My Elementor Pro Wordpress site got hacked and is redirecting when I open the site [closed]

Moderator Note - While this is off-topic, we're leaving it up for now since there seems to be a widespread issue. We do not need similar posts popping up, and there are useful answers. Do not take this as a sign that future questions like this will be welcomed. Wordpress administration in general is off-topic, and Stack Overflow is not a resource to diagnose why any given site was hacked.

Until yesterday my site was working fine, I don't know what happens from morning, site is not opening, when I try to open it's automatically redirecting to tracking line site then to some other website, when I try to login for wp-admin it shows this error:

window.stop();var step = "https://away.trackersline.com/away.php?id=43436-22-4734573234"; document.location.href=step; window.location.replace(step);

What is this? And what happened to my site? How can I get it back? and How can I protect my site from this kind of hacks?

3 Answers

I'm having the same issue starting a few hours ago. It seems like it's exploiting some common flaw.

I'm solving it... and possible will have more info in an hour or so.

For now I can share the following:

Using Wordpress | Blueshost server | Cloudflare CDN | Elementor

16 hours ago I received a strange email saying the admin email had changed to [email protected]

Admin email sent through the website (like creating new user) started giving errors. Also noticed there were new strange users being created.

An hour ago my website presented this output:

window.stop();var step = "https://away.trackersline.com/away.php?id=43436-22-4734573234"; document.location.href=step; window.location.replace(step);

And after it started redirecting to different url and chained redirects with spam and ads.

I have checked my .htaccess file and theme's header.php, footer.php, functions.php files and found nothing unusual there.

I have checked my _options wordpress table (the suffix may not be "wp", thank you Dimistris for pointing this table) and the field siteurl had indeed a hacked url. I've changed it to my website url and this way had access to the wp cpanel.

At the wordpress _options table the following fields mailserver_url, mailserver_login, mailserver_pass also have strange values. With other email and password. I don't know what values it should have but mailserver_pass password yes is not a good value for sure.

I'll keep on digging and when find a solution for my case I'll share it. Still have no clue on what was the flaw that allowed this and how to protect it from future attacks.

Following update:

So has some friends pointed out here, the vulnerability comes from Elementor Pro + Woocommerce. Thank you all cause did put me in right direction to solve it. After changing siteurl field at _options table, and regain access to wp cpanel and updating Elementor Pro plugin from version 3.5 to 3.12 (info says the vulnerability happens from 3.6 bellow) things started to get back in shape. After updating elementor it has also corrected the field _elementor_assets_data from the table _options, so no need to mess in there. I did change the following fields mailserver_url, mailserver_login, mailserver_pass, siteurl at table _options (just in case). I'm not so used to use phpmyadmin and was not seeing all the fields until I noticed the listbox to change the number of visible results. Also the search %away.trackersline% helped me to check if there were any leftovers.

The spam scan from bluehost gave the bellow result, but after opening the file and checking the code, I didn't find any sign of it. So I guess it's a false positive due to this being related to access drive.

public_html/wp-content/plugins/use-your-drive/vendors/jquery-file-upload/SECURITY.md: SiteLock-PHP-SUSPICIOUS-fzl-logonly.UNOFFICIAL FOUND ----------- SCAN SUMMARY ----------- Known viruses: 2263445 Engine version: devel-clamav-0.99-beta1-632-g8a582c7 Infected files: 1

Also doing a checkup to removing and updating some plugins. I have some backups from UpdraftPlus, but sincerily I think it's safer not to restore and with least damaging to not use them. I've been also checking new users from past week no matter the role and deleted some clearly spam.

Nothing like a major shutdown at the website to clean the website and wondering about future, life and a good excuse to drink another coffee.

The issues are with the Elementor PRO vulnerability.

We got these issues across many of our sites earlier today, the catch was ELEMENTOR PRO which had BROKEN ACCES CONTROL that provided hacker to modify the SITEURL, Admin email and add new ADMIN users.

Symptoms

The Symptoms include redirection of homepage / cart / checkout to suspicious URL https://away.trackersline.com

We got email that admin email had changed to [email protected]

Bunch of new admins in our site.

Investigation

For any redirection issues that happen on Wordpress site, the problem lies under

.htaccess - a plain 301 redirect

wp-config - it may have overriding rules for home and site url

Theme - Usually the header.php, footer.php or functions.php in parent or child theme has got some <?php EVAL functions before the opening tags of <?php

Plugins - any recently installed/updated plugin or even an old nulled/cracked plugin could have provided a backdoor to the hacker.

Database - It has HOME and SITEURL under wp_options table, which can also be overridden by wp-config.php but in this case SITEURL had the suspicious URL https://away.trackersline.com. (NOTE: the prefix can be different for you so I mentioned a default one 'wp_')

Solution

Scan your site and database using Wordfence / Sucuri / Imunify360 or any available scanner. In our case none detected the vulnerability as it was new.

Replace the HOME or SITEURL via PHPMYADMIN or WP CLI to your site primary domain.

Remove any other admin user and also check the admin email under Settings > General to verify that its the valid one.

Update Elementor Pro, which is now patched for BROKEN ACCEESS CONTROL

Read more about Vulnerability: https://wpscan.com/vulnerability/73e8e030-8e8b-43de-a602-c699ab2eafaf

OK so as Naqi pointed out the issue seems to be coming from an out of date Elementor plugin or vulnerability.

We couldn't get into the website dashboard so I had to login to the main server and do everything by hand on the command line; I'm on Ubuntu.

First, the "wp_options" table had been changed. The home value was still set to the actual site but the SiteUrl option had been changed to the one you're seeing in the redirect.

I've managed to reset this back to the original value and get back into the dashboard; I would advise this is the first thing you do.

Once in, go to your users and check how many admins you have; we had one extra with the details shared by Geme; delete that user immediately!

Then get yourself a plugin like WordFence and do a full scan of the system; change your scan options so that scans will check files outside of your WordPress installation. Ours reported some changes in plugins and it will let you change them or delete them. Go through it with a fine tooth comb.

Then have WordFence update your .htaccess file for added security.

Once you've done all that

Change your admin password

Change your wordpress db password in mysql and then update your wp-config with the new password.

Then, update ALL of your plugins and delete any that are not active.

This is one of the pitfalls of WordPress unfortunately.

Big lesson: Keep backups, (off your server, use a plugin like Duplicator Pro to export to an external storage like Dropbox, Google Drive etc and keep your plugins up to date.

I am still doing more scans since I had emails about a sql database and if I find anything else, I'll post it here.

ncG1vNJzZmirpJawrLvVnqmfpJ%2Bse6S7zGiorp2jqbawutJobm5waGuEdn2OprBmnZyauqa606ipZqiipHq4u9Gdp6udo6h6tLXTnmSgp6RitaKvyp6bZpmemXqqv4yrnJ2hopqwtbXNoGSwoJWjeqp5zqmcp2WknbJuv8g%3D

Elina Uphoff

Update: 2024-05-19

ZBlogR