Forums

WordPress › Support » How-To and Troubleshooting

Malware on site ... but where is the script!!!! (8 posts)

  1. jabbamonkey
    Member
    Posted 8 months ago #

    If I go to my site in Chrome, I get a message that my site contains malware. I scanned the source of the page, but I don't see any code in the page that links to malware ... So, I checked some of the templated files in WordPress ... but I couldn't find any malicious scripts. Technically the site is only one page (the homepage, with NO blog posts) .. but WordPress has tons of files running the CMS, so it is hard to track down a specific piece of code.

    Can someone tell me how to find this malware script that has attacked my page so I can remove it?!? I did some online diagnostics, and they say its a javascript malware script ... but I just can't find it...

    Here is the site...
    http://nyacwomenslax.com/

  2. otuatail
    Member
    Posted 8 months ago #

    Strange fails in
    Safari 5.1
    Firefox 6
    Chrome 14

    Ok in
    IE 8
    Opera 11.51

    Maybe browser settings?

    Desmond.

  3. otuatail
    Member
    Posted 8 months ago #

    It also says that there is Malware on the computer. I don't think we both have malware on both our PCs

  4. jabbamonkey
    Member
    Posted 8 months ago #

    In MY browser settings? Either way, I don't want ANY user to see a malware message. That's just bad. So the script exists somewhere, I just need to know how to find it and then get it out of my files...

  5. esmi
    Theme Diva & Forum Moderator
    Posted 8 months ago #

    What to do if you've been hacked:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

  6. jabbamonkey
    Member
    Posted 8 months ago #

    Most of those links provide little instruction on REMOVING malware scripts from an existing site. Yeah, the standard "change your passwords" is pretty obvious ... but that only avoids future attacks (for a time). As for restoring a backup ... not an option, since I don't have access to a backup (it's not my site, it's someone who asked me to help them).

    So, I need to find the malicious script in the files, and remove it.

    One thing I'm trying down is downloading the current site, and doing a scan (however, a standard scan wont pick up most web scripts ... and sometimes malware is hidden). Once I have this "bad" backup, I'm going to try and reupload a clean version of WordPress.

    However, if anyone has any idea how to FIND this code in my files, let me know (if not for NOW, then for a future time). Thanks.

  7. esmi
    Theme Diva & Forum Moderator
    Posted 8 months ago #

    There's no easy way to do this. Or a stereotypical solution because hacks vary so much in terms of how the hacker gained entry to your site/server, what files they targeted etc etc.

    You could try replacing all core WordPress files with a fresh upload which would mean deleting and then uploading all files & folders - except the wp-content folder - from a fresh download of WordPress. Ditto with any themes or plugins.

    Replace your database contents with a recent backup file taken from before the hack. Double-check your users and delete any that you cannot verify as being genuine.

    Finally, use the last link in the list I gave to help you to look through your wp-content folder - especially anything in the uploads folder - for any remaining back doors.

    Good luck.

  8. dd@sucuri.net
    Member
    Posted 8 months ago #

    Hey,

    I did a quick scan of your site and it is indeed compromised:

    http://sitecheck.sucuri.net/scanner/?scan=http://nyacwomenslax.com/

    Simple steps you can take:

    -Remove your .htaccess and all plugins/themes you have (hopefully you have a clean backup of your theme).

    -Login to wp-admin and force an update on WordPress. Reinstall the plugins you need and your theme. It will overwrite most of the bad stuff. Re-generate your .htaccess.
    -Change all your passwords.

    Now, it won't guarantee that you don't have backdoors hidden in there, but it is a good start and will probably remove most of the bad stuff...

    thanks,

Reply

You must log in to post.

About this Topic

Tags