Hacked site / hack: cleaning corrupt files in WordPress

We received the following email one morning:

Wordpress website hacked OVH Google Ads

"Hello sir,

Is it possible to exchange in order to repair

a hacked Wordpress site under OVH.

Our Google Ads campaigns cannot start.

Thanking you for your return,

For yourself"

 

After we talked with the customer, he noted:

  • That the virus manifests itself on his workstation ...
  • … but not on those of his other collaborators. Hence the difficulty of noticing the infection and treating it.

 

Concretely, it was his antivirus, NortonLife, that sent him the following report:

Norton Blocked Malicious Site

 

Malware on the site was trying to redirect him to questionable sites.

This site was listed with others on a list of sites to block with Adblock.

Above all, another Internet user complained that he could no longer access his Google Ads campaign following the same message:

Suspicious redirect from malware site

 

The timing is interesting since it was also around this date that the alert messages had started for the customer.

The company's webmaster had installed a first security extension on WordPress, but without success. He could not identify the suspicious links and files.

We started scanning the site with more robust software.

It reported various items to correct:

  1. Administrator account named "admin", with a simple password.
  2. Various standard WordPress themes installed, unused and never updated.
  3. Extensions not updated, some of which are not necessarily useful.
  4. CMS version not updated either, all running on an old version of PHP.

The "professional" hacker looks for known flaws that are easy to exploit and make profitable. He had found the ideal candidate with this site.

Taking advantage of a component that had not been updated, he was able to install some files and modify the code of others:

Wordpress infected files

 

While examining these files, we discovered that the virus did not manifest itself for Internet users who already had a login account on the site:

Ads not visible for IP already logged on site

 

Solution for this type of case:

Removing added files:

Files added by wordpress hacker

 

Cleaning the corrupted file(s) that are essential to the theme / site:

Wordpress infected file cleaning

 

It is always preferable to make a copy of each file before intervening ;).
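
One way to separate the files an intruder added from the ones he modified, and to copy them aside before touching anything, is to hash the live tree against a clean copy of the same WordPress core, theme and plugin versions. This is an added example, not the tooling used in this intervention; the function names, the clean reference directory and the handling of the uploads folder are assumptions.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_to_reference(site: Path, reference: Path, skip=("wp-content/uploads/",)):
    """Return (added, modified) relative paths of the site versus the clean reference.

    Paths under `skip` hold legitimate user content and are not reported as
    added, except PHP files: the uploads folder should not contain code.
    """
    live, clean = index_tree(site), index_tree(reference)
    added = [
        rel for rel in live
        if rel not in clean
        and (not rel.startswith(skip) or rel.lower().endswith(".php"))
    ]
    modified = [rel for rel in live if rel in clean and live[rel] != clean[rel]]
    return sorted(added), sorted(modified)


def backup_suspects(site: Path, suspects, backup_dir: Path) -> list:
    """Copy every suspect file aside, keeping its relative path, before any cleanup."""
    saved = []
    for rel in suspects:
        target = backup_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(site / rel, target)
        saved.append(target)
    return saved
```

Site-specific files such as `wp-config.php` are not part of a clean WordPress download, so they appear as added and need a manual review rather than deletion.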

 

Finally, we checked that the site was not registered on a "blacklist" (spam, blocklist ...):

Site not on spam list

 

From then on, he was ready to resume his Google Ads campaigns!

Google Ads campaign hacker review

 

Are you facing difficulties after your site was hacked?

We intervene for a flat rate of € 250, payable only in the event of a result.

Intervention between 24 and 48 hours.

8% discount for cryptocurrency settlements.

We are at your disposal by email (contact@gloria-project.eu) or via the following form:

 

 
 
 