Malware on my wordpress blog - need help! (2 posts)

  1. gaylea
    Posted 6 years ago #

    I am really hoping someone with experience in this can help me.

    I have got the iframeF-MalF malware on my blog and I can't log in to the back end at all (if you log in - after logging in the screen goes white/blank and just stays that way - forevermore!!).

    After doing lots of research on the internet I downloaded the entire site to my computer and using notepad (a nonexecutable program) found the following code eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCd - blah, blah goes for 25 lines............ inserted into the top of many pages - including all themes especially.

    As you can imagine I have also made sure there is no local infection on my computer (have used programs like malwarebytes, a-squared emsi, ad-aware, spybot, zemana anti-logger - you name it!!)

    I could not find the iframe malware even though I did do a "find/search" to locate them (all iframes were legitimate).

    Before I got completely shut out of the back end I found someone had hacked in and set themselves up as a user with admin rights (which I deleted).

    I have downloaded the log files from my ftp and I have NOT been hacked via FTP.

    So I have since cleaned through EVERY SINGLE FILE - gotten rid of the eval(base64 stuff from EVERY PAGE... then I re-uploaded the entire site last night but two of my anti-mal programs STILL give me the error message that I have got the iframe malware on there and I STILL CAN'T LOG INTO THE BACK END.

    Any experienced advice would be graciously received right now.

    Many Thanks Gaylea

  2. Len
    Posted 6 years ago #

    Hi gaylea,

    Sucks doesn't it? Unfortunately the rogue code could be in ANY file - theme files, uploads folder, WordPress core files, the database itself. You have some work to do.

    Try reading through some of these links. Lots of good info can be gleaned from them.


    As to how the attacker got in it could be any number of ways. It may be a vulnerable plugin, your FTP credentials may have been compromised, perhaps there is malware on your very PC which allowed the attacker access to login info etc. Are you on shared hosting? If so, they could have successfully attacked your site by first breaching another on the server.

    Study your server logs for any hints. And peruse the links I gave you.
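
Added example, not part of the original thread: a read-only scan of a downloaded copy of the site for the `eval(base64_decode("..."))` injection described in the first post, decoding each payload for inspection without ever executing it. The prefix quoted in that post, `aWYoZnVuY3Rpb25fZXhpc3RzKCd`, decodes to `if(function_exists('`, so a plain-text search for "iframe" will not match anything that is still encoded. The names `scan_file`, `scan_tree` and `build_sample` are hypothetical, and the sample tree and payload are constructed for the demonstration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# eval(base64_decode('...')) with either quote style and optional whitespace.
INJECT_RE = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""")

def scan_file(path):
    """Return one finding per injected call; payloads are decoded, never run."""
    data = Path(path).read_bytes()
    findings = []
    for m in INJECT_RE.finditer(data):
        try:
            decoded = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except (binascii.Error, ValueError):
            decoded = b""  # malformed blob: still reported, with empty text
        findings.append({
            "file": str(path),
            "offset": m.start(),
            "at_top": m.start() < 64,  # injected at the head of the file
            "has_iframe": b"<iframe" in decoded.lower(),
            "decoded": decoded.decode("utf-8", "replace"),
        })
    return findings

def scan_tree(root):
    """Scan every file under root, whatever its extension (themes, uploads, core)."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hits.extend(scan_file(p))
    return hits

def build_sample(root):
    """Constructed sample: one injected theme file and one clean file."""
    payload = (b"if(function_exists('ob_start')){echo "
               b"'<iframe src=\"http://example.invalid/\"></iframe>';}")
    blob = base64.b64encode(payload).decode()
    theme = Path(root, "wp-content/themes/sample")
    theme.mkdir(parents=True)
    (theme / "header.php").write_text(
        '<?php eval(base64_decode("%s")); ?>\n<?php get_header(); ?>\n' % blob)
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan_tree(build_sample(tmp)):
            print(hit["file"], hit["offset"], "top" if hit["at_top"] else "inline",
                  "iframe" if hit["has_iframe"] else "-", hit["decoded"][:60])
```

This covers files only; content stored in the database, which the reply also names as a possible location, needs a separate search.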
