Infected WordPress site (7 posts)

  1. Boz2006
    Member
    Posted 6 years ago #

    We use a test website for trying out WP themes and various gadgets for images etc.

    This website looks as though it has been infected by malware. It's at goatdoodle dot com but if you're taking a look, please make sure you're protected. We get warnings from Google, Firefox and IE. It is directing a visitor to a fake site for downloading Spyware protection.

    Could anyone advise on how to clean an installation rather than wiping it clean and starting again?

    Thanks

  2. mikey1
    Member
    Posted 6 years ago #

    Hi there, thanks for the warning, I won't visit.
    To me, it sounds like Advanced XP Defender,
    you'll probably get popups with ads saying it's been detected, the ads will probably mention Advanced XP Defender.
    Do a Google search, there are cleaners available.
    You don't say what version of WordPress you are using, but if it's after a recent upgrade, it could well have stayed on your system and continue infecting.
    I googled this: Advanced XP Defender is a scam and should be treated as such: do NOT download or buy it and block their homepage using your HOSTS file.
    I would start by using genuine anti spyware first to identify what it is.
    hope you get there,
    mike

  3. Boz2006
    Member
    Posted 6 years ago #

    Mike, thanks for the advice.

    I'm using WordPress penultimate version, and it was a clean install from Fantastico, not an upgrade.

    Yes, it is Advanced XP Defender.

    Basic question, apologies, but with genuine anti-spyware how/where do I use it? Can it be uploaded or pointed to the site's folders?

    Or perhaps it's an issue for our webhost?

  4. mikey1
    Member
    Posted 6 years ago #

    Hi there, glad you've identified it.
    I would start with your own computers with anti spyware.
    In fact we talked about this a few weeks ago in this thread.
    http://wordpress.org/support/topic/182061?replies=30

    It can be difficult to get rid of and if necessary your webhost or server should be notified as they will need to do their own scan.
    Incredibly this malware is currently only rated medium risk,
    but causes incredible inconvenience, the Russian site pandora that issues these I believe has now been blocked.
    I'm sure it will work out, don't panic, it's designed as scareware to make people click on the links.
    mike.
    PS. regarding where/how to use anti spyware, start with your computers, there's some good advice from others in the thread I've left the link to.

  5. Boz2006
    Member
    Posted 6 years ago #

    Many thanks, Mike, I will check the link. Our own PCs appear clean at first sweep.

  6. rawalex
    Member
    Posted 6 years ago #

    boz, that particular hack may not be at the WordPress level, but at the server level. There are certain ones that use various methods to infect / modify / screw with Apache webserver, and will only provide this popup once per day per user (which is a good way to hide it), or only to a certain percentage of users.

    It is advisable to ask your host to do a file compare on your full Apache install.

    As for the malware itself, the initial program isn't terrible, but it opens a rootkit on your PC and you will get your machine infected to hell with spyware.

  7. Boz2006
    Member
    Posted 6 years ago #

    Thanks, guys. Looking at the FTP logs for this site, they gained entry about a month ago through cPanel, not WP, and inserted a script on the footer of the home page, and dumped some stuff in 777.php (not sure about the latter - some security control folder?). Their IP gave their outfit as in St Petersburg, not unknown for that sort of activity.
