[resolved] Site Listed as Containing Malware. (13 posts)

  1. SoMVeritas
    Posted 2 years ago #

    I've had my site (http://www.StateOfMindGaming.com) running since December with no issues (aside from the fact that my web development skills are sub-par). However, over the past week the people who visited my site, as well as myself, have been getting a Malware notice from Chrome and Firefox. I looked into the issue and it seems that (and I hope that this is the entire issue) there is a string of code at the beginning just after the start of the body:

    [ Please do not post malware/exploit code here. ]

    A friend of mine said that by having the "botsdarehere.com" link it is registering the website as having Malware. I'm not sure if this is the result of being hacked, updating something improperly, or another way, but I would like to somehow remove the code.

    I have tried the following:

      Removing all files from the FTP and restoring to previously used files
      Importing all files into Dreamweaver and searching for the code within one of the files

    I'm sad to say both attempts have gotten me nowhere due to my lack of web development and WordPress knowledge. I've heard these forums have an excellent community and give excellent feedback so I would greatly appreciate it if anyone could help me resolve this issue.

    Please let me know if there is any other helpful information about the site that I can provide and I will be happy to do so.

  2. SoMVeritas
    Posted 2 years ago #

    Thanks for the information Songdogtech!

    As previously stated, I tried removing the files and doing a restore point like some of the websites you linked recommended, but it still came up with the same response.

    I'm currently in the process of scanning my computer and waiting to change the passwords until after the scan is completed and the located malware is quarantined.

    I read on the Sucuri site you linked that the code for this is commonly hidden within .php and .js files and have been trying to search for it.
    I've used both <iframe src> and the botsdarehere.com url as search criteria. Sadly, I'm not seeing anything come up as being related to the search. Is there some other method that could be used to write this code that I could search for to find it?

  3. solutionsphp
    Posted 2 years ago #

    I've had a couple of sites get hit with this over the past few days. WordPress and plugins are all up to date, and some sites that were hit are not running WordPress at all. No issues with my local system. I haven't found the hole yet.

    @SoMVeritas: Go through every directory and look at the last modified dates on the files. This is one way to locate hacked files, however some hacks don't leave the footprint of a modified date. To be safer then, delete all files you can off your server and re-upload them fresh. This includes theme files (the header.php file was likely injected with the IFRAME code.) If you're using a cache plugin, delete the cache, and delete your browser cache too. Visit your site and verify that the injected code is gone.

    This won't close the security hole on your site, but it will help clean up the injected code.

  4. solutionsphp
    Posted 2 years ago #

    P.S. Also look for files you don't recognize. I'm seeing files with jquery file names that I didn't upload, stuff like jquery.effects.bounce.min.js, and these contain injected code too -- delete them.

  5. perezbox
    Sucuri.net CEO
    Posted 2 years ago #
    Are you still having an issue with this?

    Thing to note with the SiteCheck result is that it's showing the client display, in other words if it's encoded you won't have much luck finding it via terminal.

    Looks like you might have had some luck though from what I'm seeing: http://sitecheck.sucuri.net/results/www.stateofmindgaming.com/

    But you'll want to submit to Google if you haven't already. Diagnostic page: http://www.google.com/safebrowsing/diagnostic?site=www.stateofmindgaming.com

    You'll want to clear this so that your reputation doesn't get dinged too bad.
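
The search described in posts 2 to 5 (recently modified files, a plain search for the iframe and the domain, and the encoded case that a plain search misses), as an added example that is not part of this thread. It assumes POSIX sh with find, grep and base64, and runs against a constructed sample tree with a placeholder domain rather than real injected code.

```shell
#!/bin/sh
# Added example (not from this thread): find injected iframe code in a WordPress
# tree, including copies hidden in base64 that a search for '<iframe src' misses.
# Plain-text indicators: the domain named in the thread plus common PHP obfuscation wrappers.
PATTERNS='<iframe|botsdarehere\.com|base64_decode\(|eval\(|gzinflate\(|str_rot13\('

# Files changed within the last N days (the modified-date check from post 3).
recent_files() {   # usage: recent_files DIR DAYS
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-$2"
}

# Report each plain indicator found in FILE as "FILE: indicator".
scan_plain() {     # usage: scan_plain FILE
    grep -E -o "$PATTERNS" "$1" 2>/dev/null | sort -u | sed "s|^|$1: |"
}

# Decode every long base64 string literal in FILE and look inside the result.
scan_encoded() {   # usage: scan_encoded FILE
    grep -E -o "['\"][A-Za-z0-9+/=]{24,}['\"]" "$1" 2>/dev/null | tr -d "'\"" |
    while read -r blob; do
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || continue
        case "$decoded" in
            *'<iframe'*|*botsdarehere.com*) echo "$1: base64-hidden iframe" ;;
        esac
    done
}

# Walk DIR and print one line per hit; empty output means nothing was found.
scan_tree() {      # usage: scan_tree DIR [DAYS]  (assumes no spaces in paths)
    for f in $(recent_files "$1" "${2:-30}"); do
        scan_plain "$f"
        scan_encoded "$f"
    done
    return 0
}

# Constructed sample tree (placeholder domain, not real malware): a clean wp-admin file,
# a theme header.php with an eval(base64_decode()) iframe, and a stray jquery file (post 4).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/themes/mytheme" "$d/wp-includes/js"
    printf '<?php require_once "admin-header.php"; ?>\n' > "$d/wp-admin/admin.php"
    enc=$(printf '%s' '<iframe src="http://injected.example/" width="0"></iframe>' | base64 | tr -d '\n')
    printf '<body>\n<?php eval(base64_decode("%s")); ?>\n' "$enc" > "$d/wp-content/themes/mytheme/header.php"
    printf 'eval(function(p){return p})("x");\n' > "$d/wp-includes/js/jquery.effects.bounce.min.js"
    echo "$d"
}

scan_tree "$(make_sample)" 30
```

Run it against the real document root with a DAYS value covering the week the notices started; a hit on a file you never uploaded is the cue to delete it, and a hit in header.php is the injection post 3 describes.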
  6. perezbox
    Sucuri.net CEO
    Posted 2 years ago #

    @solutionsphp you still having the reinfection problem?

  7. solutionsphp
    Posted 2 years ago #

    @perezbox FWIW, Sucuri's SiteCheck didn't even pick up this injected IFRAME. It listed sites as clean that were infected.

    My sites are as clean as can be, though I still don't know for certain how they were infected.

  8. perezbox
    Sucuri.net CEO
    Posted 2 years ago #

    @solutionsphp yes that happens sometimes, depends what it is and what referrers it's depending on.
  9. @solutionsphp: are you on dreamhost? Or another shared host?

  10. solutionsphp
    Posted 2 years ago #

    I had several sites hit, on different hosts: Dreamhost, ANhosting, HostGator. Each of these accounts allows for add-on domains under the same user, so one infected WordPress website could contribute to the infection of other sites under the user, whether or not they had WP installed.

  11. Insecure WP sites in completely different accounts can be the vector into your account, too. That's the nature of shared hosting. Some shared hosts also sacrifice some security with permission schemes that are needed to enable the shared setups.

    https://www.whitefirdesign.com/blog/2012/03/09/dreamhosts-gross-negligence-to-blame-for-recent-hacks/ among other Google results.

  12. solutionsphp
    Posted 2 years ago #

    Very interesting, thank you for that info.

Topic Closed