Site Hacked - Java Applet Installed Somewhere (6 posts)

  1. echofloripa
    Posted 3 years ago #


    I am using wordpress in my server, last version (3.3.1)

    A few days ago I noticed that someone created an account in my blog, I received an email, but didn't pay much attention to it. Later I saw the name of the user was root and it had the administrator role

    I was then told by a reader of my blog that the browser was notifying that the blog had a malicious script.

    I had taken the blog down since then (two days), just got it back now to better analyse and ask for help here.

    The URL is:

    There is no change to the file system since the day the user was created. I was backing up all DBs in my server, but unfortunately it seems that my backup script called via cron wasn't working properly.

    I couldn't find any clue in the source of the malicious call to the malicious java applet. Neither where is is located in the blog. I checked the posts, and couldn't find any change done to them. The java applet shows up in every single page int he blog, main page and post pages.

    I already read the help pages on hacking but nothing helped to find the culprit.

    help please....

  2. The Hack Repair Guy
    Posted 3 years ago #

    I've done a quick malware scan of your website and I see no obvious malware. Are you sure you are running the latest version of WordPress?

    In my scan it shows some older version of WordPress installed. Recommend you go to Updates then re-install to start.

    Then I recommend you create a new Admin account then set all others to a lower setting.

    Once done, updating your secret keys won't hurt as well.
    Google this to learn more: WordPress.org secret-key service

  3. bstharp
    Posted 3 years ago #

    Hi - I am using a Mac and have been recently contacted by a PC user who has received the alert "Malicious Java Class Download 2" when he tries to access my site - not every time, but pretty regularly. I ran a quick test from a link to Macafee Site Advisor and they found no problem. My support team at Graph Paper Press (for the theme I'm using) tried viewing my site and had no problems; noone else has contacted me that there is an issue. But I don't know how else to know if there is a malware installed. Can you help Mr "Hack Repair Guy"? I'd surely appreciate it.

  4. adpawl
    Posted 3 years ago #

    @bstharp, what's your blog address?

  5. bstharp
    Posted 3 years ago #

    http://www.brendatharhp.com/blog - and thank you for your help!

  6. MickeyRoush
    Posted 3 years ago #

    @ bstharp

    It's probably better if you start your own thread.

    But here is a list of links that should help you. I've compiled them here in one list so that you won't have to scour the net looking for them.

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):

    Backup everything and put that backup somewhere safe. This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/
    5. http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
    6. http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read this:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories

Topic Closed

This topic has been closed to new replies.

About this Topic