WordPress.org

Ready to get started?Download WordPress

Forums

Malicious code detection (6 posts)

  1. eswrite-wp
    Member
    Posted 2 years ago #

    Since I cleaned up my site from a hack (thought I had cleaned it), http://sitecheck.sucuri.net/scanner/ indicated no malicious code. Neither did a check from Google Webmaster tools. However, in its search results, Google reported that my site may be compromised. So I had my ISP run a scan, and they found (according to them) a bunch of malicious code, which they cleaned up through a script. Now they are recommending I re-install everything, but I'm pretty sure all my backups are going to have whatever is triggering the Google warning ... and whatever http://sitecheck.sucuri.net/scanner/ can't detect.

    I pretty much ran through the process described in my previous thread, so I'm a bit puzzled, again, since the recommended scanners flagged nothing.

  2. eswrite-wp
    Member
    Posted 2 years ago #

    Oh, I just did another scan at http://sitecheck.sucuri.net/scanner/. It says WordPress is outdated... but I just re-installed 3.3.1. What gives?

    EDIT: I looked deeper. It's flagging the default and my current index.php theme files.

    Web application version:
    WordPress version: WordPress 3.1.1
    WordPress directory: http://imagesbyeduardo.com/main/wp-content
    WordPress theme: http://imagesbyeduardo.com/main/wp-content/themes/carbonize/

    WordPress internal path: /hermes/waloraweb071/b376/moo.esfotoclix/main/wp-content/themes/carbonize/index.php
    Wordpress internal path: /hermes/waloraweb071/b376/moo.esfotoclix/main/wp-content/themes/default/index.php

    WordPress version outdated: Upgrade required.

  3. eswrite-wp
    Member
    Posted 2 years ago #

    Okay... I just checked both my installed /default/index.php and the one in the WP 3.3.1 clean install. They both read:

    <?php
    // Silence is golden.
    ?>

    If so, why would this be flagged by sucuri.net as out of date? I think it's just a false positive. Joy.

    [Bumps deleted. Hacked or not, please don't bump. It annoys people and is against the rules - Moderators.]

  4. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    Many of us believe that having the version number in the source code gives hackers an edge.

    If I were you I would add, remove_action('wp_head', 'wp_generator'); to your theme's functions.php file. That would get rid of the version number.

    When I run my site thru sucuri without a version number nothing is flagged

  5. MickeyRoush
    Member
    Posted 2 years ago #

    I'm not sure if the sucuri scanner looks for certain .js files or not. But it's a way to fingerprint the version of WordPress as well. It's not that accurate, but can give someone the idea, that the version is older or newer than another, as a newer WordPress version have/use different versions of certain files.

    When replacing all WordPress core files, you may want to manually delete them before replacing, in case one is accidentally or maliciously been set to a 444 file permissions, etc. Make a backup first!

    UPDATE! Yes the sucuri does look for certain .js file. Ooops! :)

  6. robthecomputerguy
    Member
    Posted 2 years ago #

    Why would you think that Google's database would be instantly updated when you cleared out your malicious code? That seemed like a lot of concern waiting for people at WordPress to solve your Google problem - that is not an instantaneous message, unless you take steps to get Google to update your crawl results ASAP you'll easily be marked as a compromised site for weeks.

    Everything else discussed made sense, but I'm pretty sure it was not the source, or the solution, of the problem. Yes a hacker may pass you over if they don't know your WP version number from the header, but I just did a reveal source on your site and I saw WordPress 3.3.1 in line 8.

    And right now, Friday at midnight EST, your website still shows as compromised in my Google search results, and there is a link to what to do in Google's Webmaster tools for you to resolve it.

    I don't think you'll be able to force the cache to update, but it would seem to me that if you delete and resubmit a sitemap for the clean site, that you can get your results updated faster. (In addition to the instructions Google provides at http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634 for cleaning up the site.)

    I tried to edit this to not sound completely annoying, but you really need to take action otherwise your site will sit as labeled with malware for quite a long time, for small sites, Google isn't coming every day to get an update from your site, so you have to put all of that in motion.

Topic Closed

This topic has been closed to new replies.

About this Topic