Blog redirecting to Fake online scan (14 posts)

  1. weblogian
    Member
    Posted 3 weeks ago #

    I am using WP 2.8.5. I have scanned my computer and it has no virus, and I have even installed a fresh Windows copy. I have deleted the WordPress software and have uploaded a fresh one. I have changed all FTP, cPanel and WordPress usernames and passwords. But it is still redirecting to a fake virus scan site.

    It does not happen all the time. It happens randomly and mostly with Opera and IE.

    Kindly help!

  2. mercime
    Member
    Posted 3 weeks ago #

  3. weblogian
    Member
    Posted 3 weeks ago #

    Ah, how will I virus check my database? I have not done that far.

  4. esmi
    Member
    Posted 3 weeks ago #

    See Step 8 in the second link above.

  5. weblogian
    Member
    Posted 3 weeks ago #

    Thank you so much mercime and esmi for your time.
    I don't know if I will ever get rid of it.

    Is it also possible that my host server has got infected? I am on shared hosting.

  6. mercime
    Member
    Posted 3 weeks ago #

    Have you run Donncha's WordPress Exploit Scanner? http://ocaoimh.ie/exploit-scanner/

    I don't know if I will ever get rid of it.

    One of my other ways to double check if WP's been hacked is to:
    Go to Dashboard > Tools > Export All Authors and save the XML to your computer. Open it up with a plain text editor and scan through the file to see if scripts, iframes and others were inserted there, then delete such because there should be nothing of the kind in the XML file at all. Twice, I saw hacked scripts at the end of the XML file. If your XML file is large, you could also do an Edit > Find "script" or "iframe" etc.

    After you've cleaned your XML, you could make a totally clean install with the XML with a new database - that is, if you don't care about keeping your old plugin info like post views, most popular, and other statistical data etc.
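
Added example, not part of the original thread or of mercime's post: the manual check described above (search the exported XML for "script" or "iframe", and look at the end of the file) written as a small Python scanner. The sample export and the `injected.example` host are constructed, and the function and field names are this example's own.

```python
import re

TAGS = ("script", "iframe")   # the two strings the post says to search for
TRAILING = "after </rss>"     # label for anything past the end of the feed
TITLE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE)

def scan_export(text, tags=TAGS):
    """Return one dict per hit: line, tag, where, snippet."""
    # Match raw and entity-encoded opening tags: <script, &lt;iframe, ...
    needle = re.compile(r"(?:<|&lt;)\s*(%s)\b" % "|".join(map(re.escape, tags)),
                        re.IGNORECASE)
    findings, where = [], "channel header"
    for line_no, line in enumerate(text.splitlines(), start=1):
        if where == TRAILING:
            segments = [(TRAILING, line)]
        elif "</rss>" in line:
            # Text after the closing tag is reported as trailing content.
            head, _, tail = line.partition("</rss>")
            segments, where = [(where, head), (TRAILING, tail)], TRAILING
        else:
            if "<item>" in line:
                where = "item: (no title yet)"
            title = TITLE.search(line)
            if title and where.startswith("item"):
                where = "item: " + title.group(1)
            segments = [(where, line)]
        for place, segment in segments:
            for hit in needle.finditer(segment):
                findings.append({"line": line_no, "tag": hit.group(1).lower(),
                                 "where": place, "snippet": segment[hit.start():][:60]})
    return findings

# Constructed sample export, not from the thread; injected.example is a placeholder.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>Example blog</title>
<item>
<title>Second post</title>
<content:encoded><![CDATA[Text <iframe src="http://injected.example/"></iframe>]]></content:encoded>
</item>
</channel>
</rss>
<script src="http://injected.example/x.js"></script>
"""

if __name__ == "__main__":
    for f in scan_export(SAMPLE):
        print("line %(line)d [%(where)s] %(tag)s: %(snippet)s" % f)
```

A hit inside an item still needs a human look, since a post can legitimately contain an embed; a hit reported as `after </rss>` has no legitimate reason to be in the export.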

  7. weblogian
    Member
    Posted 3 weeks ago #

    That was a great help.
    I cleaned up my XML. But I still get redirection. Then I checked with exploit-scanner and this is the result. What is this telling me?

    Exploit Scanner

    This script searches through your WordPress install for signs that may indicate that your website has been compromised by hackers. It does NOT remove anything, this is left for the user to do.

    Modified Core Files
    
       1. /home/blogcast/public_html/wp-config-sample.php
       2. /home/blogcast/public_html/wp-includes/images/crystal/license.txt
       3. /home/blogcast/public_html/wp-includes/js/scriptaculous/MIT-LICENSE
       4. /home/blogcast/public_html/wp-includes/js/swfupload/plugins/swfupload.speed.js
       5. /home/blogcast/public_html/wp-includes/js/tinymce/license.txt
    
    Suspicious Strings
    base64_decode
    Often used by malicous scripts to decode previously encoded data, such as malicious URLs
    
    Found in the following file(s):
    
       1. /home/blogcast/public_html/wp-content/plugins/wp-security-scan/simplepie.inc
    
              pe & SIMPLEPIE_CONSTRUCT_BASE64)
              {
              $data = base64_decode($data);
              }
    
              if ($type & SIMPLEPIE_CONSTRUCT_XHTML)
              {
              if ($this->remove_div)
              {
              $data = preg_replace('/^<div' . SIMPLEPIE_PCRE_XML_ATTRIBUTE . '>/', '', $data);
              $data = preg_replace('/<\/div>$/', '', $data);
    
    display: none
    CSS styling used to hide parts of a web page (is often used legitimately, be concerned if it's used to hide a link)
    
    Found in the following file(s):
    
       1. /home/blogcast/public_html/wp-content/themes/blogcastorv2/functions.php
    
              "wrapstart") { ?>
              <div id="wrapstart" style="display: none;">
              <?php } elseif ($value['type'] == "wrap") { ?>
              <div id="wrap<?php echo $value['name']; ?>" style="display: none; float: left;">
              <?php } elseif ($value['type'] == "mainwrap") { ?>
              <div id="gangmei-wrap">
    
              div id="wrap<?php echo $value['name']; ?>" style="display: none; float: left;">
              <?php } elseif ($value['type'] == "mainwrap") { ?>
              <div id="gangmei-wrap">
              <?php } elseif ($value['type'] == "wrapend") { ?>
              </div>
              <?php } elseif ($value['type'] == "wrapend2"
    
              -subnav-tab-<?php echo $value['name']; ?>" style="display: none; width: 438px;">
              <?php } elseif ($value['type'] == "titles") { ?>
              <div class="gangmei-title"> <?php echo $value['name']; ?> </div>
              <?php } elseif ($value['type'] == "subtitles") { ?>
              <div class="gangmei-sub-title"> <?php
    
       2. /home/blogcast/public_html/wp-content/themes/blogcastorv2/js/jquery-1.2.6.js
    
              ing its values properly in Safari
              // then some display: none elements are involved
              else {
              var swap = [], stack = [], a = elem, i = 0;
    
              // Locate all of the parent display: none elements
              for ( ; a && color(a); a = a.parentNode )
              stack.unshift(a);
    
              // Go through and make the
    
              a = elem, i = 0;
    
              // Locate all of the parent display: none elements
              for ( ; a && color(a); a = a.parentNode )
              stack.unshift(a);
    
              // Go through and make them visible, but in reverse
              // (It would be better if we knew the exact display type that they had)
              for ( ; i < stack.len
    
       3. /home/blogcast/public_html/wp-content/themes/blogcastorv2/style.php
    
              rgin-left: 40px;
              margin-top: 68px;
              }
    
              .children {
              display: none !important;
              }
    
              a:focus {
              outline: none;
              }
    
              .share-div {
              width: 590px;
              height: 30px;
              background-color: #FFF;
              display: none;
              }
    
              .share {
              visibility: <?php echo $gangmei_share; ?>;
              }
    
              .random-image {
              width: 44px;
              height: 44px;
              border: 4px
    
              dth: 590px;
              height: 30px;
              background-color: #FFF;
              display: none;
              }
    
              .share {
              visibility: <?php echo $gangmei_share; ?>;
              }
    
              .random-image {
              width: 44px;
              height: 44px;
              border: 4px solid #F2F2E4;
              float: left;
              margin-left: 10px;
              }
    
              .random-content {
              float: right;
              width: 210px;
              }
    
              .random-content a:link 
    
    display:none
    CSS styling used to hide parts of a web page (is often used legitimately, be concerned if it's used to hide a link)
    
    Found in the following file(s):
    
       1. /home/blogcast/public_html/wp-content/themes/blogcastorv2/js/jquery-1.2.6.js
    
              // handle an edge condition where css is - div { display:none; } or similar
              if (this.style.display == "none")
              this.style.display = "block";
              elem.remove();
              }
              }).end();
              },
    
              hide: function(speed,callback){
              return speed ?
              this.animate({
              height: "hide", width: "hide", o
    
    eval(
    Could be JavaScript code used to hide code inserted by a hacker.
    
    Found in the following file(s):
    
       1. /home/blogcast/public_html/wp-content/themes/blogcastorv2/js/jquery-1.2.6.js
    
              2] ];
    
              if ( typeof fn == "string" )
              fn = eval("false||function(a,i){return " + fn + ";}");
    
              // Execute it against the current filter
              r = jQuery.grep( r, function(elem, i){
              return fn(elem, i, m, r);
              }, not );
              }
              }
    
              // Return an array of filtered elements (r)
              // and t
    
              f JSON is used.
              if ( type == "json" )
              data = eval("(" + data + ")");
    
              return data;
              },
    
              // Serialize an array of form elements or a set of
              // key/values into a query string
              param: function( a ) {
              var s = [];
    
              // If an array was passed in, assume that it is an array
              // of form element
    
       2. /home/blogcast/public_html/wp-content/themes/blogcastorv2/js/jquery.js
    
              17 -0400 (Sat, 24 May 2008) $
              * $Rev: 5685 $
              */
              eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};whil
    
    String.fromCharCode
    JavaScript code used to hide suspicious code, but can also be legitimate code.
    
    Found in the following file(s):
    
       1. /home/blogcast/public_html/wp-content/themes/blogcastorv2/js/jquery.js
    
              on(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(H(){J w=
    
    shell_exec
    Executes a server command like ls, cd, wget, etc. This may be a script used by hackers.
    
    Found in the following file(s):
    
       1. /home/blogcast/public_html/wp-content/themes/blogcastorv2/timthumb.php
    
              ("/FREEBSD|LINUX/", $os)) {
              $mime_type = trim(@shell_exec('file -bi "' . $file . '"'));
              }
              }
    
              // use file's extension to determine mime type
              if (!valid_src_mime_type($mime_type)) {
    
              // set defaults
              $mime_type = 'image/png';
              // file details
              $fileDetails = pathinfo($file);
              $ext = strt
    
    Suspicious Plugins
    
    Hooray! No suspicious plugins found in the active_plugins database record.

    Suspicious Settings
    
    Hooray! No suspicious text was found in any of your settings!

    Suspicious Posts and Comments
    
    Hooray! No suspicious text was found in any of your posts or comments!

  8. weblogian
    Member
    Posted 3 weeks ago #

    It gets redirected to this site http://infabouthacks.cn/?pid=180s05&sid=3c5779

  9. alism
    Member
    Posted 3 weeks ago #

    (^^^ which I would suggest people not to visit!)

    Might be a cookie based redirect.

    What's in your .htaccess file?

  10. weblogian
    Member
    Posted 3 weeks ago #

    Oh NO! I deleted all files on my domain. And I put up only a test index.html file. It is redirecting to this site http://infabouthacks.cn/?pid=180s05&sid=3c5779

    What am I supposed to do now?

  11. alism
    Member
    Posted 3 weeks ago #

    Just get rid of the test index.html file you put up?

    What's in your .htaccess......?

  12. weblogian
    Member
    Posted 3 weeks ago #

    Here is the link to my blog www.blogcastor.com

    If you use Opera and refresh or reload the page 3-5 times you will know.

    Opera seems to block that URL (http://infabouthacks.cn/?pid=180s05&sid=3c5779) from showing up.

  13. weblogian
    Member
    Posted 3 weeks ago #

    The .htaccess file is blank.

  14. weblogian
    Member
    Posted 3 weeks ago #

    I have even deleted all files on my domain, and all my databases. I just put a test index.html but still it is redirecting. What could be the reason for the redirection?
