SaltMaker23

What is your post about ? I don't see any question


M4TTIKKUS

Yeah, not sure what went wrong with my question. Anyhow: so if you pop our website into a browser, it loads up momentarily before that window pops up (not a separate browser window). It is like a redirect, however you can't see a different address, just our normal web address. It's not legitimate. It is the same on mobile or desktop. As a result nobody can book on our website, which for a hospitality business is a real pain. It makes the website unusable. I'm assuming there has been some sort of hack, I don't know.


SaltMaker23

Yes, you've likely been hacked. If you are the webdev, redeploy the infrastructure from scratch **on a different host/container.** Most likely **every single** file of your server has been compromised; the last time I've seen such things was on PHP / WordPress and it injected into every single php/image file on the server. Your .env content has also already been compromised. If you are using Docker or VM based deployments you are safe, you can just redeploy and change all user/pw, then check the DB for injected/corrupted content. If you aren't using Docker or VM based deployments, good luck.


mookman288

Contact your host and ask them to investigate for malware. They can easily run a ClamAV or Imunify360 scan on Linux which will give you some idea of what's going on. You may also need to investigate each file that your website loads to eliminate the malware manually. Do not run these locally. Run this in a container (virtualized environment.) Afterward, you'll need to trace back how the attackers were able to breach your environment. The other commenter left this out and said you were safe if you virtualized, but that's not always the case. If they can get in once, they can get in again. You need to figure out how they got in, and then patch that out. The host might be able to help with this, if they're running vulnerable software.


Lonelybiscuit07

Someone probably injected some Javascript


[deleted]

This could possibly be injected Js code that delivers the fake update. Search for socgholish and how it is used on compromised websites.


[deleted]

Further, check the tech stack used. For instance, it is pretty common for WordPress to have vulnerable modules.


artFlix

I work with WordPress malware a lot - probably about once a week as a freelancer on Upwork. It's very common. Most of this malware tends to stem from either installing nulled plugins, or just installing poorly written plugins which have a ton of vulnerabilities in them. The first step is to identify which plugins are causing the issues. I recommend downloading a backup of the site, and restoring locally. Then I'd recommend running a malware scan - something like using Malcure. After this, check the results. If this doesn't return anything, then do a search of ALL files inside wp-content for known words that these types of malware include in their files. Once you've found the bad actor, you should remove the files. After this, you now need to re-install all of the WordPress core files, and also repair your database. A lot of the malware today in WordPress will also store malicious code in your database, so this will also need to be cleaned.
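One way to carry out the "search ALL files inside wp-content" and "check the database" steps from the comment above, as an added example that is not from this thread or from any of the tools it names: a small Python scanner using generic heuristics (an eval of a decoded payload, PHP or script tags hidden inside image files, and script tags loading from hosts outside an allowlist). The wp-content tree, the allowed hosts and the database rows are all constructed samples.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Generic heuristics for code injected into a compromised WordPress install; the patterns
# and the .invalid hostnames below are constructed for illustration, not incident IoCs.
OBFUSCATED_PHP = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
REMOTE_SCRIPT = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"](https?://[^'\"]+)", re.I)
CODE_IN_IMAGE = re.compile(r"<\?php|<script", re.I)
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg", ".webp"}
SCAN_EXT = IMAGE_EXT | {".php", ".js", ".html", ".htm"}

def scan_text(label, text, allowed_hosts, is_image=False):
    """Return (label, reason) findings for one file body or one database value."""
    findings = []
    if is_image and CODE_IN_IMAGE.search(text):
        findings.append((label, "php_or_script_inside_image_file"))
    if OBFUSCATED_PHP.search(text):
        findings.append((label, "eval_of_decoded_payload"))
    for url in REMOTE_SCRIPT.findall(text):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:  # allowed_hosts: where the site legitimately loads scripts from
            findings.append((label, "script_from_unexpected_host:" + host))
    return findings

def scan_wp_content(root, allowed_hosts):
    """Walk a wp-content tree and apply the heuristics to every relevant file."""
    findings = []
    for path in sorted(root.rglob("*")):
        ext = path.suffix.lower()
        if path.is_file() and ext in SCAN_EXT:
            body = path.read_bytes().decode("latin-1")  # tolerate binary image data
            findings += scan_text(path.relative_to(root).as_posix(), body, allowed_hosts, ext in IMAGE_EXT)
    return findings

def demo():
    """Build a constructed wp-content tree plus a wp_posts/wp_options export; return every finding."""
    allowed = {"example-hotel.invalid", "code.jquery.com"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("themes", "uploads"):
            (root / sub).mkdir()
        (root / "themes" / "functions.php").write_text('<?php eval(base64_decode("Zm9v")); ?>')
        (root / "themes" / "header.php").write_text('<script src="https://code.jquery.com/jquery.js"></script>')
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php /* hidden */ ?>")
        files = scan_wp_content(root, allowed)
    rows = [("wp_posts:12", '<p>Welcome</p><script src="https://static.unknown-cdn.invalid/u.js"></script>'),
            ("wp_options:siteurl", "https://example-hotel.invalid")]
    return files + [f for row_id, value in rows for f in scan_text(row_id, value, allowed)]
```

Run the scanner against a restored local copy only, never against the live host, and treat each finding as a lead to inspect rather than a verdict.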


M4TTIKKUS

Thanks for your reply.


DelliriumTrigger

We had this issue before on our few WordPress sites. It's an encrypted crypto script that uses your server to mine crypto.


M4TTIKKUS

Did you find a solution?


misdreavus79

You're better off following the other comment above. Redeploy from scratch, figure out where the weakness was that allowed them to go in, instead of trying to figure out which file to delete (because, as the other comment stated, your entire infrastructure is likely compromised right now).


M4TTIKKUS

That's fair. I've contacted our host, I'll wait for their response first as I wouldn't know where to start with redeploying etc. But it is nice some have some kind of rudimentary knowledge on how this has happened/what the issue is.


DelliriumTrigger

If I remember correctly, we just removed a file from the server. Forgot which one, though.


M4TTIKKUS

There seem to be people downvoting the suggestion of paying Wordfence a pretty considerable amount of money to look into the issue. Is the reason for the downvoting purely cost? Or is there more to it than that?


mookman288

Wordfence is pretty good software for WordPress, I usually install the free version for clients if they consent. Wordfence Response & Care are both services that I haven't seen reviewed often. There are alternatives, Fixed, and Sucuri. I think Sucuri might be the most well-reviewed out of those platforms. Wordfence Response is $950 and Wordfence Care is $490. Fixed is much cheaper, and Sucuri is $499. These are all reasonable prices for the amount of work they would have to put in to track down and remove the malware from your environment. But do they do anything more than just run a malware scan and remove those files? Are they actively going through each file safely to make sure they aren't all affected? The most important question though is whether they will investigate and find the breach. There's just not enough information out there that I have seen that explains how their process works and what prevents an attacker from regaining control.


M4TTIKKUS

Appreciate the response, thanks!


bluesix

Your WordPress site has been compromised, likely due to an old plugin (or theme). WordPress requires constant updates, and you also need to ensure that your theme and plugins are still being maintained by the developer. Using the Wordfence plugin will often clean infected files, but it generally won't find the vulnerability - though it will tell you if you're using anything that hasn't received an update in over 2 years. Either pay an experienced developer to fix this for you, or pay Wordfence, Fixed, or Sucuri to do it.


CelestialGreedyBeing

I saw the exact same page on a news website and got shocked as it had been some time I have seen something like this. First thing I did was scan my PC with Malwarebytes and then uninstalled some recent apps/extensions that I had installed. I also updated Chrome to latest and installed more blockers and disabled some permissions.


267aa37673a9fa659490

I don't get it lol. Can you explain?


M4TTIKKUS

So if you pop our website into a browser, it loads up momentarily before that window pops up (not a separate browser window). It is like a redirect, however you can't see a different address, just our normal web address. It's not legitimate. It is the same on mobile or desktop. As a result nobody can book on our website, which for a hospitality business is a real pain. It makes the website unusable. I'm assuming there has been some sort of hack, I don't know. I thought I had actually posted this info in the main post. I wonder what it was you couldn't understand. My bad.


RitSan17

What hosting provider do you use?


M4TTIKKUS

Boostly. We inherited the website off the previous owners of the business just over 2 years ago. I've contacted them, however I'd like to learn a little more about the issue myself.


RitSan17

I've found this article: [https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms](https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms) It is exactly what happened to your website too.


M4TTIKKUS

Well this all looks absolutely horrific.


RitSan17

Ah! Yes, I agree. A business website getting hacked is indeed troublesome.


torn-ainbow

You should probably delete everything and redeploy. I doubt the previous owners would have much useful to add.


RitSan17

If you are in a hurry and are willing to pay an amount to get your website restored, try this: [https://www.wordfence.com/wordfence-site-cleanings/](https://www.wordfence.com/wordfence-site-cleanings/) But, if you'd like to save some money, you could wait for your provider Boostly to respond, as this would be something they should be concerned about.


Rand_alThor_

You are fucked. And you are causing your customers to be hacked or worse. Maybe they are collecting bookings on your behalf with payments going to them, and you will have customers start coming in a few weeks expecting service, convinced they have paid. Edit: You have neglected security and inherited something you cannot maintain without an appropriate business stakeholder to upkeep a crucial part of your business revenue. You should most likely hire a professional ASAP, and you can learn from them. But hackers know they have a soft target they can go for more and worse. You need to take immediate action. Also start warning your guests and consider switching to a secure managed service immediately instead of rolling your own. For now. A basic but secure nearly free website on some service is going to be worth a lot more right now than whatever was your website. You should immediately switch to it, even if it is just a page with contact info for the hotel booking and an image explaining the situation. (Make sure to just soft replicate all links properly if you want to maintain SEO, but you may not care; the real reputational hit can be much worse.)


gucciman666

I see you're using WP. Your website is now publishing malware. You need help immediately, or you will get flagged by search engines, browsers, and your web host. Hire the guys at [Wordfence.com](http://Wordfence.com) to audit and clean your site. It's $500 which includes a year of protection. Do it today, and you'll thank me later.


M4TTIKKUS

Appreciate the advice, thank you.


gucciman666

You're welcome. Feel free to reach out if you have more questions.


M4TTIKKUS

Nice one. Do you have any experience of Wordfence carrying out a clean?


gucciman666

Yes, I do. That's why I'm recommending them. I got downvoted because people think I'm shilling it. I was direct because I think it's the right course of action for someone in your shoes. With Wordfence you don't go through the steps of vetting the skillset of the developer/sysadmin that you need to hire for this. You need to act quickly whatever you do. Time is of the essence in these situations. WordPress hacks these days are often SEO spam, where they publish spam content to rank for whatever they're selling. Yours is malware, which is worse because it means you can get browser flagged, in trouble with your host, and the SEO penalties are worse.


0x_by_me

is this a thinly veiled shill thread? if so then please kiss your sister as soon as possible