Anti-Malware (Get Off Malicious Scripts)
[resolved] Help me clean my site! (4 posts)

  1. cryptedsecurity
    Member
    Posted 11 months ago #

    My login page is infected,
    the footer of my site is infected,
    and the body text in the article too!

    There could be more, but I'm terribly frustrated in failing to clean this mess.

    I deleted the WordPress files and copied the latest version in the hope that it might clean the wp-login.php, but it's still there! I can tell that this might have happened with the timthumb 0day exploit because of the theme that I was using, "earthlytouch", which has a "timthumb.php" script.

    The Anti-Malware quarantines the wp-login, but it still appears after a few hours on the login page.

    I want to know how deep this could be, like do I have to clean the whole database or can I clean it easily?

    I'll be grateful if you could help me with this, thank you so much. Screenshots below:

    SCREENSHOTS:
    https://dl.dropboxusercontent.com/u/1518581/WP/antimal.png
    https://dl.dropboxusercontent.com/u/1518581/WP/login.jpg
    https://dl.dropboxusercontent.com/u/1518581/WP/art.png
    https://dl.dropboxusercontent.com/u/1518581/WP/footer.png

    EDITED: Added screenshots.

    http://wordpress.org/plugins/gotmls/

  2. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    It looks like you have it almost clean. I'd bet this last link is just in one place and it should be easy to remove if you can find it.

    I cannot tell if it is hidden in the code or in the database. If you want to email me your WP Admin login I will hunt down this last link for you. Then I can add it to my definition update so it can be automatically removed like the rest were.

    You can email me directly: eli AT gotmls DOT net

  3. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks for sending me an admin login.

    The callback_function_php that is causing that link to show up all over your site was inserted into the top of your theme functions.php file. I removed that and added it to my definitions update so that it can be automatically removed from any site in the future.

    I did not notice anything else that looks out of place. But you can patch the wp-login.php file again if you want it to be stronger against brute-force attacks.

    Let me know if you spot anything else that you want me to investigate.

    Aloha, Eli
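
The finding in the reply above, turned into a check, as an added example that is not part of the original thread or of the Anti-Malware plugin: it scans the top of every theme's functions.php for injected-callback indicators. Only the name callback_function_php comes from the thread; the other patterns, the sample files and the Python function names are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators. Only the first name is quoted in the thread;
# the rest are assumptions about what injected PHP commonly looks like.
PATTERNS = {
    "name-from-thread": re.compile(r"callback_function_php"),
    "output-buffer-callback": re.compile(r"\bob_start\s*\(\s*['\"]\w+['\"]"),
    "dynamic-eval": re.compile(r"\beval\s*\("),
    "encoded-payload": re.compile(r"\bbase64_decode\s*\("),
}

def scan_theme_functions(themes_dir, head_lines=40):
    """Return (theme, line_no, label) for suspicious lines near the top of
    each theme's functions.php, the location reported in the thread."""
    findings = []
    for path in sorted(Path(themes_dir).glob("*/functions.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines()[:head_lines], 1):
            for label, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((path.parent.name, line_no, label))
    return findings

def build_sample(root):
    """Constructed sample: one clean theme, one with a harmless stand-in."""
    clean = Path(root, "cleantheme")
    dirty = Path(root, "earthlytouch")
    clean.mkdir()
    dirty.mkdir()
    clean.joinpath("functions.php").write_text(
        "<?php\nadd_theme_support('post-thumbnails');\n")
    dirty.joinpath("functions.php").write_text(
        "<?php\n"
        "function callback_function_php($html) { return $html; } // stand-in\n"
        "ob_start('callback_function_php');\n"
        "add_theme_support('post-thumbnails');\n")

def demo():
    """Build the constructed themes directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_theme_functions(root)

if __name__ == "__main__":
    for theme, line_no, label in demo():
        print(f"{theme}/functions.php:{line_no}: {label}")
```

A hit is a lead for manual review, not a verdict: legitimate themes also use output buffering, so compare any flagged functions.php against a known-good copy of the theme.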

  4. cryptedsecurity
    Member
    Posted 11 months ago #

    Thank you so much! I'll definitely let you know. Really appreciate it.
