
My WordPress site has been hacked. Links on the site have been changed to take users to the hacker’s site at storage.piterreceiver.ga. This site, in turn, redirects to other sites which my browser flags as dangerous.

Has anyone else had this happen? How can I restore my site and prevent a recurrence?

11 Answers


  1. Chosen as BEST ANSWER

    After all, I found the best solution; please follow these steps:

    1. Rename wp-content folder.
    2. Create a new wp-content folder (don't forget about the permissions for this folder).
    3. Install a WP security plugin like Wordfence (it's recommended, but you can install whatever you want).
    4. Scan the whole website and directories with this plugin for malware.
    5. For more assurance you can search the database with mysqldump -uUSER -pPASSWORD database --extended-insert=FALSE | grep pattern
    6. Change or delete the records found in step 4 (in my case the problem was in the wp_options table, and siteurl and home had been changed).
    7. Install a clean and fresh version of your template.
    8. Copy old uploads folder from old wp-content to the new one.
    9. And that's it, your website will be alive again.

    I just want to say thank you to @David Koenig and @Ralph Rathmann. Your replies were really helpful.

    And thanks to the others for their replies and guides.


  2. I recommend overwriting the affected files with the files from a clean/original WordPress (be sure you are using the same version of WP).

  3. I found the same on one of my sites and could not identify any malware in the files; however, the "site URL" and "home" in the "_options" table were altered and I suspect a SQL injection to have been the culprit here.
    None of my malware tools could identify anything at the filesystem level so it appears to be some sort of 0day exploit as I cannot find anything similar. I’ve ensured that everything is updated and will monitor my site further, but a starting point would be to determine if there are any outdated plugins or themes that may suffer from a vulnerability and if yes then a more difficult task would be to identify which. I am looking through my logs now and will update this thread if I find anything.

  4. I have just managed to restore a website that was affected by this. My fix was to search the database for storage.piterreceiver.ga and, when found, replace it with the actual site's URL. I found two entries that needed to be amended. Once that was done, I was able to get back into WordPress as usual.

  5. We found this script in the WP DSGVO Tools (GDPR) plugin by legalweb and in the rewrite rules by Yoast SEO. But not all systems with these plugins are corrupted.

    Affected are mainly pages that have been updated in the last few days.

    A backup of the database is sufficient. Nevertheless, it should be determined how the intervention in the page came about.

  6. We discovered the behaviour on several of our sites as well; the culprit seems to be the DSGVO plugin offered by legalweb.io.

    The plugin developer has been informed, and the best solution was to clean the _options table of the malware code and disable the plugin.

  7. We saw the same behaviour on our sites and I can confirm the DSGVO plugin is the culprit. Somehow the Matomo/Google Analytics tracking codes were overwritten with the malicious redirect.

    I just talked to legalweb and they confirmed that this is the underlying issue. They are working on an update but didn't want to share how the attack was performed. Disabling the plugin and looking for the redirect URL in the database solved the issue.

  8. Thanks to @Jesmond Darmanin I found the solution for how to fix that. He described deleting all occurrences of "piterreceiver" in the database.
    You can do that in this way:

    1. Connect to your WordPress instance with SSH
    2. Go to your WordPress directory
    3. Execute wp db search --all-tables piterreceiver
    4. Execute wp db query <<< "delete from <table> where <id> = 123456"

    Be careful, this is the "crowbar" method. Only do that when you are absolutely sure that the returned value is not needed anymore (which was the case in my installation < lucky guy).

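The database search that answers 1 and 8 describe (a mysqldump piped through grep, or wp db search), as an added example that is not code from any poster in this thread: a small Python scanner for a dump taken with --extended-insert=FALSE that reports each row carrying the redirect domain and separates out the siteurl/home options, which answer 1 found rewritten. The dump rows and the sp_dsgvo option value are constructed placeholders, not the real payload.

```python
import re

INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>[^`]+)` VALUES \((?P<values>.*)\);$")
# Constructed sample dump (one INSERT per row, as --extended-insert=FALSE writes it):
# 'home' rewritten to the redirect domain; the sp_dsgvo row is a placeholder option.
SAMPLE_DUMP = """\
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.org','yes');
INSERT INTO `wp_options` VALUES (2,'home','https://storage.piterreceiver.ga/x','yes');
INSERT INTO `wp_options` VALUES (99,'sp_dsgvo_legal_web_texts','<script src=\\'https://storage.piterreceiver.ga/s.js\\'></script>','yes');
INSERT INTO `wp_posts` VALUES (7,'Hello','visit storage.piterreceiver.ga now');
"""

def split_values(raw):
    """Split one INSERT's VALUES body, honouring MySQL backslash escapes in strings."""
    values, i, n = [], 0, len(raw)
    while i < n:
        if raw[i] == "'":
            buf, i = [], i + 1
            while i < n and raw[i] != "'":
                if raw[i] == "\\" and i + 1 < n:
                    i += 1          # keep the escaped character
                buf.append(raw[i])
                i += 1
            values.append("".join(buf))
            i += 1                  # skip the closing quote
        else:                       # number or NULL: runs to the next comma
            j = raw.find(",", i) if "," in raw[i:] else n
            values.append(raw[i:j].strip())
            i = j
        i += raw.startswith(",", i)  # step over the separator
    return values

def scan_dump(dump_text, indicator):
    """(table, option_name, value) per row containing the indicator; option_name is set only for *_options rows."""
    hits = []
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line)
        if not m or indicator not in line:
            continue
        table, values = m.group("table"), split_values(m.group("values"))
        name = values[1] if table.endswith("_options") and len(values) >= 3 else None
        for value in values:
            if indicator in value:
                hits.append((table, name, value))
                break
    return hits

def tampered_site_urls(hits):
    """The two options that must point at your own site: siteurl and home."""
    return [h for h in hits if h[1] in ("siteurl", "home")]
```

Run it against a real dump with `scan_dump(open("dump.sql").read(), "storage.piterreceiver.ga")`; every hit outside siteurl/home still needs a look before deleting anything, as answer 8 warns.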
  9. As already mentioned, the problem is about the plugin WP DSGVO Tools (GDPR) and in our case, the database entry could also be deleted in the backend, by navigating to /wp-admin/admin.php?page=sp-dsgvo&tab=statistic-integrations > Matomo > Use Matomo (off) or removing the content from the field "Matomo code".

  10. I scanned my WP website with sucuri.net and got some high-risk malware alerts. When I tried to enter my site it redirected me to this 'storage.piterreceiver.ga' and '0.johncarlsberg.best' (also with 1, 2 etc. as prefix).
    Because I also wasn't able to restore my UpdraftPlus backup (I got some authentication errors), I tried uninstalling plugins and updating everything.

    -> For me, uninstalling the WP DSGVO Tools (GDPR) plugin fixed the site.

  11. I had the same problem on my WP website.

    No files (.php et al.) have been affected (as far as I can see), but I found obfuscated code in the database table (wp)_options under "sp_dsgvo_legal_web_texts".

    That points to the plugin "WP DSGVO TOOLS (GDPR)".

    Since no login was possible anymore, I deleted the plugin subfolder shapepress-dsgvo via SFTP on the server in the plugins directory.

    Then I manually deleted every record in the database table:

    DELETE FROM wp_options WHERE option_name LIKE 'sp_dsgvo%';
    (maybe you have to change the table prefix wp_ to your needs)

    The Official WordPress Plugin-Directory has blocked this plugin on 20.09.21, but that doesn’t affect your installation, so you have to clean it manually.

    Keep in mind that you need to find some other GDPR tool, but for now we are happy to have a website that's online again.
