Site hacked by Click feeds? (18 posts)

  1. Nami115
    Member
    Posted 1 year ago #

    Hi,
    My website, http://www.mbadecoder.com has been getting all kinds of virus scripts for some reason. The latest one is a message on Chrome which goes:

    http://www.mbadecoder.com contains content from click.clickfeeds.net, a site known to distribute malware. Your computer might catch a virus if you visit this site.
    Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.

    How can I figure out what's going wrong? For now it is working on other browsers, but a couple of days ago it was just not working on any browser. At that time the message on the home page was:

    Warning: Can not modify header information - headers already sent by (........)

    Somebody, please help.
    Thanks.

  2. MissMaylis
    Member
    Posted 1 year ago #

    Hi,
    I've the same problem in my website: http://www.everythingislovely.fr.
    The problem has occurred since yesterday, like you.

    I don't know how to resolve this. Please, help me too!

    Thanks.

  3. cjchamberland
    Member
    Posted 1 year ago #

    First thing you need to do is FTP into your hosting account, check your main index.php, at the top will be a line of code that looks like

    <?php base64....

    Remove that. Also check the index.php and header.php of each of your theme directories, it's probably in there as well.

    Once you've cleaned it out, you need to locate the backdoor that allowed them to inject the code in your site; usually they hide this somewhere in your images, uploads or plugins directory. You also will need to upgrade WordPress to the latest version if you haven't already and change all your passwords.

  4. Nami115
    Member
    Posted 1 year ago #

    cjchamberland,

    Thanks for your reply. I have removed the extra code and the website is working fine right now.

    The second part that you have asked me to implement (locating the backdoor to check how this code came in): can you please tell me how I can go about that?

    Sorry for being silly and stupid, but this is just not my forte and the designer who put together my website is showing me the shoulder :(

    Thanks again!

  5. peosteve
    Member
    Posted 1 year ago #

    Nami115, my site was compromised too. I looked through my whole file structure and identified a few files in the cache directory as being suspicious. I've changed the names of those files to see what happens, and while it's possible that the cache files are not the backdoor, they certainly look like they're up to no good.

    Cache can be found here: /wp-content/themes/yourtheme/cache

    You should be able to remove all the cache files without issue, but I renamed them to see if I got it right. There was also a suspicious file in the root that was created today and just had a bunch of IP addresses in it. Not sure what that's all about... will report back if this fix doesn't work.

  6. perezbox
    Member
    Posted 1 year ago #

    Nami115

    In terminal, try running this:

    grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval) *\(" /var/www

    Where /var/www is the directory path to your site. So if you download locally modify appropriately. This is not all encompassing but will give you a good idea of what is going on.

    Please note, you might get a lot of false positives so you'll want to go through each finding and verify what it reports. Working with backdoors is a bit of a bear, best of luck.

    That last file, peosteve, sounds like conditional malware. Parsing traffic by IPs.

    Cheers.

  7. peosteve
    Member
    Posted 1 year ago #

    perezbox, thanks for letting me know. I thought it was weird, but figured if there's only a bunch of IP addresses in it, it couldn't do much on its own...

    what does that grep... command actually do?

    Nami115, still check the cache directory first for suspect entries... and if there's nothing there, or it's all normal, follow perezbox.

  8. perezbox
    Member
    Posted 1 year ago #

    GREP allows you to parse the content on your server by keying in key words, phrases, patterns etc.; it'll actually go through the files looking to see what it can find.

    I wrote a post here that better explains what I was saying above: http://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html

    As for not doing anything, sure unless something is referencing it. But then again, it could just be your .htaccess, who knows.. anyway..

    And here is an article demonstrating the things you can do with grep: http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/

    Cheers
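As an added illustration (not code from anyone in this thread), here is a small Python scanner that does what perezbox's grep does and also flags the kind of file peosteve found, one that is almost nothing but IP addresses. The sample site it scans is constructed inline; the severity labels and the extra `gzinflate`/`str_rot13` decoder names are my additions, not something the posts mention.

```python
import re
import tempfile
from pathlib import Path

# The function names perezbox's grep keys on, followed by optional spaces and "(".
SUSPECT_CALL = re.compile(
    r"\b(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir"
    r"|fopen|fclose|readfile|php_uname|eval)\s*\(")
# eval() wrapping a decoder on one line is the injected-header shape cjchamberland describes.
DECODE_AND_EVAL = re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")
IPV4_LINE = re.compile(r"^\s*(\d{1,3}\.){3}\d{1,3}\s*$")

def scan_file(path):
    """Return findings for one file: suspect calls by line, an IP-list flag and a severity."""
    lines = Path(path).read_text(errors="replace").splitlines()
    hits = [(n, m.group(1)) for n, line in enumerate(lines, 1)
            for m in SUSPECT_CALL.finditer(line)]
    decode_eval = any(DECODE_AND_EVAL.search(line) for line in lines)
    non_blank = [l for l in lines if l.strip()]
    # A file that is almost entirely IPv4 addresses matches the "bunch of IPs" file from post 5.
    ip_only = sum(bool(IPV4_LINE.match(l)) for l in non_blank)
    ip_list = len(non_blank) >= 3 and ip_only >= 0.9 * len(non_blank)
    if decode_eval or ip_list:
        severity = "high"
    elif hits:
        severity = "review"  # fopen/fclose etc. are normal in WordPress code; verify by hand
    else:
        severity = "clean"
    return {"path": Path(path).name, "hits": hits, "ip_list": ip_list, "severity": severity}

def scan_tree(root, suffixes=(".php", ".inc", ".txt", "")):
    """Walk the site directory and return one findings dict per file with a listed suffix."""
    return [scan_file(p) for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix in suffixes]

def build_sample_tree():
    """Constructed sample site: an injected index.php, a legitimate file and an IP-list file."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(
        "<?php eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')); ?>\n<?php // WP loader\n")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "cache.php").write_text(
        "<?php\n$fh = fopen($file, 'r');\n$data = fread($fh, 1024);\nfclose($fh);\n")
    (root / "ips.txt").write_text("10.0.0.1\n192.0.2.44\n198.51.100.7\n203.0.113.9\n")
    return root

if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["severity"].ljust(7), f["path"], f["hits"], "ip-list" if f["ip_list"] else "")
```

Run it against a local copy of the site by passing that directory to `scan_tree` instead of the constructed tree; "review" findings still need the manual check perezbox recommends.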

  9. peosteve
    Member
    Posted 1 year ago #

    It's a Windows server, so there isn't an htaccess file. :) I'm guessing those files in cache referenced it, but who knows. Looks like the issue is gone, so I'm happy. :)

    Thanks for all the info about grep and for your suggestions!

  10. Shan
    Member
    Posted 1 year ago #

    @perezbox where do I find this "terminal" area you posted about? Is it in the MySQL or somewhere else in the cPanel? I actually looked in the MySQL but see nothing called "terminal".

    I have the following tabs in the MySQL part of the cPanel:

    Structure
    SQL
    Search
    Query
    Export
    Import
    Operations

    Help?

  11. perezbox
    Member
    Posted 1 year ago #

    Hi Shan

    What operating system are you running?

    Thanks

  12. Shan
    Member
    Posted 1 year ago #

    Win7Pro.

    So this is on my PC, NOT in the MySQL database/phpMyAdmin, correct? I'm not sure my client will know how to do this herself. LOL But I want to check my machine just to be safe.

  13. perezbox
    Member
    Posted 1 year ago #

    Hi

    Correct, it's on your OS. The terminal on Windows is what you get when you run CMD from the Start prompt.

    But the real question is, are you running WordPress on a Windows box, or is that just where you spend your time? Most WP instances are on a LAMP stack, which means it's on some kind of NIX distro. What I mention above needs to be executed on the box that the site resides on.

    Thanks

  14. Shan
    Member
    Posted 1 year ago #

    Uh...my WP is hosted at Hostgator. How would I find this info out?

  15. perezbox
    Member
    Posted 1 year ago #

    Hi Shan

    You're going to want to contact your host and ask that question.

    But here is my concern, if you're stumbling with this I would caution against fiddling on your server. There are a couple of steps you're going to have to take to connect and make use of the terminal environment, unfortunately each takes time to configure and understand.

    It's because of this that I'd recommend you reach out for help if you need it; it doesn't sound like you have the technical background to go at it on your end. I could be wrong though; if I am, I apologize.

    The last thing I or anyone wants is for you to blow up your server.

    Thanks

  16. Shan
    Member
    Posted 1 year ago #

    I'm fairly tech savvy, but the DBs scare me because I can ruin a site that way. I can follow a good tutorial pretty easily. I design for WP bloggers (not a theme developer). I can just about hold my own in PHP, HTML & CSS. But core files? I get hives. LOL Although I have repaired & optimized my DB myself several times & even changed my username via MySQL.

    I wonder if my host would do this for me.

  17. MickeyRoush
    Member
    Posted 1 year ago #

    @ Shan & peosteve

    You can grep files on a Windows operating system with WinGrep. It's a freeware application that performs a function similar to Linux grep on Windows PCs.

    http://www.wingrep.com/

    Very easy to use. Just grab a copy of your whole site, a backup or whatever, to your desktop, and tell WinGrep to search for those terms that perezbox mentioned earlier.

Topic Closed

This topic has been closed to new replies.

About this Topic