How to Fix the WordPress Casino Hack

A client running WordPress received a Manual Action warning from Google about their site being hacked with injected URLS. The page mentioned on Webmaster Tools was http://domain.com/latest-casino-bonuses. The page was iframing a casino website which was making them look bad on Google. Here’s the way to remove the offending pages.

I removed the exploit with the help of this thread.

Just login to PHPMyAdmin from your Cpanel and click on the database for your website.
Then click in the SQL tab and paste the following query on your database and click “Go”:

SELECT * FROM wp_options WHERE option_name = ‘client_data_run’

Then delete the record that comes up.

Unfortunately, this only gets rid of the pages on your site. It doesn’t fix the source of your problems. To find out how they got in, scan your files for the keywords listed above.

We found the problem inside some old BackupBuddy files:

wp-content/uploads/backupbuddy_temp/obsof1gs6o/db_1.sql
wp-content/uploads/backupbuddy_temp/pnjq7v5or1/db_1.sql

So fire up Putty and SSH into your server. Now navigate to your Home directory and run the following Grep command:

grep -l -r -H “client_data_run” *

That will search your entire Home directory for any file that contain client_data_run. Delete them! That should resolve the hack and keep things clean until the next exploit.

Advertisements