How do I find and remove a virus

  • I found out my blog has a virus, because the company network for my day job won’t let it open. I get a message at work that it has a virus or malware.

    But, I can view my blog and work in WP-Admin without any problem at home. When I open a FeedBurner email the Avira anti-virus software bleeps and says the feed has JS Agent.1366.

    Does anyone know how I can find and remove this? Any help will be appreciated because I don’t know what steps to take. Will upgrading to 2.6 fix this? Should I find and remove the virus before upgrading to 2.6? Thanks.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Thanks for the link. I’ll check it out.

    I read all of the instructions on http://www.malwareremoval.com and it appears that they will check and repair my home desktop computer. But, I have antivir antivirus software on my home computer and it runs automatically every night. I may be misunderstanding something, but it seems to me that the infected files are on my host’s server either in the WordPress installation or in the MySQL server installation. What steps should I take to clean the host server files? Thank you.

    “Does anyone know how I can find and remove this”

    http://wordpress.org/search/2.5.1+hacked+?forums=1

    http://wordpress.org/search/virus?forums=1

    The link to the infected files, or the code setting off virus detection, is most likely planted firmly in your own website. 2.5.1 is a version of WordPress with documented security weakness.

    Post a link to the site in question, please.

    The site is hXXp://coalgasificationnews.com

    Should I update to 2.6 immediately or try and find the infected file beforehand?

    Thanks.

    Updating won’t fix the problem. It may close a hole, but it won’t remove the threat. Do you need to update? Yes. Should you do it now? It’s up to you.

    Take a look at these:
    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://coalgasificationnews.com/

    My guess, and it’s only a guess, without scouring your site post for post, is that somewhere there may be one or more unwanted iframes injected. Perhaps someone else can confirm if that is likely or not in this case.

    As a side note, I went to see if I could find the last cached page that may have set off Google, hoping to zero in on the offending post if it exists, and I can find no cached pages of your site. I don’t know if that is Google related, or if they really aren’t being cached, but here is your robots.txt file if you are concerned about that as well.

    User-agent: *
    Disallow:

    <!-- Page not cached by WP Super Cache. No closing HTML tag. Check your theme. -->

    Thank you, that explains why my day job company network will not let the website open and displays the “dangerous site” warning. What is the best way to find the malicious iframe code?

    Can I ftp the site to my desktop and run a virus software? Should I search for a text string with ‘iframe’.

    I appreciate your help.

    re: WP Super Cache – I attempted to install the WP Super Cache plug-in but my host servers are not set up properly for Super Cache and the plug-in wouldn’t run.

    What is an iframe and what is the best way to find the code?

    Time for a few hours of Google search and catching up on the basics. An iframe is HTML code. It allows one to “frame” content from one source and show it at another location. Long story short, you could show content from my site on your site using an iframe. When the frame size is set to “1” by “1”, it becomes invisible to the naked eye.

    “Can I ftp the site to my desktop and run a virus software”

    If it is an iframe, it is only pointing to a malicious location, and, in and of itself, it is not a virus. For most purposes, that is probably ineffective. But I won’t go so far as to say that scanning your files for anything that may trigger anti-virus is a bad idea.

    “Should I search for a text string with ‘iframe’.”

    That may be a help, if you search the posts and comments tables in your database, it may pop up, if it is the problem. Not all iframes are bad. But people are usually well aware of the legit ones.

    I’m afraid at this point, you have some reading to do, and I am quickly approaching the limits of my knowledge on the subject. I hope you find the culprit.

    Good luck to you.
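The search suggested in the reply above, as an added example that is not part of the original thread: it lists every iframe in exported post and comment HTML and notes which ones would be invisible (a 1 by 1 frame, or one hidden by style). It assumes you have already exported the content columns (in a default WordPress install, `post_content` from `wp_posts` and `comment_content` from `wp_comments`) as (label, html) pairs; the sample rows and hostnames are constructed.

```python
import re
from html.parser import HTMLParser

class _IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with the reasons it would be invisible."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {name: (value or "") for name, value in attrs}
        reasons = []
        for dim in ("width", "height"):
            m = re.match(r"\s*(\d+)", attr.get(dim, ""))
            if m and int(m.group(1)) <= 1:      # 0 or 1 pixel: not visible
                reasons.append(f"{dim}={m.group(1)}")
        style = re.sub(r"\s+", "", attr.get("style", "")).lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        self.frames.append((attr.get("src", ""), reasons))

def find_iframes(rows):
    """rows: iterable of (row_label, html). Returns one dict per iframe found."""
    found = []
    for label, html in rows:
        parser = _IframeCollector()
        parser.feed(html)
        parser.close()
        for src, reasons in parser.frames:
            found.append({"row": label, "src": src, "invisible": reasons})
    return found

# Constructed sample rows standing in for exported posts and comments.
SAMPLE_ROWS = [
    ("post 12", '<p>Plant update</p><iframe src="http://video.example.invalid/embed/1" '
                'width="480" height="270"></iframe>'),
    ("post 31", '<p>News</p><IFRAME SRC="http://unknown.example.invalid/in.html" '
                'WIDTH=1 HEIGHT=1></IFRAME>'),
    ("comment 7", 'nice post <iframe src="http://unknown.example.invalid/x" '
                  'style="display: none"></iframe>'),
    ("post 40", "<p>No frames here.</p>"),
]

if __name__ == "__main__":
    for hit in find_iframes(SAMPLE_ROWS):
        flag = ", ".join(hit["invisible"]) or "visible"
        print(f'{hit["row"]}: {hit["src"]} ({flag})')
```

Visible iframes are listed too, since not all of them are bad; the ones with a non-empty `invisible` list are the ones to check against what you remember embedding.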

    I’m going to check out all of the posts tonight. Thanks for the assistance.

    Hi,

    Upgrade to the latest version of WordPress is a must. Unfortunately, it won’t fix your issue.

    Hackers have added conditional redirects to your site. When new users come to your blog from search engines, a chain of redirects occurs.

    89. 28 .13 .202/in .html?s=ix ->
    viewallclicks .com /soft .php?aid=0147&d=6&product=XPA&refer=bb1f0c2b3
    pro-scan-online .com/ 2009/1/freescan.php?nu=880147

    You can see this chain of malicious redirects in this report:
    http://www.unmaskparasites.com/security-report/?page=www.coalgasificationnews.com
    (sometimes it may not work, when your server is too slow)

    What you should do is check your .htaccess file and WordPress .php files (including theme files) for conditional redirects and remove them.

    Then change all passwords and upgrade WordPress.

    I’m cleaning files and updating WordPress today. Thanks.

    I have located the problem and it appears to be repaired. The link above (http://www.unmaskparasites.com/security-report/?page=www.coalgasificationnews.com) now checks out OK and the links it reports are legitimate links in my posts.

    The 3rd time I called my web host, I got lucky and talked to a technical service rep who said that he thought he knew what the problem was, because he’s been seeing a lot of it. For the benefit of others that may have this problem, I will provide the details:

    The technical service rep said that the malware is being spread through Google, MSN, Yahoo during searches and when you click on a link it loads on your desktop machine. Then the malware sits there until you ftp some files. When I ftp’d some files to my website it captured my ftp information including password and installed on my website.

    The malware installs a htaccess file in the root directory with the redirect code. It was easy to tell the htaccess file was malware, because it was blank when opened, but if you scrolled down the redirect code was there at the very bottom.

    The fix was to (1) delete the bad htaccess file(s) in the root directory. In my case there were several, because I have more than one website. (2) Change the ftp password for the account. (3) The technical service rep said to go to http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009/ and follow the directions. This is freeware and I ran the scan as directed and it discovered – TrojanZolb. FYI – I ran a complete scan using both Avast and Antivir the day before and neither of these found TrojanZolb.

    Thanks to all for the help. I hope this helps others.
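The two .htaccess checks described in this thread (look for conditional redirects, and look for a file that appears blank with directives far below), as an added example that is not part of the original posts. It walks a local copy of the web root, so it covers several sites under one account; the 20-line padding threshold, the sample files and the hostname in them are constructed assumptions, and a flagged file still needs a manual read.

```python
import os
import re

# A rewrite that only fires for certain referrers (e.g. search engines).
REFERER_COND = re.compile(
    r"^[ \t]*RewriteCond[ \t]+%\{HTTP_REFERER\}[ \t]+(\S+)", re.I | re.M)
# A rewrite or redirect whose target is an absolute URL on another host.
EXTERNAL_TARGET = re.compile(
    r"^[ \t]*(?:RewriteRule|Redirect(?:Match)?)\b[^\n#]*?[ \t](https?://\S+)",
    re.I | re.M)
PADDING_LINES = 20  # assumption: this many blank lines in a row is padding

def inspect_htaccess(text):
    """Return the reasons this .htaccess content deserves a manual look."""
    findings = []
    run = longest = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    if longest >= PADDING_LINES:
        findings.append(f"{longest} consecutive blank lines hide the directives")
    for m in REFERER_COND.finditer(text):
        findings.append(f"rewrite conditioned on referrer: {m.group(1)}")
    for m in EXTERNAL_TARGET.finditer(text):
        findings.append(f"redirect to external URL: {m.group(1)}")
    return findings

def scan_tree(root):
    """Map every flagged .htaccess under root to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = inspect_htaccess(fh.read())
            if findings:
                report[path] = findings
    return report

# Constructed samples: a stock WordPress file and a padded, tampered one.
SAMPLE_CLEAN = ("# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n"
                "RewriteRule . /index.php [L]\n# END WordPress\n")
SAMPLE_TAMPERED = "\n" * 300 + (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*(google|yahoo|msn).*$ [NC]\n"
    "RewriteRule .* http://redirect.example.invalid/in.html [R,L]\n")

if __name__ == "__main__":
    for reason in inspect_htaccess(SAMPLE_TAMPERED):
        print(reason)
```

Run `scan_tree()` on a downloaded copy of the account's web root; a legitimate redirect to another host is reported as well, so compare each finding with the rules you added yourself.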

    If your website is infected, cleaning it manually would be really difficult for large websites. Here is one site that gives detailed technical information and some automated removal procedure as well:

    http://paramprojects.com/website/badwarefaq
