My site says reported attack (23 posts)

  1. Amada
    Member
    Posted 2 years ago #

    http://www.maryse-ouellet.com

    My site says reported attack. Google's saying there's

    Of the 3 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-08-14, and the last time suspicious content was found on this site was on 2011-08-14.

    Malicious software includes 3 scripting exploit(s), 2 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

    Malicious software is hosted on 2 domain(s), including orjnfj.com/, numudozaf.com/.

    1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including numudozaf.com/.

    This site was hosted on 1 network(s) including AS36351 (SOFTLAYER).

    I'm not sure if it's because of WP but I saw something online saying it could be and I'm not sure what to do. I don't want to lose my site.

  2. Do a scan: http://sitecheck.sucuri.net/scanner/

    But it's possible that your server or software have been compromised.

  3. Amada
    Member
    Posted 2 years ago #

    Sucuri
    web site: http://www.maryse-ouellet.com
    status: Site infected with malware
    web trust: Site blacklisted.

    Blacklisted javascript included on:
    http://maryse-ouellet.com/
    Javascript included from a blacklisted domain.
    Details: http://sucuri.net/malware/entry/MW:BLK:2
    Javascript: maryse-ouellet.com

    That's what it says, I'm not sure what that means.

  4. Amada
    Member
    Posted 2 years ago #

  5. pinkgothic
    Member
    Posted 2 years ago #

    Amada, first, check your computer for malware, then, when you're certain you're clean, change your website passwords (especially FTP, this may be a variant of gumblar); then, in your FTP, check every folder and subfolder and sub-subfolder (and so on) of your site, for these files:

    • index.html
    • index.php5
    • auth.php
    • index.php
    • home.php
    • showthread.php

    If you edit them, you'll find that they've had a <script> injected into them; in the PHP/PHP5 files, it'll be the last line(s), after the ?>; in the HTML files, it'll be just before the closing </body> tag - remove those. Be thorough about it - it's tedious work, but it pays off.

  6. pinkgothic
    Member
    Posted 2 years ago #

    Ack, a kindgom for an edit button! I forgot to add (albeit kind of obvious): If you sort your files in your FTP by date, then you can find the infected files easier, they'll have timestamps denoting a change today.

    May I ask who your host is? The sites of a friend of mine were infected, all hosted by Gridstar, hence the enquiry. (It's unlikely that has anything to do with it, but right now we're still trying to figure out what exactly happened).

  7. pinkgothic
    Member
    Posted 2 years ago #

    ...kingdom^. I'll just shoot myself now.

  8. The edit button is under your 'posted X ago' and is available for 60 minutes from your post ;)

  9. Amada
    Member
    Posted 2 years ago #

    My host is hostgator and like you mentioned, something happened because it wasn't only my site on the server, it happened to others and the hosts are not particularly making it a priority. I will do what you said to do and see if I can help resolve it quicker. I appreciate your help very very much. Hopefully I can find this.

  10. Amada
    Member
    Posted 2 years ago #

    It looks as if someone was in the index pages as they all have 08/14 as the last date but I am not finding any scripts.

  11. Amada
    Member
    Posted 2 years ago #

    I will keep looking, thanks again, I hope this gets resolved, it is irritating and makes me upset.

  12. Amada - Same to you. PLEASE don't double post like that, you make our spam filter get worried.

    My host is hostgator and like you mentioned, something happened because it wasn't only my site on the server, it happened to others and the hosts are not particularly making it a priority.

    Are you using TimThumb as a plugin or theme? There's a known security hole with that.

  13. Amada
    Member
    Posted 2 years ago #

    Sorry...

    And no I don't have that as a plugin or theme.

  14. pinkgothic
    Member
    Posted 2 years ago #

    @Amada: Thanks for the heads-up with your host, it's somewhat 'soothing' to know it's not an issue of a specific host, even if that implies a bigger problem.

    (I should probably add this doesn't look like a WordPress vulnerability, either, this happened to sites without WordPress, also. Most of the ones my friend had weren't WordPress; three of them didn't even share a webspace with a WordPress installation. My money is still on a gumblar derivate.)

  15. eisd
    Member
    Posted 2 years ago #

    Amada,

    We are having this problem too.

    I can confirm it's not a WordPress security hole. We have a dedicated server, and we don't even run a hint of WordPress on our servers.

    However, being that I actually know how to locate the source of security problems, I wasn't going to just sit around and let support try and figure it out while our sales plummeted. So I just finished working with SoftLayer Live Support to determine the root cause of the problem.

    It appears there is malware which is using a brute force attack via FTP to gain access to and modify your files.

    We have multiple servers - all of which have very strong passwords and were attacked within the span of a single day. We checked the SSH logs and, fortunately, there was no SSH access. However, based on the FTP log activity, we were able to determine the type and nature of the attack.

    Finally, we reach the IP address you'll need to ban:

    204.12.252.138

    This was the IP address responsible for the script injections on our dedicated server. It may be some variant for your own server.

    However, SoftLayer says I need clearance to get an IP banned.

    I sent the live support chat log and how we were able to deduce the source of the problem to their ticketing system.

    If you want to message me or discuss this further, send an email to rogjunk@gmail.com

    That's my junk email inbox, but I'll reply with my real email address.

    Cheers.

  16. pinkgothic
    Member
    Posted 2 years ago #

    Guys, just so you know, there's a thread on Google Webmaster Central's "Malware & hacked sites" forum, too, in case someone wants to take a look at that.

  17. Amada
    Member
    Posted 2 years ago #

    Eisd, thank you for your response, I did send you an email and thank you for all of your help pinkgothic. I have still not been able to solve this problem so hopefully soon. I am so upset, this is awful.

  18. eisd
    Member
    Posted 2 years ago #

    It appears pinkgothic may be right and this isn't a brute force but rather a decryption of saved FTP passwords.

    We just finished cleaning an entire server. Here are the steps:

    1) Change all your FTP passwords. Configure your FTP client to not save passwords. Write your passwords down instead or store them in a secure place. Use a strong random password generator. Your passwords should look something like: !@$(*cxz0

    2) If you have a Linux server and have SSH access, you can use the following command to locate all infected files:

    grep -nslPR "<script>[A-Za-z]\w+=" *

    It will search all subfolders as well. It will run incredibly slow, but it will find the exact infected files so you can clean them up.

    I wouldn't run SSH from a possibly infected computer though.

    The command I gave is a search only. You can also try an automated find/replace:

    http://refactormycode.com/codes/1600-find-and-replace

    In order to use the above find/replace command, you should have a strong grasp of regular expressions (in which case, you should know not to use regex for HTML parsing). I chose to manually replace because if it detected the wrong scripts, I would be in trouble.

    If you need a more specific search (in the event you have safe JS code that starts off with an inconvenient implicit global):

    grep -nslPR "<script>(ti|wa)=" *

    3) Have your host ban the IP address I listed above. Check your FTP and SSH logs for suspicious activity from unrecognized IP addresses. Ban those IPs.

    4) Finally, once everything is clean, use Google Webmaster Tools to request a review of your website to remove the malware warning from Google Search and Google Chrome.

  19. montoyamedia
    Member
    Posted 2 years ago #

    I have this virus on three different servers on 10 different sites. I searched for:
    index.php,index.html,home.php,home.html,default.php,default.html,auth.php,auth.html & every page has the code snippet. I delete the virus, and 24hrs later the virus is back again. I have TMDHosting, Godaddy, & Dreamhost. I don't have access to SSH, is there any other automated way of searching for the scripts with php? I've been searching with the regex search in my cpanel for file names, but unfortunately it doesn't search the contents of the files.

    -ALbert

  20. pinkgothic
    Member
    Posted 2 years ago #

    @montoyamedia: the virus isn't the code snippet, though it propagates that way; it's an infection on someone's computer. So, the first thing you should do is check yourself for malware, make sure you're clean; when you've confirmed that, change your FTP password(s). Then clean out the infected files.

    As for how to do it, you can write yourself a PHP script that'll remove that particular <script>. Anything that descends through your directory structure and opens every applicable file will do, for example: http://beaver6813.com/2010/04/php-search-and-replace-directory-recursively/ (Note: I haven't tested this, I can't vouch for it, but note it only touches .php files; you'll want to adjust if(substr_count($sub,'.php') to be something like if (in_array($sub, $files)) or comparable, with $files populated at the start of the script like:

    $bases = array('index', 'home', 'default', 'auth', 'showthread');
    $extensions = array('html', 'php', 'php5');
    $files = array();
    foreach ($bases as $base) {
      foreach ($extensions as $extension) {
        $files[] = $base . '.' . $extension;
      }
    }

    (Or just hardcode the array if you'd rather.)

    Make sure you test your script in a sandbox first. If you run into trouble, try a website like stackoverflow for generic programming help. :)
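    As an added example (not code from this thread or from the linked beaver6813 script), here is a PHP CLI script that combines eisd's grep signature with pinkgothic's filename list: it walks a directory tree, reports every listed file containing an injected <script> block, and only rewrites files when run with --remove, copying each original to a quarantine directory outside the webroot first. Assumptions of mine: PHP CLI on a clean machine, the argument names, and the quarantine location under the system temp directory.

```php
<?php
// Added example, not from the thread: dry-run by default, rewrites only with --remove.
// Usage: php scan.php /path/to/site [--remove]   (run after changing FTP passwords)

// Filenames the thread reports as targets of the injection (pinkgothic's list).
$targets = array();
foreach (array('index', 'home', 'default', 'auth', 'showthread') as $base) {
    foreach (array('html', 'php', 'php5') as $ext) {
        $targets[] = $base . '.' . $ext;
    }
}

// Signature from eisd's grep: "<script>" followed by a bare identifier assignment,
// extended here to capture the whole block up to the closing tag (non-greedy, dotall).
$pattern = '#<script>[A-Za-z]\w+=.*?</script>#s';

// Quarantine dir is an assumption: kept outside the webroot so backups are never served.
$quarantine = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'infected-quarantine';

function scan_dir($dir, $targets, $pattern, $remove, $quarantine, &$report) {
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') continue;
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path)) {
            scan_dir($path, $targets, $pattern, $remove, $quarantine, $report);
        } elseif (in_array($entry, $targets, true)) {
            $contents = file_get_contents($path);
            if (preg_match_all($pattern, $contents, $m) > 0) {
                // Record the hits and the mtime (the thread sorts by date to spot changes).
                $report[$path] = array('hits' => $m[0], 'mtime' => date('Y-m-d H:i', filemtime($path)));
                if ($remove) {
                    if (!is_dir($quarantine)) mkdir($quarantine, 0700, true);
                    copy($path, $quarantine . DIRECTORY_SEPARATOR . md5($path) . '.bak'); // keep evidence
                    file_put_contents($path, preg_replace($pattern, '', $contents));
                }
            }
        }
    }
}

$root   = isset($argv[1]) ? $argv[1] : '.';
$remove = isset($argv[2]) && $argv[2] === '--remove';
$report = array();
scan_dir($root, $targets, $pattern, $remove, $quarantine, $report);
foreach ($report as $file => $info) {
    echo ($remove ? 'cleaned  ' : 'infected ') . $file . ' [modified ' . $info['mtime'] . '] '
        . count($info['hits']) . " script block(s)\n";
    foreach ($info['hits'] as $hit) echo '    ' . substr($hit, 0, 60) . "...\n";
}
echo count($report) . " file(s) matched\n";
```

    Run it without --remove first and read the reported blocks; a legitimate inline script that happens to start with an identifier assignment would match too, which is why the thread's author chose to replace by hand.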

  21. montoyamedia
    Member
    Posted 2 years ago #

    Thank you Pinkgothic!

    I appreciate all your words of advice. I will make sure to do a virus scan, and to think I thought I was safe because I had a Mac.

    -Albert

  22. chriskatz
    Member
    Posted 2 years ago #

    @montoyamedia: one question.
    On your three different servers and 10 different sites, do all of them have FTP installed? Or do all of them have WordPress installed? I just want to figure out what's the root cause of this attack. Is the FTP password stolen? Or WordPress bugs? Or some malware sniffing on your local network traffic & capturing your FTP passwords?

  23. vwelch
    Member
    Posted 2 years ago #

    The last 5 days my site has been hacked removing my index file. I went in and checked all files removing some that had an edit date of 8/14/11. It appears they got in through either an FTP attack or through a vulnerability within a plug in. I added a security plug in and will see if this works. Funny I got an email saying that WP locked out an IP address at 230am because of unsuccessful attempts. Maybe I have them out of my site. I understand there is a file called TimThumb and it has vulnerabilities. There is a new 2.0 version that corrects the issue.
