
Wordpress site hacked -- redirects to another site [closed]

Tags:

wordpress

My WordPress site has been hacked. Links on the site have been changed to take users to the hacker's site at storage.piterreceiver.ga. This site, in turn, redirects to other sites which my browser flags as dangerous.

Has anyone else had this happen? How can I restore my site and prevent a reoccurrence?

nima asked Sep 23 '21 14:09


3 Answers

Thanks to @Jesmond Darmanin I found the solution for how to fix that. He described deleting all occurrences of "piterreceiver" in the database. You can do that in this way:

  1. Connect to your wordpress instance with SSH
  2. Go to your wordpress directory
  3. Execute wp db search --all-tables piterreceiver
  4. Execute wp db query <<< "delete from <table> where <id> = 123456"

Be careful, this is the "crowbar" method. Only do that when you are absolutely sure that the returned value is not needed anymore (which was the case in my installation < lucky guy).

David Koenig answered Oct 11 '22 03:10


We discovered the behaviour on several of our sites as well; the culprit seems to be the DSGVO Plugin offered by legalweb.io.

The plugin developer has been informed, and the best solution was to clean the malware code from the _options table and disable the plugin.

boidii answered Oct 11 '22 02:10


I found the same on one of my sites and could not identify any malware in the files; however, the "site URL" and "home" in the "_options" table were altered and I suspect a SQL injection to have been the culprit here. None of my malware tools could identify anything at the filesystem level so it appears to be some sort of 0day exploit as I cannot find anything similar. I've ensured that everything is updated and will monitor my site further, but a starting point would be to determine if there are any outdated plugins or themes that may suffer from a vulnerability and if yes then a more difficult task would be to identify which. I am looking through my logs now and will update this thread if I find anything.

Malin answered Oct 11 '22 02:10
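
A read-only triage pass to run before the delete step in the first answer, which also checks the `siteurl` and `home` values the last answer found altered. This is an added example, not code from any of the answers; it assumes WP-CLI is installed, and the function names, the expected-host argument and the backup path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: read-only triage before deleting any rows.
# Assumes WP-CLI ("wp") is on PATH and this runs from the WordPress directory.
# The expected host and the indicator string are supplied by you.

# Print the lowercase host of a URL: https://Example.com:8443/blog -> example.com
url_host() {
  local u="${1#*://}"        # strip scheme
  u="${u%%[/?#]*}"           # strip path, query, fragment
  u="${u##*@}"               # strip userinfo
  printf '%s\n' "${u%%:*}" | tr '[:upper:]' '[:lower:]'   # strip port
}

# Classify one option value: prints OK, ALTERED or HIT-INDICATOR.
# usage: classify_option <value> <expected-host> <indicator>
classify_option() {
  case "$1" in *"$3"*) echo "HIT-INDICATOR"; return ;; esac
  if [ "$(url_host "$1")" = "$(url_host "$2")" ]; then
    echo "OK"
  else
    echo "ALTERED"       # points somewhere else: restore it, do not delete the row
  fi
}

# usage: triage <expected-host> <indicator>
triage() {
  [ -n "$2" ] || { echo "indicator must not be empty" >&2; return 2; }
  # Keep a copy outside the web root before any cleanup (path is an assumption).
  local backup="$HOME/wp-pre-cleanup-$(date +%Y%m%d-%H%M%S).sql"
  wp db export "$backup" || return 1
  # siteurl and home are core options; deleting these rows would break the site.
  for opt in siteurl home; do
    printf '%s: %s\n' "$opt" \
      "$(classify_option "$(wp option get "$opt")" "$1" "$2")"
  done
  # List every table:column and row id containing the indicator; nothing is changed.
  wp db search "$2" --all-tables
}

# Runs only when called with both arguments, e.g.:
#   ./triage.sh example.com piterreceiver
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

Rows reported as ALTERED or HIT-INDICATOR for `siteurl` or `home` are restored with `wp option update` rather than deleted; the remaining hits are reviewed row by row against the backup.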