Trojan horse message - just sometimes - why? and how can I stop this? (16 posts)

  1. weltenbummlermag
    Member
    Posted 3 months ago #

    For a week now I've had a strange phenomenon with my website. Just sometimes a few people get a trojan horse message. Usually after I posted a new article.
    After putting the site on maintenance mode and opening it again, the message is gone. Nobody gets an alert, not even the ones who got an alert before.

    We couldn't find anything in the html code.

    Does somebody have some idea what it might be? Or the same experience?

    Thank you in advance!

  2. weltenbummlermag
    Member
    Posted 3 months ago #

    Ok, I forgot to mention my site: http://www.weltenbummlermag.de

  3. esmi
    Theme Diva & Forum Moderator
    Posted 3 months ago #

  4. weltenbummlermag
    Member
    Posted 3 months ago #

    Hey, thanks a lot for all the resources.

    But where in the scan report is it mentioned that my site might be hacked? I just see no threats found. ???

  5. esmi
    Theme Diva & Forum Moderator
    Posted 3 months ago #

    Right at the top:

    web site: http://www.weltenbummlermag.de/
    status: Site infected with malware
    web trust: Not Blacklisted

  6. weltenbummlermag
    Member
    Posted 3 months ago #

    That's crazy. I get exactly the opposite:
    web site: http://www.weltenbummlermag.de
    status: Verified Clean
    web trust: Not Blacklisted

    Does it have something to do with which kind of computer I use? I'm working with a Mac.

    Are you scanning it on windows?

    But as it scans the site, not my computer, it shouldn't play a role. Am I wrong?

  7. Sabinou
    Member
    Posted 3 months ago #

    I'll throw in another piece of advice besides Esmi's link; it may look trivial, but at times it helped me a whole lot: Firefox's Adblock Plus plugin.

    Open your infected website, right-click Adblock's icon in the status bar (control / to show that bar, you may configure Adblock Plus to make it display its icon down there), and ask Adblock to display the list of all blockable elements.

    That will show you the various elements that are loaded when your website URL is loaded. You'll notice stuff that will not even be visible when you ask your browser to display the source code of your webpage. You'll notice the problems more easily.

  8. esmi
    Theme Diva & Forum Moderator
    Posted 3 months ago #

    Am I wrong?

    Yes. sucuri.net scans your site - not me.

  9. Sabinou
    Member
    Posted 3 months ago #

    @Esmi: I also have another method to track where malware comes from. I always wondered if it wouldn't be worth including in some official help page.

    Could I ask you your opinion?

    It's an ugly, lengthy method, but it does miracles, allowing you to find EXACTLY what part of one's blog is loading malware. It worked several times on various websites.

    The requirement: to be able to systematically get an "infection !!" alert, with your antivirus software, with Adblock's list of blockable elements, or whatever software you like.

    - open your blog's homepage. Get the alert: good.
    - ask your browser for the source code of your blog, copy-paste it into your notepad (or any better text editor, all hail notepad++), save it as an .html file on your hard disk, let's say home.html
    - make sure that opening the .html file triggers the infection warning (it should)
    - now, using the text editor, split the html file in two halves, let's say home1.html and home2.html
    - open each of them one after the other in your browser: only one of them should trigger the infection warning
    - open again the html file triggering the infection warning, split it in halves again (like home2a.html and home2b.html)...
    ...
    - and split it in as many halves as required, until the moment there's only a very short block of code that is triggering the infection. In the end, you may need to hit F5 a few times to trigger the infection warning.
    At this point, this short block of code should be only the call for one precise plugin, or one WordPress function.
    -> And voilà, you've got your culprit, and you know where to investigate the source of the mess.
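
The halving procedure in the post above, automated as an added example (not part of the original post). The sample page, the `redirect.invalid` host and `stand_in_detector` are constructed stand-ins for the saved home.html and the antivirus alert; the trimming step covers the case where a cut lands inside the offending block so that neither half alone triggers.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample page; redirect.invalid is a placeholder host.
SAMPLE_PAGE = [
    '<html><head><title>Blog</title>',
    '<script src="/wp-includes/js/jquery.js"></script>',
    '</head><body>',
    '<div id="content">Post text</div>',
    '<ul class="bookmarks">',
    '<script>',
    'document.location="http://redirect.invalid/";',
    '</script>',
    '</ul>',
    '</body></html>',
]

def stand_in_detector(html: str) -> bool:
    """Hypothetical stand-in for the alert: fires only when an inline
    script block and the placeholder host appear together."""
    return re.search(r"<script>[^<]*redirect\.invalid", html) is not None

def bisect_trigger(lines: List[str],
                   triggers: Callable[[str], bool]) -> Tuple[int, int]:
    """Return (start, end), end exclusive, of a small block that still triggers."""
    join = "\n".join
    lo, hi = 0, len(lines)
    if not triggers(join(lines)):
        raise ValueError("the saved page does not trigger the detector")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if triggers(join(lines[lo:mid])):
            hi = mid                      # culprit is in the first half
        elif triggers(join(lines[mid:hi])):
            lo = mid                      # culprit is in the second half
        else:
            break                         # the cut split the culprit itself
    # Straddle case: drop one line at a time from each end while it still fires.
    while hi - lo > 1 and triggers(join(lines[lo + 1:hi])):
        lo += 1
    while hi - lo > 1 and triggers(join(lines[lo:hi - 1])):
        hi -= 1
    return lo, hi

if __name__ == "__main__":
    start, end = bisect_trigger(SAMPLE_PAGE, stand_in_detector)
    print("\n".join(SAMPLE_PAGE[start:end]))
```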

  10. weltenbummlermag
    Member
    Posted 3 months ago #

    @esmi: yes, sorry. That's what I meant, it does not play a role which system I'm working with.

    But do I get a different message from sucuri than you?

    I'll try the Firefox plugin suggested and the method suggested by Sabinou.

    THANKS SO FAR!

    Am I the only one getting "verified clean" message with sucuri (for my blog)?

  11. esmi
    Theme Diva & Forum Moderator
    Posted 3 months ago #

    What you've described sounds perfectly reasonable and logical to me but it doesn't cover hacker back doors - which can masquerade as a .jpg file in wp-content/uploads, for example. Have you read Otto's post on this (linked above)?
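
A check for the case esmi raises above, as an added example (not part of the original post): walk an uploads directory and flag files with an image extension whose leading bytes are not that image format or whose contents include a PHP open tag. The directory layout and file contents in `demo()` are constructed.

```python
import os
import tempfile

# Leading bytes expected for each image extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_image(path: str) -> list:
    """Return findings for one file; an empty list means nothing suspicious."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("bad-magic")      # extension says image, header disagrees
    if b"<?php" in data.lower():
        findings.append("php-tag")        # PHP open tag anywhere in the file
    return findings

def scan_uploads(root: str) -> dict:
    """Map each flagged file (path relative to root) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = check_image(path)
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = findings
    return report

def demo() -> dict:
    """Build a constructed uploads tree in a temp dir and scan it."""
    samples = {
        "2012/01/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2012/01/logo.jpg": b"<?php /* constructed placeholder */ ?>",
        "2012/02/banner.gif": b"GIF89a" + b"\x00" * 8 + b"<?PHP /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)
```

On a real site, point `scan_uploads` at a copy of wp-content/uploads; a flagged file is a lead to inspect by hand, not proof of compromise.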

  12. weltenbummlermag
    Member
    Posted 3 months ago #

    I will follow the links you mentioned as well.

  13. esmi
    Theme Diva & Forum Moderator
    Posted 3 months ago #

    it does not play role with system I'm working with.

    It shouldn't matter what system you or I am using. The scan site is completely independent of operating systems. I'm seeing an "all clear" on your site now but I got 2 very clear malware scan reports previously. On that basis, I think it would be best to proceed on the assumption that the site has been compromised.

  14. Sabinou
    Member
    Posted 3 months ago #

    I opened that website, and Avast popped me an alert, refusing to load the website altogether, reporting the presence of
    js:Redirector-NV [Trj]

    I'm not sure the URL will work since it's super long, so I shortened it with bit.ly, and I'm not sure it will work for someone other than me, but, who knows, here is the Avast report I got.
    http://bit.ly/y2IRwm

  15. weltenbummlermag
    Member
    Posted 3 months ago #

    ok. Thanks!
    I'll take it offline, as I can't work through the links right now (leaving for the weekend). I'll start on that when I'm back.

  16. weltenbummlermag
    Member
    Posted 3 months ago #

    Thanks to all for helping. The problem is fixed - the blog is online and clean. The Firefox add-on was helpful! And in the end I could find the modified file with the WordPress exploit scanner.

    The wp bookmark-template was modified by a hacker attack. That's so mean.

    Thanks once more!
