  • #1147977

    Saso Oven
    Participant

    Sorry guys I was in a hurry yesterday…

    I have some more information now (working night shift):

    Cause:
    my site was attacked by JapaneseSEO hack 4 days ago

    Symptoms:
    1. .htaccess was modified
    2. site ownership in Google Search Console was compromised
    3. sitemap was modified and reuploaded to Google Search Console
    4. search results, linking and redirections were pointing to fake folders/spam sites, the site lost ranking in Google Search etc.
    5. Google could not successfully index my page, page rankings lost

    Action:
    1. backup everything
    2. fixed .htaccess
    3. unverification of all owners of the site in Google Search Console (mine and the hackers')
    4. deleted all traces of google html snippet needed for Google verification
    5. cleaned the site with Wordfence and Sucuri
    6. deleted malicious sitemaps
    7. all passwords changed (Cpanel, WordPress, FTP, Google…)
    8. Google reverification of the site done with a different method
    9. generated a new sitemap and submitted it to Google, asked Google for recrawl, reindexing
    10. extra site security & protection (Wordfence & Sucuri), I had some other security plugin previously
    11. ran Redleg’s File Viewer and found the weird script with hxxp

    Google finally indexed my site correctly, but I still want to address the HXXP issue.
    I contacted you guys because some of the script is pointing to x-theme files. I would really want to clean this too even though all security scanners and Google say everything is ok now except for Redleg.

    https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fvinalisjak.si&ref_sel=none&ua_sel=gbot2&fs=2

    I am positive now that these script lines are actually traces of malicious activity. I would really appreciate some directions how to safely clean it asap without compromising the X-theme’s functionality.

    614: </script>
    615: <script type='text/javascript' src=hxxp://vinalisjak.si/wp-content/themes/x/framework/js/dist/site/x-body.min.js?ver=4.6.1'></script>
    616: <script type='text/javascript' src=hxxp://vinalisjak.si/wp-includes/js/comment-reply.min.js?ver=0e95476cd9a73cc23f1702da4286b313'></script>
    617: <script type='text/javascript' src=hxxp://vinalisjak.si/wp-content/plugins/cornerstone/assets/dist/js/site/cs-body.min.js?ver=1.3.1'></script>
    618: <script type='text/javascript' src=hxxp://vinalisjak.si/wp-includes/js/wp-embed.min.js?ver=0e95476cd9a73cc23f1702da4286b313'></script>
    619: <script type='text/javascript' src='https://maps.googleapis.com/maps/api/js?ver=0e95476cd9a73cc23f1702da4286b313'></script>
    622: <script id="x-customizer-js">

    Thanks

    #1147989

    Saso Oven
    Participant
    This reply has been marked as private.
    #1148014

    Paul R
    Moderator

    Hi,

    Thanks for writing in!

    These scripts are not malicious and are part of the theme.

    You can download new xtheme from your dashboard page – https://community.theme.co/dashboard/

    Then compare the contents of those files from the newly downloaded xtheme to make sure that there is no script injection.

    Thanks
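
The file comparison suggested in the reply above can be done by hashing both trees. This is an added example, not part of the original thread and not Themeco's code; the function names and the sample files built in `demo()` are constructed for illustration, and the clean copy is assumed to be the same theme version as the one installed.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_theme(installed, clean):
    """Compare the live theme folder against a freshly downloaded copy."""
    live, ref = tree_hashes(installed), tree_hashes(clean)
    return {
        # Same path, different bytes: possible injected code (or a version mismatch).
        "modified": sorted(f for f in live.keys() & ref.keys() if live[f] != ref[f]),
        # Present only on the server: uploading a fresh copy over the folder
        # does not delete these, so review each one.
        "extra": sorted(live.keys() - ref.keys()),
        # Present only in the clean package: deleted or renamed on the server.
        "missing": sorted(ref.keys() - live.keys()),
    }


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"functions.php": b"<?php // theme setup\n",
                 "framework/js/site.min.js": b"console.log('x');\n",
                 "style.css": b"body{margin:0}\n"}
        for base in (clean, live):
            for rel, data in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        # Constructed tampering: one altered file, one dropped file, one removed file.
        (live / "functions.php").write_bytes(b"<?php // theme setup\n// appended line\n")
        (live / "framework/js/cache.php").write_bytes(b"<?php // unexpected file\n")
        (live / "style.css").unlink()
        return compare_theme(live, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, call `compare_theme()` with a local copy of `wp-content/themes/x` and the unzipped fresh download.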

    #1148044

    Saso Oven
    Participant

    OK guys,

    obviously I’ve read too much hxxp stuff on Google, everything seems suspicious now.
    Good to know these lines are part of the x-theme.

    Thanks

    #1148160

    Paul R
    Moderator

    You’re welcome! 🙂

    #1149509

    Saso Oven
    Participant
    This reply has been marked as private.
    #1149511

    Saso Oven
    Participant
    This reply has been marked as private.
    #1149523

    Thai
    Moderator

    Hi Saso,

    The best way to remove the malicious scripts is to delete the current theme and then install the new one.

    Please also install this plugin and scan all your files with it: https://wordpress.org/plugins/wordfence/.

    Hope it helps 🙂

    #1149568

    Saso Oven
    Participant

    Hi,

    what happens with all my theme settings & CSS if I delete the current X-theme and then install a new one?

    thanks

    #1149574

    Thai
    Moderator

    what happens with all my theme settings & CSS if I delete the current X-theme and then install a new one?

    Hello There,

    Sorry for the confusion. You should override your current theme with the latest version of X instead of deleting it (log in to your FTP account using the FileZilla client software and upload the latest X theme to the wp-content/themes/x folder).

    Regards!

    #1149584

    Saso Oven
    Participant

    Hi Thai,

    yes I thought so, I was just about to do that, I just needed confirmation first.
    Already saved all my CSS to a text file just for safety. All my backups are also stored locally too in case of breaking anything.

    Thanks

    #1149588

    Thai
    Moderator

    Great 🙂

    Let us know how it goes!