HELP PLEASE! malware ruining my life
-
So, after updating to the newest version of wordpress all of my sites have been listed on google’s malware list.
I’ve tried everything to get the offending javascript to disappear, including hiring an IT specialist. Unfortunately it looks like I’m going to have to wipe all of my servers and start from scratch.
I’m hoping there is a way to back up all my posts so I can reinstall them into my new sites without having to do it one by one. Anyone know how to do this?
Also, anyone know how to virus/malware protect a server? this is also beyond my capabilities. I can NEVER allow this to happen again as it is costing me more than to just outsource a custom website and not deal with what used to be my favorite CMS….
-
Your problems are actually far less likely to be related to your favorite CMS than they are your own habits, site, (including timely software updates to minimize exposure for any known issues) and/or server security.
I’m hoping there is a way to back up all my posts so I can reinstall them into my new sites without having to do it one by one. Anyone know how to do this?
There sure is. Web-Site Basics 101: Your content (posts, pages, comments) is actually stored in your database. The goal here is two-fold. 1) Backup all the files and folders in your web space to a safe location, and 2) Do the same with your database. You should also learn how those files and the database are now capable of re-infecting your site, should you accidentally restore data or a file from a backup you took once your site was already hacked.
Tons of fantastic information in this article. WordPress Backups
Also, anyone know how to virus/malware protect a server? this is also beyond my capabilities. I can NEVER allow this to happen again..
Nothing you do will ever be a 100% guarantee. And you can never say never. It’s not realistic. What you CAN do, is start by learning basic good habits that include much more than you might initially expect or think of. A good start and some excellent advice found here: Hardening WordPress
The server/shared hosting environment security is 100% the responsibility of your host. If you have a VPS or dedicated server, then it’s up to you.
Even if your site(s) are on a managed server, protection from the HTTP protocol and practicing safe habits is up to you.
There are many steps that you can take to harden your site as previously mentioned. Here are a few more:
1. http://codex.wordpress.org/Backing_Up_Your_Database
2. http://codex.wordpress.org/Restoring_Your_Database_From_Backup
More reading:
1. http://codex.wordpress.org/FAQ_My_site_was_hacked
2. http://wordpress.org/support/topic/268083#post-1065779
3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
4. http://ottopress.com/2009/hacked-wordpress-backdoors/
timthumb hack reading:
If you have indications of possible timthumb hacking, please read these:
1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
If you believe your personal computer (not your host server) is infected please read these:
1. MajorGeeks.com malware removal:
http://forums.majorgeeks.com/showthread.php?t=35407
2. MajorGeeks.com how to protect yourself from malware:
http://forums.majorgeeks.com/showthread.php?t=44525
Thank you for your suggestions, they have been duly noted.
Any ideas on what or where coding from “tds22.assexyas.com” might come from, or be hiding? I backed up my website and am running as many malware programs as I can find, then replacing the old version of the website with the one that supposedly doesn’t have the one file the programs deleted, but it doesn’t seem to be fixing the issue.
Thanks again.
Deleted the injection link to stop flipping out anti virus things 🙂
Also, anyone know how to virus/malware protect a server? this is also beyond my capabilities.
You need to ask your webhost for help, or hire someone then.
And it keeps happening because your install isn’t secure :/
This is a duplicated post (-1 in the url). The original post was here http://wordpress.org/support/topic/help-please-malware-ruining-my-life?replies=3
Here was my response:
To learn how to export your posts, pages, custom post types, comments, custom fields, categories, tags, custom taxonomies, and users go to http://codex.wordpress.org/Tools_Export_Screen
If you have the proper security settings and permissions enabled and no fishy plugins or themes your websites shouldn’t get hacked. I would recommend installing Ultimate Security Checker and Better WP Security. Cloudflare also has a great free service which I could recommend.
(FWIW, the -1 and so on just means two people have the same post. You’d be surprised at how many people use the exact same, weird, wording).
But yes, please don’t make dupe posts.
And if hacked the first thing you should do is inform your webhost.
Odd update:
now all of my pages display: “you need to pay for this crypt”
anybody have any further insight? googling the phrase will find you a long list of websites displaying the same thing.
Have you talked to your webhost about this?
It’s not WordPress, it’s your server. They’re still getting in. If you’ve changed your passwords, deleted all the wordpress files from your server, uploaded CLEAN versions of everything, and they still get in, pick up the phone and call your webhost. Now.
@rxdlr: I see this malware on many sites.
The malicious code is usually at the very top of the index.php file.
By the way, is the “you need to pay for this crypt” still there? Do you see it in the index.php?
The malicious code is usually injected by backdoors. On WordPress sites it pretends to be a plugin. Please check if you have the following “plugin” /ToolsPack/ToolsPack.php ?
It could be hiding in your database. Did you reinstall the old database? Make sure to find and remove any references to “you need to pay for this crypt” or whatever other code you’re seeing.
Also, make sure the computer you’re logging into your site with is free of malware, or it’ll keep gaining your new passwords and reinfecting your site.
I wrote an article about this infection:
http://blog.unmaskparasites.com/2012/03/07/you-need-to-pay-for-this-crypt-trial-version-of-malware/
And ironically enough, visiting your site to read the article set off an AVG virus warning on my windows laptop and harshly limited access to your content. I think AVG’s latest definitions may be wound a little too tight. 🙂
I know, it always happens when I post snippets of malicious code. Unfortunately, I don’t have AVG to test which part of the code triggers the alert (it’s usually enough to add some extra space, but it’s hard to predict what their rules look for exactly).
I’ll try to play with the snippet and leave a bare minimum so that it is still recognizable.
Update: I’ve slightly modified the snippet. Not sure if it’s enough. Do you still see the alerts?
UseShots wrote:
Do you still see the alerts?
Yes, according to AVG it’s an Exploit Blackhole Exploit Kit (type 2129)
http://www.avgthreatlabs.com/webthreats/info/blackholeexploitkit/
A client of mine had this issue today.
The solution (for me) was simple…
An extra line of PHP code was added at the very top of his index.php file – the main one.
It started with:
<?php eval(base64_decode(
I removed the entire line of code…
From the <? to the ?>
And it fixed it.
–
You can also just re-upload your original index.php file, if you prefer.
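
The two checks mentioned in the replies above (a line starting with `<?php eval(base64_decode(` at the very top of a PHP file, and a fake plugin at /ToolsPack/ToolsPack.php), written as a file scanner. This is an added example, not part of the original thread; the function names, the 4 KiB read limit and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Injected line quoted in the thread: a PHP open tag followed at once by
# eval(base64_decode( ... ). Whitespace and short-tag variants are tolerated.
INJECTED = re.compile(rb"<\?(?:php)?\s*@?eval\s*\(\s*base64_decode\s*\(", re.I)
# Fake plugin path named in the thread.
FAKE_PLUGIN = os.path.join("ToolsPack", "ToolsPack.php")
HEAD_BYTES = 4096  # assumption: the injection sits within the first 4 KiB


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for .php files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel == FAKE_PLUGIN or rel.endswith(os.sep + FAKE_PLUGIN):
                findings.append((rel, "fake ToolsPack plugin"))
            with open(path, "rb") as fh:
                if INJECTED.search(fh.read(HEAD_BYTES)):
                    findings.append((rel, "eval(base64_decode( at top of file"))
    return sorted(findings)


def build_sample(root):
    """Write a constructed tree: one clean file, one injected, one fake plugin."""
    plugin = os.path.join("wp-content", "plugins", FAKE_PLUGIN)
    samples = {
        "wp-load.php": b"<?php\nrequire 'wp-config.php';\n",
        # Constructed, harmless payload: decodes to "echo 1;"
        "index.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n<?php\n",
        plugin: b"<?php /* Plugin Name: ToolsPack */\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{rel}: {reason}")
```

A hit is a lead, not proof: compare each flagged file against a clean copy from the original WordPress, theme or plugin package before deleting anything.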
- The topic ‘HELP PLEASE! malware ruining my life’ is closed to new replies.