WordPress.org

Forums

malware issue (22 posts)

  1. webtechdev
    Member
    Posted 3 years ago #

    I removed this malware code from the top of my site's index.php files, including admin/index.php as well.

    [Code moderated.]

    But it is still coming up again and again.
    Any idea how I can get rid of it?
    thanks

  2. iheartlolcats
    Member
    Posted 3 years ago #

    Same here.. I delete it and it comes right back :/

  3. jlauro
    Member
    Posted 3 years ago #

    Seen a similar issue, and traced it to what appears to be a brute force attack on logging into wordpress (thousands of POST /wp-login.php from the same IP in access_log), and then access to the /wp-admin/theme-editor.php which proceeded to GET /wp-admin/theme-editor.php?file=/themes/classic/comments.php&theme=WordPress+Classic&dir=theme and then post a new one. That is the root program that updates the other files.

    After removing any additional PHP code you missed, to fix it (search for access to wp-admin in access_log), restrict wp-login.php, or at least /wp-admin/, to trusted IPs.

    Having site under version control also helps identify any changed files.
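A small detection script that implements the log analysis jlauro describes, added here as an example and not code posted in the thread: it counts POST /wp-login.php requests per client IP in a combined-format access_log, flags IPs above a threshold, and reports any theme-editor.php requests those same IPs then made. The log lines are constructed, and the threshold is an assumption (the post saw thousands of attempts; the sample run uses a small value).

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample access_log (not from the thread). One IP hammers
# wp-login.php and then opens and saves a theme file via theme-editor.php;
# a second IP uses the editor once without any brute-force history.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2012:16:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2012:16:40:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2012:16:40:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2012:16:40:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2012:16:41:10 +0000] "GET /wp-admin/theme-editor.php?file=/themes/classic/comments.php&theme=WordPress+Classic&dir=theme HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2012:16:41:35 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Feb/2012:16:42:00 +0000] "GET /wp-admin/theme-editor.php?file=style.css&theme=twentyten HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Feb/2012:16:42:30 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(log_text, login_threshold=100):
    """Return (brute_force_ips, editor_events, suspicious_editor_events).
    login_threshold is an assumed cut-off per IP; the thread saw thousands."""
    login_posts = Counter()
    editor_events = []
    for rec in parse(log_text.splitlines()):
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if rec["path"].startswith("/wp-admin/theme-editor.php"):
            editor_events.append((rec["ip"], rec["method"], rec["path"]))
    brute = {ip for ip, n in login_posts.items() if n >= login_threshold}
    # Editor use by an IP that also brute-forced the login is the post's sequence.
    suspicious = [e for e in editor_events if e[0] in brute]
    return brute, editor_events, suspicious

if __name__ == "__main__":
    brute, _, suspicious = analyse(SAMPLE_LOG, login_threshold=3)
    print("brute-force IPs:", sorted(brute))
    for ip, method, path in suspicious:
        print(f"{ip} {method} {path}")
```

The POST to theme-editor.php in the flagged set is the write that saves the altered theme file, which is what to look for when deciding which files to revert.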

  4. kmessinger
    Moderator
    Posted 3 years ago #

  5. jlauro
    Member
    Posted 3 years ago #

    Sorry, never meant to imply you can. The main fix was to lock down the point of entry not to just revert the files.

    That said, some of the steps listed in those are just shotgun approaches for if you don't know how the files were altered, and don't have some good way such as version control or differential backup comparison to tell what was altered, or log analysis tools, etc...

    You should still rebuild the server, change all the passwords, etc... However sometimes it's important to stop the problem and schedule the rest a little later.

    Just taking an immediate shotgun approach isn't perfect either, because if you are dealing with a 0-day exploit, you could be just as open after all that work of rebuilding. So it is still important to figure out what happened and know how to block it.

  6. 1xxooxx
    Member
    Posted 3 years ago #

    Warning: Something's Not Right Here!
    xxxxMY-WEBSITExxxxxx.com contains content from jqbttmjdxx.ddns.ms, a site known to distribute malware. Your computer might catch a virus if you visit this site.
    Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
    We have already notified jqbttmjdxx.ddns.ms that we found malware on the site. For more about the problems found on jqbttmjdxx.ddns.ms, visit the Google Safe Browsing diagnostic page.

  7. 1xxooxx
    Member
    Posted 3 years ago #

    On Sun, Feb 19, 2012 at 4:55 PM, WordPress <wordpress@xxxMY-WEBSITExx.com> wrote:

    This notice is to inform you that someone at IP address 216.21.58.26 tried to login to your site "MY WORDPRES BLOG" and failed.

    The targeted username was Admin

    The IP address has been blocked for 60 minutes.

    We recorded 4 different IPs trying to access our "admin" account. Only one (that we know of) got through.

  8. Deleted the <script> stuff as you're making the spam filter flip out.

    Please post that on PASTEBIN.COM

  9. j0hnnyb0y
    Member
    Posted 3 years ago #

    Here is information regarding that specific malware... At the bottom there is a removal guide that helped me out.

    [Link removed]

    If all else fails, the company that wrote the article removes malware.

  10. tburdeinei
    Member
    Posted 3 years ago #

    J0nnyboy- that site has malware in it.

  11. kmessinger
    Moderator
    Posted 3 years ago #

    Where did this post go? [edit] Nevermind :^)

    tburdeinei wrote:

    J0nnyboy- that site has malware in it.

    tburdeinei is correct.

  12. j0hnnyb0y
    Member
    Posted 3 years ago #

    The site does not contain malware.. The content in the post contains snippets which are wrapped in code blocks.

    It's not even reported.

  13. esmi
    Forum Moderator
    Posted 3 years ago #

  14. j0hnnyb0y
    Member
    Posted 3 years ago #

    esmi, all Sucuri does is parse the page... if that was truly a malware infection it would not even be able to read that, because that code snippet is written in PHP and wrapped in code tags. Sucuri can only detect client-side malware and compare domain hashes to the Google Safe Browsing API.

    The site is clean.

  15. kmessinger
    Moderator
    Posted 3 years ago #

    It also set off my virus software - Exploit:JS/Blacole.BV

  16. tburdeinei
    Member
    Posted 3 years ago #

    I just verified j0hnnyb0y's statement by wget and reading the code. It is the exploit code, but not active, wrapped in code blocks so you can see an actual example of what you are looking for. Your (and my) antivirus/malware software isn't smart enough to tell that it's not going to be parsed and run by the browser.

  17. j0hnnyb0y
    Member
    Posted 3 years ago #

    Yup... there is a snippet of that on there too. Since its inception, I have been following the site. I am a security consultant, and I met these guys at a conference.

    None of the snippets even execute. Therefore there is no threat.

  18. j0hnnyb0y
    Member
    Posted 3 years ago #

    What happened to tburdeinei's post?

    tburdeinei wrote:

    I just verified j0hnnyb0y's statement by wget and reading the code. It is the exploit code, but not active, wrapped in code blocks so you can see an actual example of what you are looking for. Your (and my) antivirus/malware software isn't smart enough to tell that it's not going to be parsed and run by the browser.

  19. kmessinger
    Moderator
    Posted 3 years ago #

    What happened to tburdeinei's post?

    There is a lag. Same thing happened with his first post. Give it some time.

  20. j0hnnyb0y
    Member
    Posted 3 years ago #

    kmessinger have you seen any infections like this out in the wild?

    This last week I came across 19 individual infections and 2 server wide infections. In regards to the server infections, one of those malicious plugins actually created a cron job that was copying the malware to every index.php, index.html, default.html, and main.html file in the webroot.

    Just wondering how many people have been dealing with this one in particular...

  21. kmessinger
    Moderator
    Posted 3 years ago #

    kmessinger have you seen any infections like this out in the wild?

    It seems more and more troubles are showing up here but I haven't hit any in my daily use of the web. I'm just an average user.

  22. j0hnnyb0y
    Member
    Posted 3 years ago #

    Just to help out... this is the link to the removal guide instead of the page with the malware snippets. Don't want to go through that confusion again :X

    http://www.malfarmed.com/blog/step-by-step-wordpress-malware-removal/

Topic Closed

This topic has been closed to new replies.
