
I'm renting a server (CentOS 5.something), on which I run several websites. One of them runs on WordPress, and recently Google Webmaster Tools reported an increase in mobile crawl errors.

I checked, and for some reason there's a bunch of weird URLs that I never created. I logged onto the FTP and checked filenames. .htaccess was fine. I also checked internal WordPress for pages/posts etc., and even scripted then searched the database for it, but did not find anything there.

However, it seemed that some changes had been made to php.php and index.php. index.php did not seem to contain anything odd, but there was a large php_encoded string in php.php. I decoded it online, but my PHP is rusty. However, what I saw did not harbour much good.

I have since upgraded WordPress to the latest version, and am going to port everything on the server over to a new server.

However, none of this seems to have solved the redirect issues, and I just got a new mail from Google regarding site errors. Pointing at one of the fake URLs reveals the redirects or forwards are still active.

Would anyone be able to tell me where to look for redirects on CentOS, if they are not located in my .htaccess? The server also runs Plesk, in case that is helpful. I am primarily interested in getting rid of these fake pages, and the new server will hopefully mean whatever changes might have been made will be undone.

Thanks.

Edit: I did check the WordPress recommendations, as well as read the replies in the other thread. However, most of those answers are very generic. I'm specifically hoping to figure out where the redirects might be stemming from, and yes, I will port everything on this machine to a different server.

SchmitzIT
    Clearly the server has been hacked, and upgrading WordPress wasn't enough to remove the hacker from the system. You'll need to wipe it all and reinstall from good backups, then upgrade WordPress and all of the plugins and your themes. As for the redirects, they were probably added elsewhere in WordPress's code or database, or added back by the hacker after you upgraded. – DerfK Feb 02 '17 at 18:37
  • 1
    Possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – DerfK Feb 02 '17 at 18:38
  • @DerfK - I checked the DB and code. The only two pages that were changed recently were the ones mentioned in the OP. The database did not contain any of the keywords from the URLs I tried. – SchmitzIT Feb 02 '17 at 18:41
  • There are many ways to encode things in your pages that make it hard to find changes / additions. There are also many ways to hide things completely. You need to re-install from a known good backup; you cannot be sure otherwise that your setup is clean. – Tero Kilkanen Feb 02 '17 at 20:53
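The triage the question asks for, namely where a redirect can hide when the top-level .htaccess looks clean, as an added example that is not part of the original thread. It walks a web root for nested .htaccess files, Apache/Plesk vhost *.conf includes and php.ini/.user.ini (auto_prepend_file), and for PHP files carrying decode-then-eval markers like the one the poster found in php.php; the directory layout, file names and sample contents are constructed assumptions.

```shell
#!/bin/sh
# Added triage helper, not from the original thread. Paths and samples are assumptions.

# Rules that send visitors elsewhere or quietly load extra PHP. The stock WordPress
# "RewriteRule . /index.php" is deliberately NOT matched; only absolute targets are.
RULE_RE='^[[:space:]]*(Redirect(Match|Permanent|Temp)?[[:space:]]|RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://|(php_value[[:space:]]+)?auto_(prepend|append)_file)'
# Markers typical of injected PHP: decode-then-eval chains and runtime Location headers.
PHP_RE='base64_decode|gzinflate|gzuncompress|str_rot13|eval[[:space:]]*\(|header[[:space:]]*\([[:space:]]*.Location'

# scan_webroot DIR: prints "rule:<file>" / "php:<file>" lines; returns 0 if anything hit.
scan_webroot() {
    root="$1"
    rules=$(find "$root" -type f \( -name .htaccess -o -name '*.conf' -o -name php.ini -o -name .user.ini \) \
            -exec grep -Eil "$RULE_RE" {} + 2>/dev/null | sed 's/^/rule:/')
    phps=$(find "$root" -type f -name '*.php' -exec grep -El "$PHP_RE" {} + 2>/dev/null | sed 's/^/php:/')
    printf '%s\n%s\n' "$rules" "$phps" | sed '/^$/d'
    [ -n "$rules$phps" ]
}

# recent_php DIR DAYS: PHP files changed within DAYS, to compare against a known-good date.
recent_php() {
    find "$1" -type f -name '*.php' -mtime -"$2" 2>/dev/null
}

# make_sample_root: constructed WordPress-like tree so the scan can be run offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/conf"
    # Stock WordPress rewrite block: must NOT be reported.
    printf 'RewriteEngine On\nRewriteBase /\nRewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n' > "$d/.htaccess"
    # Nested .htaccess bouncing visitors to an external host: must be reported.
    printf 'RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R=302,L]\n' > "$d/wp-content/uploads/.htaccess"
    # Plesk-style vhost include that prepends a PHP file to every request: must be reported.
    printf '<Directory /var/www/vhosts/example.invalid/httpdocs>\n  php_value auto_prepend_file /tmp/constructed-prepend.php\n</Directory>\n' > "$d/conf/vhost.conf"
    # Clean index.php versus a decode-then-eval stub (the encoded text is just the word "constructed").
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$d/php.php"
    echo "$d"
}

# Real use on an assumed Plesk layout: scan_webroot /var/www/vhosts; recent_php /var/www/vhosts 14
root=$(make_sample_root) && scan_webroot "$root"; rm -rf "$root"
```

The database side (the siteurl/home rows in wp_options and encoded strings inside post content) is not covered by this filesystem scan and needs a separate query.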
