
My site says reported attack

  • http://www.maryse-ouellet.com

    My site says reported attack. Google’s saying there’s

    Of the 3 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-08-14, and the last time suspicious content was found on this site was on 2011-08-14.

    Malicious software includes 3 scripting exploit(s), 2 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

    Malicious software is hosted on 2 domain(s), including orjnfj.com/, numudozaf.com/.

    1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including numudozaf.com/.

    This site was hosted on 1 network(s) including AS36351 (SOFTLAYER).

    I’m not sure if it’s because of WP but I saw something online saying it could be and I’m not sure what to do. I don’t want to lose my site.

Viewing 15 replies - 1 through 15 (of 22 total)
  • Do a scan: http://sitecheck.sucuri.net/scanner/

    But it’s possible that your server or software have been compromised.

    Sucuri
    web site: http://www.maryse-ouellet.com
    status: Site infected with malware
    web trust: Site blacklisted.

    Blacklisted javascript included on:
    http://maryse-ouellet.com/
    Javascript included from a blacklisted domain.
    Details: http://sucuri.net/malware/entry/MW:BLK:2
    Javascript: maryse-ouellet.com

    That’s what it says, I’m not sure what that means.

    Amada, first, check your computer for malware, then, when you’re certain you’re clean, change your website passwords (especially FTP, this may be a variant of gumblar); then, in your FTP, check every folder and subfolder and sub-subfolder (and so on) of your site, for these files:

    • index.html
    • index.php5
    • auth.php
    • index.php
    • home.php
    • showthread.php

    If you edit them, you’ll find that they’ve had a <script> injected into them; in the PHP/PHP5 files, it’ll be the last line(s), after the ?>; in the HTML files, it’ll be just before the closing </body> tag – remove those. Be thorough about it – it’s tedious work, but it pays off.

    Ack, a kindgom for an edit button! I forgot to add (albeit kind of obvious): If you sort your files in your FTP by date, then you can find the infected files easier, they’ll have timestamps denoting a change today.

    May I ask who your host is? The sites of a friend of mine were infected, all hosted by Gridstar, hence the enquiry. (It’s unlikely that has anything to do with it, but right now we’re still trying to figure out what exactly happened).
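The file check described in the post above (a `<script>` appended after the closing `?>` of a PHP file, or placed just before `</body>` in an HTML file) and the follow-up tip about sorting by modification date can both be automated once the site has been downloaded over FTP to a local folder. The script below is an added example written for this thread, not code from the original posts or from WordPress; it builds a small constructed sample tree (the `malware-host.invalid` URL and the timestamps are made up) so it runs offline, and the list of suspect file names is the one given in the post.

```python
"""Detect the injected <script> placements described in the thread and list recently changed files.

Added example: assumes the site's files were copied to a local directory and checks the
two placements the post names (after the last ?> in PHP files, right before </body> in HTML).
"""
import os
import re
import tempfile
from pathlib import Path

# File names the post says to check (taken from the thread).
SUSPECT_NAMES = {"index.html", "index.php5", "auth.php", "index.php", "home.php", "showthread.php"}

# A <script> block sitting after the final ?> of a PHP file ("the last line(s), after the ?>").
PHP_TAIL_RE = re.compile(r"\?>\s*(<script\b.*?</script>)\s*\Z", re.IGNORECASE | re.DOTALL)
# The last <script> block immediately before </body> in an HTML file.
HTML_BODY_RE = re.compile(r"(<script\b(?:(?!<script\b).)*?</script>)\s*</body>", re.IGNORECASE | re.DOTALL)


def find_injection(text, name):
    """Return the suspicious <script> snippet for one file's text, or None if the placement is absent."""
    regex = PHP_TAIL_RE if name.endswith((".php", ".php5")) else HTML_BODY_RE
    m = regex.search(text)
    return m.group(1) if m else None


def scan_tree(root):
    """Recursively check every suspect-named file under root; return {relative path: snippet}."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name in SUSPECT_NAMES:
            snippet = find_injection(path.read_text(errors="replace"), path.name)
            if snippet:
                hits[path.relative_to(root).as_posix()] = snippet
    return hits


def recently_changed(root, since_epoch):
    """Files under root modified at or after since_epoch, newest first (the 'sort by date' tip)."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file() and p.stat().st_mtime >= since_epoch]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.relative_to(root).as_posix() for p in files]


def build_sample_site():
    """Constructed sample tree (not real site content): one clean PHP file, two injected files."""
    root = Path(tempfile.mkdtemp(prefix="sitecheck_"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    (theme / "home.php").write_text(
        "<?php get_header(); ?>\n<script src=\"http://malware-host.invalid/x.js\"></script>\n")
    (root / "index.html").write_text(
        "<html><head><script src=\"/js/site.js\"></script></head>\n<body><p>hi</p>\n"
        "<script>document.write(unescape('%3Cscript src=...'))</script></body></html>\n")
    (root / "readme.txt").write_text("nothing to see\n")
    old = 1_313_000_000            # constructed 'old' mtime for untouched files
    new = old + 86_400             # constructed 'today' mtime for the modified files
    for p in (root / "index.php", root / "readme.txt"):
        os.utime(p, (old, old))
    for p in (root / "index.html", theme / "home.php"):
        os.utime(p, (new, new))
    return root, old + 1


SAMPLE_ROOT, SAMPLE_SINCE = build_sample_site()

if __name__ == "__main__":
    for rel, snippet in scan_tree(SAMPLE_ROOT).items():
        print(f"INJECTED  {rel}: {snippet[:70]}")
    for rel in recently_changed(SAMPLE_ROOT, SAMPLE_SINCE):
        print(f"CHANGED   {rel}")
```

Both checks are heuristics: a theme may legitimately load a script right before `</body>`, so each hit still needs a look at what the tag actually loads, and a file list sorted by date only helps if the attacker did not reset timestamps. Point `scan_tree` and `recently_changed` at the downloaded copy of the site and at the time of the last known-good change.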

    …kingdom^. I’ll just shoot myself now.

    The edit button is under your ‘posted X ago’ and is available for 60 minutes from your post 😉

    My host is hostgator and like you mentioned, something happened because it wasn’t only my site on the server, it happened to others and the hosts are not particularly making it a priority. I will do what you said to do and see if I can help resolve it quicker. I appreciate your help very very much. Hopefully I can find this.

    It looks as if someone was in the index pages as they all have 08/14 as the last date but I am not finding any scripts.

    I will keep looking, thanks again, I hope this gets resolved, it is irritating and makes me upset.

    Amada – Same to you. PLEASE don’t double post like that, you make our spam filter get worried.

    My host is hostgator and like you mentioned, something happened because it wasn’t only my site on the server, it happened to others and the hosts are not particularly making it a priority.

    Are you using TimThumb as a plugin or theme? There’s a known security hole with that.

    Sorry…

    And no I don’t have that as a plugin or theme.

    @amada: Thanks for the heads-up with your host, it’s somewhat ‘soothing’ to know it’s not an issue of a specific host, even if that implies a bigger problem.

    (I should probably add this doesn’t look like a WordPress vulnerability, either, this happened to sites without WordPress, also. Most of the ones my friend had weren’t WordPress; three of them didn’t even share a webspace with a WordPress installation. My money is still on a gumblar derivate.)

    Amada,

    We are having this problem too.

    I can confirm it’s not a WordPress security hole. We have a dedicated server, and we don’t even run a hint of WordPress on our servers.

    However, being that I actually know how to locate the source of security problems, I wasn’t going to just sit around and let support try and figure it out while our sales plummeted. So I just finished working with SoftLayer Live Support to determine the root cause of the problem.

    It appears there is malware which is using a brute force attack via FTP to gain access to and modify your files.

    We have multiple servers – all of which have very strong passwords and were attacked within the span of a single day. We checked the SSH logs and, fortunately, there was no SSH access. However, based on the FTP log activity, we were able to determine the type and nature of the attack.

    Finally, we reach the IP address you’ll need to ban:

    204.12.252.138

    This was the IP address responsible for the script injections on our dedicated server. It may be some variant for your own server.

    However, SoftLayer says I need clearance to get an IP banned.

    I sent the live support chat log and how we were able to deduce the source of the problem to their ticketing system.

    If you want to message me or discuss this further, send an email to rogjunk@gmail.com

    That’s my junk email inbox, but I’ll reply with my real email address.

    Cheers.
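The poster above found the root cause by reading the FTP log: a burst of failed logins from one client followed by a successful login and then the file modifications. The script below is an added example, not code from the thread or from SoftLayer; it runs that kind of check over constructed log lines modelled on vsftpd's `vsftpd.log` format (other FTP daemons log differently, so the regex is an assumption about the server), flags any client that fails more than a threshold of logins inside a time window, and notes whether that client later logged in successfully, which is the sign a password was guessed. The IP addresses and user names in the sample are documentation values, not the one reported in the thread.

```python
"""Find FTP brute-force clients in a log and report whether they eventually got in.

Added example. Log lines are constructed and modelled on vsftpd's log format; the
threshold (5 failures) and window (10 minutes) are assumptions to tune per server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$')

# Constructed sample log: one client guessing names, one legitimate user who mistyped once,
# one client with two isolated failures hours apart.
SAMPLE_LOG = """\
Sun Aug 14 03:11:02 2011 [pid 4811] [admin] FAIL LOGIN: Client "192.0.2.77"
Sun Aug 14 03:11:05 2011 [pid 4813] [root] FAIL LOGIN: Client "192.0.2.77"
Sun Aug 14 03:11:09 2011 [pid 4815] [webmaster] FAIL LOGIN: Client "192.0.2.77"
Sun Aug 14 03:11:40 2011 [pid 4820] [siteowner] FAIL LOGIN: Client "198.51.100.5"
Sun Aug 14 03:11:44 2011 [pid 4821] [siteowner] OK LOGIN: Client "198.51.100.5"
Sun Aug 14 03:12:01 2011 [pid 4830] [test] FAIL LOGIN: Client "192.0.2.77"
Sun Aug 14 03:12:07 2011 [pid 4832] [siteowner] FAIL LOGIN: Client "192.0.2.77"
Sun Aug 14 03:12:13 2011 [pid 4834] [siteowner] OK LOGIN: Client "192.0.2.77"
Sun Aug 14 09:40:12 2011 [pid 5201] [ftpuser] FAIL LOGIN: Client "203.0.113.9"
Sun Aug 14 21:03:55 2011 [pid 6107] [ftpuser] FAIL LOGIN: Client "203.0.113.9"
""".splitlines()


def parse(line):
    """Return (timestamp, user, result, ip) for a login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def detect_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: report} for clients with at least max_failures FAIL LOGINs inside one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            events[rec[3]].append(rec)

    reports = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r[0])
        fails = [r for r in recs if r[2] == "FAIL"]
        burst = False
        for i, start in enumerate(fails):          # sliding window over failures
            j = i
            while j < len(fails) and fails[j][0] - start[0] <= window:
                j += 1
            if j - i >= max_failures:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0][0]
        success = next((r for r in recs if r[2] == "OK" and r[0] >= first_fail), None)
        reports[ip] = {
            "failed_attempts": len(fails),
            "users_tried": sorted({r[1] for r in fails}),
            "later_success": success is not None,   # a guessed password, not just noise
            "success_user": success[1] if success else None,
        }
    return reports


def deny_rule(ip):
    """Host firewall rule to drop further FTP connections from a flagged client (iptables syntax)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP"


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
        print("  ", deny_rule(ip))
```

A client that bursts failures and then logs in is the case that matters: the account it succeeded on is the one whose password must be changed (from a clean machine, as advised earlier in the thread), and its modification times in the FTP transfer log mark the files to inspect. Clients that only fail are noise until they succeed, but still worth rate-limiting.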

    Guys, just so you know, there’s a thread on Google Webmaster Central’s “Malware & hacked sites” forum, too, in case someone wants to take a look at that.

  • The topic ‘My site says reported attack’ is closed to new replies.