123
    It seems fine for me.
  • rosetrees
    It's ok here too. Maybe you have malware on your computer. Download and scan it with Malwarebytes (and possibly SUPERAntiSpyware as well).

    Edit: The links at the top work fine here.
  • DireStraits
    No problems here mate. Had a look in the HTML code, too, and can't see anything malicious there.

    Carol is spot on: it seems more likely that you have some kind of malware on your computer.

    Try running the free version of Malwarebytes and SpyBot S&D (search Google for 'em), and ensure you're running some kind of virus scanner (personally I just use the free Microsoft Security Essentials; perfectly adequate if you're running Windows). They catch/clear up most stuff, it seems.

    Also, if you're running Windows, try clearing your hosts file: go into Command Prompt and type:

    ipconfig /flushdns

    Good luck.
  • Guru_Marketing
    Kyle, it looks fine to me as well. Clear your browser cache and your cookies and try to access your site again.
  • PhiladelphiaSeo
    Have you submitted your site to Google webmaster tools? GWT will tell you if your site has malware and what you need to do to clean it. Then you might have to resubmit it.
    • sbucciarel
      Banned
      Originally Posted by PhiladelphiaSeo

      Have you submitted your site to Google webmaster tools? GWT will tell you if your site has malware and what you need to do to clean it. Then you might have to resubmit it.
      I wouldn't do that. Google will put a malware warning on the site and take their good old sweet time in removing it. Took months for them to remove it from one of my sites. They're assholes.
  • Verisimilitude
    Just to chime in here - a lot of times, link redirects/hijacks are the results of rootkits, which don't typically fall under your standard malware category. ComboFix is exceptional at sniffing 'em out and killing them when Malwarebytes and Spybot can't.
  • Pat Flanagan
    Kyle, I'm not getting redirected when I click your nav links. However, when I watch the status bar of my browser, I do see a URL outside your domain make an appearance. If you have nothing to do with freefilesblog.com, then I think I know what's happening here, and it has nothing to do with what anyone above has written.

    I believe your site may be the victim of a JavaScript injection.

    Your site is built with WordPress using the Nova theme. You should create a new folder on your local machine and download the entire Nova theme from your server into this folder.

    You are then going to need to use a text editor that allows you to load multiple files and run a search across all the loaded files. I use EditPad Pro; there are many others out there, free and paid. Load ALL the .php files in the theme into this text editor and then run a search for "base64". I bet you'll find it, most likely in the file footer.php (though you should search throughout the theme).

    Wherever "base64" shows up in the theme files, it'll be followed by a long string of gobbledygook letters and numbers. This is actually regular code that has been encoded with base64 encoding. Copy that long string of letters and numbers, go to Base 64 Decoder, paste it in the box, and click the Decode Safely As Text button. You'll probably find it has a link to this freefilesblog site along with some other code that can do all kinds of fun stuff.

    Encoded text strings like this can get "injected" into a WordPress theme in two ways -- either through a security hole in something your site uses (theme/plugin/other legitimate JavaScript), or, most commonly, it was in the theme from the get-go. I'm not familiar with the Nova theme, but if you download your themes from free WordPress theme sites, you run the high risk that those themes will include base64 encoded strings that can do all sorts of fun things. Many times it will be a perfectly legitimate theme that has had the code added by the person running the theme download site, or by someone who submitted the theme to the site. From there, other free theme sites grab the themes for their own stock, and so on.

    I NEVER use free themes for this reason. However, there are times for using them. If you do, ALWAYS scan your themes for base64 encoding. I have found 2 or 3 themes along the way that use base64 encoding for legitimate reasons, usually to protect the code for a special feature they've written (which isn't much protection, as I've shown, it's easy to decode it). But the vast majority of times, if you find base64 encoding in a WordPress theme, it's going to be in footer.php, it will be unnecessary, and it can be removed.

    Anyway, if you find this is the case, the quickest and easiest solution is to find a legitimate download of the Nova theme that does NOT contain the encoded strings and upload it to your server, overwriting the existing version. If you've made modifications to the theme, you will, of course, need to make those same modifications to the new copy.


    EDITED TO ADD: Kyle, I hadn't looked at the source code for your site, since I figured this was a PHP issue and wouldn't be visible to the end user. However, looking at the source code, I do see a JavaScript in the source code referring to the site I mentioned. It's at the very end of the HEAD section of the page. This is a pretty obvious and clumsy addition by the person who inserted it, and I have to think it's whoever is running freefilesblog.com, since it appears to be a place where you can illicitly download commercial paid themes via filesharing sites like Filesonic. So, if this is where you downloaded the Nova theme from and it's a paid theme, you've just discovered one of the hazards of not paying for what you should. If you got it from elsewhere, it could be the site owner is spreading the code through free themes on other sites to benefit him/herself.
    • Kyle Oliveiro
      [DELETED]
      • Pat Flanagan
        Originally Posted by Kyle Oliveiro

        Thanks Pat, that might be it. I'll have to go through all the php files and see if I can find anything suspicious.
        Hopefully that's the problem. It never hurts to do the virus and malware scans suggested above, but when you're dealing with WordPress, you have to know about a few weaknesses it has. The theme system is a massive advantage, but it comes with a hiccup or two.

        If you do mass searches like I suggested, search for both "base64" (a good practice to always do, I do it with every paid theme I use, just in case) plus do a search for that domain name. They may have squirreled away additional code elsewhere.
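Added example, not part of the original thread or any poster's code: a Python version of the search Pat Flanagan describes in his two posts above. It scans every .php file in a downloaded theme folder for "base64", for a given domain name, and for long encoded strings, which it decodes as text only. The function names and the injected.example sample theme are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# A quoted run of 40+ base64 characters: the "long string of gobbledygook".
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
URL = re.compile(r"""https?://[^\s'"<>)]+""")

def decode_as_text(blob):
    """Decode base64 to text for reading only; never eval/execute the result."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64 (e.g. an odd-length identifier)
    return raw.decode("utf-8", errors="replace")

def scan_theme(theme_dir, domain=None):
    """Return (file, line number, kind, detail) for every suspicious line."""
    root, findings = Path(theme_dir), []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if "base64" in line.lower():
                findings.append((rel, no, "base64-keyword", line.strip()[:60]))
            if domain and domain.lower() in line.lower():
                findings.append((rel, no, "domain", domain))
            for match in B64_LITERAL.finditer(line):
                decoded = decode_as_text(match.group(1))
                for url in URL.findall(decoded or ""):
                    findings.append((rel, no, "decoded-url", url))
    return findings

def build_sample_theme(theme_dir):
    """Write a constructed three-file theme; injected.example is a placeholder."""
    hidden = base64.b64encode(b'<a href="http://injected.example/">free themes</a>')
    root = Path(theme_dir)
    (root / "functions.php").write_text("<?php // clean file\n")
    (root / "header.php").write_text(
        '<head>\n<script src="http://injected.example/x.js"></script>\n</head>\n')
    (root / "footer.php").write_text(
        "<footer>\n<?php echo base64_decode('%s'); ?>\n</footer>\n" % hidden.decode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for finding in scan_theme(tmp, domain="injected.example"):
            print(*finding, sep=" | ")
```

To check a real theme, call scan_theme() on the folder downloaded from the server and pass the outside domain seen in the browser status bar.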
  • rosetrees
    @ Pat - thanks for that - I can see it now that you've pointed it out. I hope Kyle reads your post.
  • DireStraits
    Nice find, Pat.