google / WebFundamentals

Former git repo for WebFundamentals on developers.google.com
Apache License 2.0

Japanese Keyword Hack and King.txt file hack #7518

Open aowanders opened 5 years ago

aowanders commented 5 years ago

In November I was hacked with the Japanese keyword hack. I went into my cPanel and investigated every file there was. I found multiple files infected with gibberish code and the ever-present eval(base64 junk!!!! I also found a number of text files labeled king.txt that displayed this:

Hacked By Legion BOmb3r @error SquaD

Contact : ICQ = 740839025 FB = https://www.facebook.com/Legion.Bomber

I simply hit delete on every file I could find that looked malicious, gibberish and out of place. I am not a developer, coder, designer or security auditor. But when you see things like “hacked by ……” it isn’t hard to draw the conclusion that file doesn’t belong! So I hit delete.

What prompted me to do this investigation was I found a number of indexed pages on Google for my site with Japanese characters. All in all I have deindexed over 200 of them using the Google URL removal tool which can be found here https://www.google.com/webmasters/tools/removals

I used the other Google removal tool and it didn’t remove any of these indexed pages. Using this Google removal tool deindexed those Japanese pages within hours https://www.google.com/webmasters/tools/removals

The problem I am having, that none of the WordPress guides or FAQ pages on hacked sites address, is how to actually locate, identify or confidently know which files are infected. Yeah it says to use Sucuri or Wordfence scanners. Well I have Wordfence installed and it was installed prior to this hack. It didn’t stop it. My hosting company has run multiple scans using Sucuri and their in-house malware tool. They have found nothing!!! In fact at one point they blamed Google for this.

The WordPress hacked guide infers that a WordPress owner knows how to code, develop or navigate their cPanel or database. I know how to log in, but that is about the extent of it. You have millions of website owners that possess the same skill level I have and you’re not providing any step-by-step instructions on how to identify and locate these infected files.

I say all of this because after deleting all the files I could find that looked malicious my site still creates one Japanese web page every day. EVERY DAY I have to do a Google sitewide search for my domain, then copy and paste the URL into the Google URL removal tool.

My hosting company cannot find any reference to the URL I am deleting. They cannot find it in the database or the file manager. The Sucuri scan says my site is fine. There is no malicious malware, but yet today I found three text files named king.txt and when opening up that file I see this:

Hacked By Legion BOmb3r @error SquaD

Contact : ICQ = 740839025 FB = https://www.facebook.com/Legion.Bomber

So how am I supposed to have any confidence in spending money with Wordfence or Sucuri when their scanners can’t find this:

Hacked By Legion BOmb3r @error SquaD

Contact : ICQ = 740839025 FB = https://www.facebook.com/Legion.Bomber

or can’t find out which file, database, or line of code keeps producing a Japanese web page that points to a 404 on my site?

What am I actually supposed to do here? What am I actually supposed to be looking for? What file am I actually supposed to be investigating? What area of my cPanel am I actually supposed to be opening, and what am I actually supposed to be looking for?

No, I am not going to download my site in an XML format and delete all of my plugins and all of my content and whatever other nonsense you state in your WordPress guide.

What files should I be doing a search for? What should I be searching for in the database? What words, verbiage, symbols, references should I actually be typing into the search box within my file manager or database page to find infected files to finally clean this up once and for all, 6 months after the fact?

The page I need help with: https://aowanders.com/index.php/ko77-9650412/nvz98yk52o/16018.html

JIGSAW (@jigsaw) 1 hour, 14 minutes ago

I have also checked my Search Console ownership to make sure that I am the only owner or verified owner of my site. I have also checked my sitemap to make sure there are no funny URLs or additions that I did not put there. Both check out just fine.

What am I actually supposed to be looking for in these files? What am I actually supposed to be searching for to finally remove this Japanese keyword hack? What verbiage am I supposed to be looking for? What part of the URL that I have provided for my site should I use as a search parameter? Because I have tried everything past the .php in every combination of sequences you can think of and find nothing. I can deindex that URL and have it removed in a couple of hours, but tomorrow there will be another unique URL displaying Chinese characters.

What do I need to search for within my cPanel to finally put a stop to this?

JNashHawkins (@jnashhawkins) 10 minutes ago

I can’t see your plugins so I can’t tell what’s there, so I’ll just speak in generalities here while remembering you mentioned running Wordfence.

My first recommendation is to run iThemes Security and Wordfence together. They behave well together and complement each other.

I’d also install the Sucuri scanner plugin, enable it and run it then disable it again. You really don’t need that many security plugins that do the same things but Sucuri is worth running here and there. Run then disable.

Deindexing something in Google doesn’t remove it from your website. If Google finds it again it may put it back.

I did an offline scan of your site and didn’t see anything but there are stealth SQL injections and such that hide then run and then hide again.

I did a search for a few parts of the keyword string you mentioned via Google and your own site’s search… nothing. Doesn’t mean it isn’t there.

It’s possible there’s something hidden in your database or an external script your site calls that has a problem.

JIGSAW (@jigsaw) 3 seconds ago

Thank you for taking the time to offer your assistance. I did install both Sucuri and iThemes. Did a scan, found nothing and uninstalled. I realize deindexing doesn’t remove it from the site or core files. Which is why I am trying to figure out what files to look in and what to actually look for in the files I open up.

I can’t be the only one in the world that has had this hack and is trying to figure out how to clean a site afterwards. There has to be a tool, guide, resource somewhere that states step by step how to remove this Japanese keyword hack. WordPress.org has generalities. Google has more generalities.

Really no site on the internet has cleaning instructions for this malware invasion?
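The thread asks what to actually search for on disk. As an added example, not from the original issue, Google's guide, or any of the plugins named above, the script below walks a WordPress tree and flags the three indicators the reporter describes (files named king.txt, "Hacked By" defacement text, and PHP calling eval() on base64-decoded input). The check for PHP files under wp-content/uploads is a general WordPress heuristic I have added that the thread does not mention; the sample site it builds is constructed, with placeholder contents.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicators drawn from the thread: a defacement marker, an obfuscated eval(),
# and the dropped text file name. The regexes are mine, not a scanner's rules.
DEFACEMENT_MARKER = re.compile(r"Hacked By", re.IGNORECASE)
OBFUSCATED_EVAL = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
SUSPICIOUS_NAMES = {"king.txt"}


def scan_tree(root):
    """Walk root and return a sorted list of (relative_path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPICIOUS_NAMES:
            findings.append((rel, "known defacement filename"))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if DEFACEMENT_MARKER.search(text):
            findings.append((rel, "defacement marker in content"))
        is_php = path.suffix.lower() == ".php"
        if is_php and OBFUSCATED_EVAL.search(text):
            findings.append((rel, "obfuscated eval() in PHP"))
        # Assumption (general WordPress hygiene, not from the thread): executable
        # PHP inside the uploads directory is almost never legitimate.
        if is_php and "wp-content/uploads/" in rel:
            findings.append((rel, "PHP file inside uploads directory"))
    return sorted(findings)


def build_sample_site():
    """Create a throwaway directory of constructed files resembling the thread's findings."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    payload = base64.b64encode(b"echo 1;").decode()  # harmless constructed payload
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",  # clean
        "wp-config.php": "<?php define('DB_NAME', 'example');\n",  # clean
        "wp-content/uploads/2019/king.txt": "Hacked By EXAMPLE-GROUP\nContact : placeholder\n",
        "wp-content/plugins/x/cache.php": "<?php eval(base64_decode('" + payload + "')); ?>\n",
        "wp-content/uploads/2019/img.php": "<?php // constructed: PHP dropped into uploads\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root
```

Running `scan_tree` against a real document root only lists candidates for manual review; the reporter's experience shows a scanner that reports nothing is not proof of a clean site, and a hit on a regex is not proof of infection either.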

southalan commented 2 years ago

Hello, good afternoon! I know this is a really old post, but Google posted a solution here: https://developers.google.com/web/fundamentals/security/hacked/fixing_the_japanese_keyword_hack