
Malware Attacks on Admin , Can't Locate Source (18 posts)

  1. Jan Harold
    Member
    Posted 1 year ago #

    Hi everyone,

    I've been dealing with my WordPress malware infection for days. I was able to remove the redirection scripts (.htaccess attacks) and was scanned clean by Sucuri.

    Currently, my problem is in the admin section. But I haven't succeeded in locating the source of the weird malware detections (again, on some parts of the admin section only).

    Things that I've tried but failed:
    (note: I already changed all my passwords, including the AUTH keys and SALT keys in wp-config.php [FTP/user account/SQL])

    • Installed a lot of anti-malware, security and scanner plugins
    • Restoring backups from 1-2 weeks before the malware attack (a lot of times)
    • Clean install, several times (malware detected even before I installed any plugin/theme)
    • Tried locating the scripts with Chrome's console; I saw that it was from load-scripts.php, so I opened the file but didn't see anything suspicious (same script detected even after a clean install)

    My only remaining suspect is the database/SQL (I'm not 100% sure if they can alter this or have altered it already to produce the said malware scripts, but I've already done some reading about it, and it came back positive).

    I ruled out my hosting because, apparently, I installed another blog (clean install) on it, and everything is functioning well without any malware, admin or not.

    I'm no developer, so I actually had no idea how to deal with SQL. So what do I do now?

  2. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    From a clean download on a clean computer, upload (and overwrite complete folders) the two folders wp-admin and wp-includes...only those two...if you overwrite wp-content you will lose your plugins and themes...

  3. Jan Harold
    Member
    Posted 1 year ago #

    Hi, thanks for the response, but I already did. I know my computer is clean and the files are clean because apparently it is working on the other blog that I installed without any problem at all; if it wasn't clean, it should be infected as well (same machine, same files but different database).

    Also, I'm not having any problem losing uploaded files on wp-content because I have backups.

  4. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    So we have now noted what the difference is for two sites? We need to clean up the db?

  5. Alex Tabony
    Member
    Posted 1 year ago #

    Currently, my problem is in the admin section. But I haven't succeeded in locating the source of the weird malware detections (again, on some parts of the admin section only).

    But what are the symptoms? How are you detecting the malware?

  6. Jan Harold
    Member
    Posted 1 year ago #

    Yes. I'm suspecting that the only thing remaining is the db. BUT. I have no idea how to clean it without losing all the posts/data.

  7. Jan Harold
    Member
    Posted 1 year ago #

    @Alex Tabony
    I can only see it (Google warns me) when I access some of the plugin pages like Jetpack stats (not all of them, that's why I find it weird).

    Screenshot of the malware detection (including the URL)

  8. Alex Tabony
    Member
    Posted 1 year ago #

    Ok, there you have the domain with the source of the malware. You could search the database to locate it if it is in your database.

    There may be other plugins to do this better, but the search and replace plugin will allow you to search your database for the domain name in that screenshot. Just use the plugin to search and not replace unless you are sure you know what you are doing.

    Or if you are handy with SQL you could use phpMyAdmin.

    http://wordpress.org/extend/plugins/search-and-replace/

  9. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    Try removing the 'daily-free-apps' plugin or theme or what is calling it...

  10. @Jan Harold: who is your webhost?

    You need to search in your database for php eval strings and any instance of javascript functions.

  11. Jan Harold
    Member
    Posted 1 year ago #

    @Alex Tabony: I tried, but I haven't found anything. (The malware domain is changing and not static.) But this could be useful for my further searches! Thanks :)

    @Seacost Web Design: I'm really sorry, but if you had read carefully what I said: I've done a clean install, without installing anything (theme or plugins), and the symptoms still exist.

    @songdogtech: I'm with 1and1.com, can you be more specific? (I'm no back-end pro)
    Thanks!

  12. Neal Bloome
    Member
    Posted 1 year ago #

    Songdogtech means you have to log in to your hosting account and find your phpMyAdmin link; click it, which will bring you to your database tables, and from there you need to search through the tables (typically wp_posts, wp_postmeta, wp_comments, wp_commentmeta) for something that starts with eval() or any JavaScript in those tables and remove them.

    If your symptoms still exist after a clean install like you stated (clean meaning new database, new everything, every last detail new) then it's not a database issue; there's a 95% chance your web host is infected or being attacked.

    1and1 web hosting might not be secure, and at that point your only option is to change hosting providers, because nothing you do will help if their servers are insecure.

    Sorry I couldn't be of more help I know this was a little broad.

  13. Alex Tabony
    Member
    Posted 1 year ago #

    Adam, that search and replace plugin will let him do the DB search from the WordPress admin panel.

  14. Neal Bloome
    Member
    Posted 1 year ago #

    @Alex - Oops missed that part of the thread lol.

  15. Jan Harold
    Member
    Posted 1 year ago #

    Hi @Adam Losier, I already said that I ruled out 1and1 because I have another blog on my hosting and it's clean.

    Another weird thing: I can't seem to bump into the problem right now.

  16. @Jan Harold said:

    I already said that I ruled out 1and1 because I have another blog on my hosting and it's clean.....

    Nope. Search these forums and you'll find 1and1 had a bad rep as a host. Find another host, someone like bluehost.com (Not dreamhost, even though they are a "recommended" host.) Recommended WordPress Web Hosting

    @Alex and @Adam: http://wordpress.org/extend/plugins/search-regex/ allows search with grep, which is more powerful than other search plugins. That said, phpmyadmin is the way to go to be able to search the complete database in one pass and search in tables the plugins won't hit, like options and meta. Try WordPress › Portable phpMyAdmin « WordPress Plugins.
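    A read-only phpMyAdmin search over the tables post 12 names plus the options and meta tables post 16 says the search plugins skip, added here as an example (not posted by anyone in the thread). It assumes the default wp_ table prefix; the domain value is a placeholder for the one in the screenshot, and base64_decode( is an extra pattern added here beyond what the posts list.

    ```sql
    -- Added example, not from the thread: search only, nothing is modified.
    -- Assumes the default wp_ prefix; change it if your site uses another.
    -- Patterns are LIKE wildcards. The domain is a placeholder: the thread
    -- notes it changes, so the eval( / <script patterns are the durable ones.
    -- base64_decode( is an added check: injected eval() payloads are often
    -- stored encoded rather than as readable script.
    SET @pat_eval   = '%eval(%';
    SET @pat_script = '%<script%';
    SET @pat_b64    = '%base64_decode(%';
    SET @pat_domain = '%REPLACE-WITH-DOMAIN-FROM-SCREENSHOT%';

    SELECT 'wp_posts' AS tbl, ID AS row_id, post_title AS label
      FROM wp_posts
     WHERE post_content LIKE @pat_eval OR post_content LIKE @pat_script
        OR post_content LIKE @pat_b64  OR post_content LIKE @pat_domain
    UNION ALL
    SELECT 'wp_postmeta', meta_id, meta_key
      FROM wp_postmeta
     WHERE meta_value LIKE @pat_eval OR meta_value LIKE @pat_script
        OR meta_value LIKE @pat_b64  OR meta_value LIKE @pat_domain
    UNION ALL
    SELECT 'wp_comments', comment_ID, comment_author
      FROM wp_comments
     WHERE comment_content LIKE @pat_eval OR comment_content LIKE @pat_script
        OR comment_content LIKE @pat_b64  OR comment_content LIKE @pat_domain
    UNION ALL
    SELECT 'wp_commentmeta', meta_id, meta_key
      FROM wp_commentmeta
     WHERE meta_value LIKE @pat_eval OR meta_value LIKE @pat_script
        OR meta_value LIKE @pat_b64  OR meta_value LIKE @pat_domain
    UNION ALL
    -- wp_options and wp_usermeta are the tables post 16 says the plugins
    -- miss; injected code often sits in widget or theme option values.
    SELECT 'wp_options', option_id, option_name
      FROM wp_options
     WHERE option_value LIKE @pat_eval OR option_value LIKE @pat_script
        OR option_value LIKE @pat_b64  OR option_value LIKE @pat_domain
    UNION ALL
    SELECT 'wp_usermeta', umeta_id, meta_key
      FROM wp_usermeta
     WHERE meta_value LIKE @pat_eval OR meta_value LIKE @pat_script
        OR meta_value LIKE @pat_b64  OR meta_value LIKE @pat_domain;
    ```

    Paste the whole thing into the SQL tab of phpMyAdmin; the result lists the table, row id and a label for each hit so you can open the row and inspect it before deciding whether to edit anything. Legitimate rows can contain <script (embedded widgets, for instance), so treat a hit as something to read, not something to delete on sight.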

  17. Neal Bloome
    Member
    Posted 1 year ago #

    @Jan - songdogtech mentioned that people in the forums give 1and1 a bad rep; that is your first clue. Just because you have two sites on the same hosting account doesn't mean those two sites are on the same shared servers.

    They might be stored on different servers and it's possible that only certain servers have been infected (i.e. your one site and not your other).

    You can try to ask 1and1 support if they have had any hacks or malware problems done to them but they are trained to tell you no, it'll take a lot of work to get them to tell you what really goes on.

    I mean the only other thing I could think of is to ask them to move your infected domain to another shared server. They may or may not do it, but if they've been hacked or have insecurities in their software then moving to a clean server just might be putting a bandage over a gunshot wound.

  18. Jan Harold
    Member
    Posted 1 year ago #

    @songdogtech - Will consider that sir, Thanks :)

    @Adam Losier - Yeah, I get that. But those two sites that I mentioned are actually in the same account and folder, sorry if it wasn't that clear :D

Topic Closed

This topic has been closed to new replies.