Update:
(1) I have scanned offline (after downloading all files with FTP) with several scanners (Malwarebytes, Sophos, and Bitdefender) – no infection found.
(2) several online scans, e.g.:
- wpscans (nothing found),
- VirusTotal (Bitdefender: malware, Quttera: suspicious),
- siteguarding: jquery.js?ver=1.12.4 roguads.unwanted_ads?9.4, the same on jquery-migrate.min; even after re-installing the original files!! And found redirect?crypper.1.3 on files which don't exist, like 4040testpage…, 4040javascript.js, or on wpsite/de/
- redirects (nothing found) besides one blacklist (malware: Bitdefender) at Yandex (I already signed up for a re-check there)
- Google safe Browsing Check: nothing found
- webInspector: nothing found
- quttera: only potential found at /?share=google-plus-1 on two files
Maybe this helps. I also scanned my website with some payload advice. But couldn’t find any infections.
Looking for some advice?
Thanks in advance
This reply was modified 7 years, 11 months ago by xaver06.
I have done that too.
checked code for e.g. eval($_POST – nothing found, global $wpdb; – nothing unusual found, strrev command – nothing unusual found
db: wp_commentmeta & comments – 0 entries 0kb
DB Scan – Search
base64_decode – nothing unusual
gzdecode – nothing unusual
exec – nothing unusual
Nothing found of what Sucuri says is infected. Here, in my case, it says: amsorry.tk is forcing a lot of errors.
I just tried to access your website and got immediately redirected to another website that contains code written in JavaScript used to trick people into thinking that their computer got infected with a virus. Here is a copy of the code in case it gets deleted [1].
The only thing I can recommend right now is:
- Put your website in maintenance mode while you continue the investigation
- Get rid of the redirection which I believe is part of the infection
- Compare the source code for the WordPress files with a regular installation to see if there are differences
- Reset all the plugins and themes that you have installed with a fresh copy from the WordPress repositories
- Keep 3rd-party plugins and themes disabled for now
- Download a copy of your database and reset all the data
- Then start activating the plugins and themes one at a time
- Migrate the tables in the database from the backup, one by one
- Each time you migrate something, scan the website
Trial and error is the only way I can offer you right now to find the source of the infection. There are thousands of different ways to hide malicious code. I cannot give you better advice without having access to the code and database. See if you can get any assistance from your hosting provider; maybe they can run some scanner on the server as well. Sometimes the malware is directly embedded in the web server modules.
[1] https://pastebin.com/raw/DLHa7jKe
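The "compare the source code with a regular installation" step above can be automated by hashing both trees. This is an added example, not part of the original post: the function names, the sample file contents and the `extra.js` file are constructed for illustration, and it assumes the clean tree is an unpacked WordPress archive of the same version as the site.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(clean_root, site_root):
    """Return (modified, added, missing) relative paths, each sorted."""
    clean, site = hash_tree(clean_root), hash_tree(site_root)
    modified = sorted(f for f in clean.keys() & site.keys() if clean[f] != site[f])
    added = sorted(site.keys() - clean.keys())
    missing = sorted(clean.keys() - site.keys())
    return modified, added, missing

def build_sample(base):
    """Constructed sample: a 'clean' tree and a 'site' tree with two differences."""
    files = {
        "wp-includes/js/jquery/jquery.js": b"/* jquery 1.12.4 */\n",
        "wp-includes/js/jquery/jquery-migrate.min.js": b"/* migrate */\n",
        "wp-login.php": b"<?php // login\n",
    }
    for tree in ("clean", "site"):
        for rel, data in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    # Constructed tampering: one core file altered, one unexpected file added.
    tampered = Path(base, "site", "wp-includes/js/jquery/jquery.js")
    tampered.write_bytes(tampered.read_bytes() + b"/* appended */\n")
    Path(base, "site", "wp-content").mkdir()
    Path(base, "site", "wp-content", "extra.js").write_bytes(b"// unknown\n")
    return Path(base, "clean"), Path(base, "site")

def demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_sample(base))

if __name__ == "__main__":
    modified, added, missing = demo()
    for label, paths in (("MODIFIED", modified), ("ADDED", added), ("MISSING", missing)):
        for rel in paths:
            print(f"{label:9}{rel}")
```

On a real site, `wp-config.php`, uploads and installed plugins and themes will legitimately show up as added, so the entries worth reviewing first are modified core files and unexpected script files.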
@yorman
A big “thank you” for all your advice!
I was able to fix the problem, as Sucuri site scanner and Yandex told me. Not really knowing what I have done right.
Considering your suggestions and reviewing file by file with some tools (I was using Beyond Compare) to compare each file side by side. Forced re-install of all plugins and checked my theme and also deleted unused themes by WordPress. Just keeping one, for security reasons.
My last change was deleting one file within the Formidable Forms plugin, called frm.min.js; but I am not sure if this was the file causing all the problems.
Again thanks for your support!
Cheers and greetings from Salzburg, Austria
This reply was modified 7 years, 11 months ago by xaver06.
Perfect! I am glad you were able to fix the issue 🙂
Moderator Jan Dembowski (@jdembowski), Forum Moderator and Brute Squad
If you need support for this plugin then per the forum guidelines please start your own topic.
https://wordpress.org/support/guidelines/#post-in-the-best-place
You can do so here.
https://wordpress.org/support/plugin/sucuri-scanner/#new-post
If you do create a support topic, do not post any code samples of malware here.