Malware on a WordPress theme (4 posts)

  1. delikasi
    Member
    Posted 1 year ago #

    Dear Friends,

    Kindly help how to address this issue (see email from hosting company below). How do I resolve it without messing up the existing theme? Is it safe to just delete the theme and install a fresh one? I'm worried I might mess up the site. Please help. Thanks.

    Sincerely,

    Jovel

    -----------------------------
    Dear Jovel,

    We have requested Google to review your site and the malware URL still exists. We have checked further and found the malware injection in your "NewsSpot" theme/template. You could verify the sample injection here: /home/magicmel/public_html/blog/wp-content/themes/NewsSpot/index.php

    Please change your theme and delete the entire files/folder under "NewsSpot" theme.

    Please get back to us when done.
    ++++++++++++++++++++++++++++

    Thank you.

  2. How do I resolve it without messing up the existing theme?

    Where did you get that theme and can you share a link to your site?

    The normal way to do it is to get original copies of everything and give these links a good long read, as you probably need to delouse your web server.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

  3. delikasi
    Member
    Posted 1 year ago #

    Thanks for the quick reply Jan. Below are the complete details of the incident.

    Regards,

    Jovel

    -------------------------

    Dear Jovel,

    We have received a complaint regarding magicmelt.com which has been compromised. With this, we have temporarily suspended the hosting account. Please let us know when you are ready to fix the site so we can unsuspend. Below is the report.

    -----------------------------------------------------------------
    ---- Original message ----

    > This is an automated email alert; please do not reply to this email as
    > replies will not be answered. To get in contact with us, use the links
    > and contact details, mentioned in the text below instead!
    >
    > ************************************************************************
    >
    > TO WHOM IT MAY CONCERN:
    >
    > The security experts of cyscon GmbH would like to ask you to remove/review
    > the below mentioned file from/on your servers. At least one of our
    > scanners detects it, and we consider it malicious:
    >
    > ########################################################################
    > # begin logs
    >
    > IP: 67.215.234.180
    > URL: http://magicmelt.com/blog/
    > Port: 80
    > Tested on: Sat, 29 Sep 2012 12:33:19 +0200
    > Result: JS/Redirect.CG
    >
    > # end logs
    > ########################################################################
    >
    > Also, please check if your machine has been compromised and is now
    > being used by intruders in malicious activities, or if a legitimate
    > user is engaged in activity that is probably in violation of your
    > terms of service agreement. In either case, please investigate this
    > matter. Further details on this project & advisories may be found
    > here: http://www.c-sirt.org/faq-section/
    >
    > The incident is already solved? Then just visit the following url and
    > trigger a rescan of your file:
    > http://www.c-sirt.org/incident/?incident=da11a27d14a5c0cca800f9255956eee5
    > When the problem is solved the field "Solved" will be set and the
    > color changes to green. If this does not happen, a virus-scanner still
    > detects malicious content.
    >
    > You received this message because you are listed as the contact for
    > this network (AS# AS29761). This message is intended for the person
    > responsible for computer security at your site. If this is not the
    > correct address, please forward this message to the appropriate party.
    >
    > Please note: If more than one IP address at your site is involved, or
    > malicious code/malware is detected in more than one file, you may/will
    > receive more than one message, each one with different content.
    > Additionally you may find an X-ARF report attached to this document,
    > with all relevant details for automated complaint parsing. Learn more
    > about X-ARF: http://www.x-arf.org/specification.html
    >
    > We hope this important information regarding the security of your
    > customers/clients content is/was useful/helpful for you. In case of
    > further questions, or if you need any help in resolving this issue,
    > please feel free to contact us at <sitesecurity@cyscon.de>. We, the
    > C-SIRT team of cyscon GmbH, will assist you in any questions regarding
    > this incident [SIRT#0001208564].
    -----------------------------------------------------------------

    ########################################################################
    # begin logs

    IP: 67.215.234.180
    URL: http://magicmelt.com/
    Port: 80
    Tested on: Sat, 29 Sep 2012 12:33:44 +0200
    Result: Redirects.To.JS/Redirect.CG

    # end logs
    ########################################################################

  4. According to Sucuri SiteCheck, your site is blacklisted.

    http://sitecheck.sucuri.net/results/magicmelt.com

    I suggest you start going through that reading list just in case.

Topic Closed

This topic has been closed to new replies.
