
[resolved] Redirected page to a virus warning for other website (11 posts)

  1. tarambana
    Member
    Posted 4 years ago #

    Hi,
    These are the symptoms:
    From some computers (i.e. on our Mac, using Safari) the blog address is redirected to a Google diagnostic page FOR A DIFFERENT website (statisticpossibly.com). I can access neither the pages nor the admin on that computer.

    On a PC, using Firefox, once past the admin login, the dashboard loads but the page goes blank after a brief instant and stays like that, with the browser busy downloading nothing forever.

    After using some of the admin pages (like inserting a photograph on a post) the same occurs: the page blanks and the browser keeps busy without stopping.

    Is this a virus?

    How can I get rid of it?

    Any advice desperately needed!

    Thanks

  2. esmi
    Forum Moderator
    Posted 4 years ago #

  3. tarambana
    Member
    Posted 4 years ago #

    Thanks esmi, I'm going to take a look.

  4. idea15
    Member
    Posted 4 years ago #

    I have just cleaned a WP install that was hacked to hell four days ago. A visitor alerted me to the hacking tonight by saying that he got the same message that Tarambana saw - containing a reference to statisticpossibly.com.

    When I took a look, virtually every .php file in the entire install (including plugins and themes) had been altered with base64 code.

  5. tarambana
    Member
    Posted 4 years ago #

    I got the same base64 code.
    You seem to know far more than me, Idea15. I wondered whether that was there because it has to be or if it was something added maliciously.
    Any information you can share will be most appreciated.
    I'm trying to find if there are any infections on the computers I use to update and manage the blog,
    but how can I scan for viruses and remove them from the website (server)?
    Thanks a lot

  6. idea15
    Member
    Posted 4 years ago #

    This particular install already had all the major WP security precautions and plugins, and I upgraded the install and plugins while doing some site maintenance as recently as two weeks ago. So I strongly suspect that the infection came from one of the computers the client's company was using. The hack happened within a few hours of them updating their web site, and they only do it once or twice a month, so I don't think it's a coincidence.

    To clean your site you will need to follow the advice in the links above. Here is another tutorial:
    http://knowit.co.nz/2010/01/8-steps-to-clean-a-hacked-wordpress-blog
    You'll have to delete ALL WP files (plugins, templates, the WP install itself), then reinstall everything from scratch. Export your data (under Tools) from the old site and import it into the new install. Create a fresh database as well.

    Because this client's theme was heavily customised I manually removed all the base64 code from the template files and double checked all files within it (including images).

  7. tarambana
    Member
    Posted 4 years ago #

    Thank you Idea15,
    I was planning to overhaul everything and re-install fresh.
    Before that, I'm cleaning both computers used for access. And that's what's more strange. One is a Mac laptop. The antiviruses used say it is clean. The other one is a PC. I've scanned it with Norton Antivirus 2010, Spyware Doctor, Sophos trial tool, and it comes out clean. Norton recently detected and stopped a couple of "attacks", as it calls them, on my computer but there were no consequences.
    So, I have no clue how it could have got to the website.

    Still, I have a Q:

    After reinstalling fresh WordPress and plugins, and provided that everything on the home computers checks clean, can I safely upload the images folders and the database files? They were backed up after the infection had taken place (unfortunately).
    What can or cannot be uploaded back from all the backed up files?

    Thanks a lot.

  8. idea15
    Member
    Posted 4 years ago #

    I really can't say what may be safe and what may not. I would suggest that you not rely on antivirus scans to review your files. Manually review them to see anything suspicious like an odd date/time stamp.

  9. tarambana
    Member
    Posted 4 years ago #

    Hmmm... What does a time stamp look like?
    The thing is I'm not sure I can tell what is good code from something inserted maliciously unless it's very obvious and I don't trust my very, very limited knowledge. So far I have not reinstalled anything old... but I have an empty blog!!
    Thanks again.
    The WordPress community must be praised for these pages!
    Thanks Idea15, Esmi, Samboll and everyone publishing answers here and in their own blogs.
    Thank you.

  10. idea15
    Member
    Posted 4 years ago #

    It's no bother at all, the ability to both give and receive help is what makes this community what it is.

    A time stamp would simply be the date and time the file was last modified. If you have a folder full of files that are dated, say, 2009/08/12 and yet one file is dated 2010/03/05, that might be suspicious.

    Here is a plugin you can add that will also give you some protection in future.
    http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
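
An added example, not part of any post in this thread: one way to automate the manual review described above, by listing files whose modification date differs from the date most files in the same folder share, and `.php` files that call `base64_decode()`. The function names, the sample folder and its contents are constructed for illustration, and the `base64_decode()` pattern is an assumption, since the thread does not show the injected lines.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import date

# Assumption: the injected "base64 code" calls PHP's base64_decode(); the
# thread does not show the injected lines themselves.
B64_CALL = re.compile(rb"base64_decode\s*\(", re.IGNORECASE)

def review_install(root):
    """Return (odd_dates, base64_hits): sorted paths relative to root."""
    odd_dates, base64_hits = [], []
    for folder, _dirs, files in os.walk(root):
        paths = [os.path.join(folder, name) for name in files]
        days = {p: date.fromtimestamp(os.path.getmtime(p)) for p in paths}
        if len(paths) >= 3:
            usual, count = Counter(days.values()).most_common(1)[0]
            # Trust the "usual" date only when most files in the folder share it.
            if count > len(paths) / 2:
                odd_dates += [os.path.relpath(p, root) for p in paths if days[p] != usual]
        for p in paths:
            if p.lower().endswith(".php"):
                with open(p, "rb") as fh:
                    if B64_CALL.search(fh.read()):
                        base64_hits.append(os.path.relpath(p, root))
    return sorted(odd_dates), sorted(base64_hits)

def build_sample(root):
    """Constructed folder: three files dated 2009/08/12, one dated 2010/03/05."""
    old, new = 1250078400, 1267790400  # noon UTC on each of those dates
    samples = {
        "index.php": (b"<?php echo 'home'; ?>", old),
        "header.php": (b"<?php echo 'header'; ?>", old),
        "style.css": (b"body { margin: 0; }", old),
        "footer.php": (b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>", new),
    }
    for name, (body, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        odd, hits = review_install(tmp)
        print("odd modification dates:", odd)
        print("base64_decode() calls:", hits)
```

A hit is a file to open and read, not a verdict: legitimate plugins also call `base64_decode()`, and a modification date can be reset, so a normal-looking date does not prove a file is untouched.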

  11. tarambana
    Member
    Posted 4 years ago #

    Thanks Idea15.
    One of the coincidences in all this was that when I started noticing something strange going on, the first sign of which was that the admin dashboard page loaded then went all blank or sometimes loaded but never finished loading, keeping the browser engaged, I noticed the amount of hits on the website increasing dramatically.
    I checked and the one responsible was a "bot". I copied its name and googled it. It belonged to what some described as a "Scrapper" website. Unfortunately I didn't write down the name. But when I googled it, it came up as a possibly malicious bot and there were articles warning about it.
    If I see the name again I'll try to print it here, just in case it helps.

Topic Closed

This topic has been closed to new replies.
