Forums

WordPress › Support » How-To and Troubleshooting

[resolved] Please Help - virus/malware problem (7 posts)

  1. dizzybigfish
    Member
    Posted 1 year ago #

    I have a blog.... http://dizzybigfish.co.uk/ which is hosted by JustHost.

    The site uses the Neoclassical theme with 5 Widgets

    About Me 3000
    Video Sidebar widget
    Random Video Sidebar Widget
    Moo Collapsing Archives
    Smart YouTube

    I am using WordPress 3.0.

    My problem is that some (but not all) virus checkers arte reporting a problem with the site....

    AVG Virus Scan...
    "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D7DNY1BS\dizzybigfish_co_uk[1].htm";"Virus found

    JS/Redir";"Moved to Virus Vault"

    And, from virus scanner at work....
    WARNING: ProxyAV has detected a virus in this
    file!
    File has been blocked:
    ProxyAV Administrator:

    2010-10-21 11:42:44+01:00BST
    Hardware serial number: 4709220074
    ProxyAV 3.2.5.1(44989) - http://www.BlueCoat.com/
    Sophos, Plc.
    Scan Engine Version: 3.12.1
    Pattern File Version: 4.58G.2032713.3225757327 (Timestamp: 2010/10/21 03:49:00)

    Protocol: ICAP

    Virus: "Mal/Badsrc-F" found!
    URL: http://dizzybigfish.co.uk/

    However, my virus scanner at home (Avast) is not reporting a problem.

    I FTP'ed all of the files from the website to my PC and scanned them with Avast and Malware bytes - but nothing was found.

    Then I wondered if the problem was in the SQL database...

    A SQL injection of some kind ? I need some help to track down the cause and solve the problem (without binning the website and starting again please !).

  2. Cathy Tibbles
    Member
    Posted 1 year ago #

    The first step would be to notify your host. If you are on a shared host, they can & will scan your site for infections. Ask them for a security scan.

    Also, you can check the files wp-config.php, and in your theme folder - header.php, index.php, functions.php, footer.php for weird-looking lines of code. or do a search on the file for eval(base64 - that is almost surely a hack of some sort.

    Database hacks I've dealt with recently are this Pharmahack http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

  3. dizzybigfish
    Member
    Posted 1 year ago #

    Thanks Cathy - I had already contacted my web hosts to ask them to check my site; their response was...

    Unfortunately we cannot check your site for viruses.
    I advise you to download your website files to the local pc and scan them with some good antivirus software.
    If you need more help please let me know.
    Thank you.,
    --
    Kind regards,

    Ken Alexander,

    Just Host
    http://www.justhost.com

    So I downloaded (ftp'ed) the files and checked them on my PC - nothing found (checked using malwarebytes and Avast).

    I also checked the files you mentioned (wp-config.php, and the theme files) for anything suspicious - they all seemed fine.

    Also followed the instructions in your Pharmahack link (great link) - could not find any dodgy looking files and also did their database search - again nothing found.

    Can anyone else see if my site http://dizzybigfish.co.uk/ is being blocked by their virus checker, becuase I am wondering if it is a false positive ?

    Many thanks in advance - Ian

  4. Cathy Tibbles
    Member
    Posted 1 year ago #

    I dont get any warnings on visiting your site.

  5. songdogtech
    Member
    Posted 1 year ago #

    You were hacked. I see a malware link in your footer to utmost.dawnandjimmy.

    See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex

  6. dizzybigfish
    Member
    Posted 1 year ago #

    Thanks songdogtech - I will check out the FAQ's you have listed.

    Do you mind me asking - how did you spot this - and where do I look to find it ? I have looked in footer.php and there is nothing unusual (just a link to my YouTube channel)

  7. songdogtech
    Member
    Posted 1 year ago #

    View source on your page in your browser. The malware link will be in htaccess or the database or a core WP file. That's why you need to follow all the instructions to check everywhere to delete it. And tell your host, too, but it depends on how good they are as to how much help they will be.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags