WordPress.org

Forums

Trouble finding malware on site (8 posts)

  1. CullenJWebb
    Member
    Posted 2 years ago #

    Hello,

    2 of my clients websites are being identified as suspicious by Google. Which is very, very bad. But when I scan the websites, and have our web host scan the websites, we can't find any malware. Nothing at all.

    So, if any of you are comfortable, please see if you can find something that we can't. Here are the URL's:

    cosensmma.com/
    flowwellness.co/

    It's some sort of a script.

    If you don't want to visit the sites yourself, how do you normally root it out?

    Thanks a ton!

  2. Krishna
    Volunteer Moderator
    Posted 2 years ago #

  3. cjchamberland
    Member
    Posted 2 years ago #

    Your going to have to have FTP or SSH access to the site in order to fix the issue. Below are some steps you can take:

    1) First, do you have a “clean” back-up of your site, if so, just restore it from that.

    2) If #1 doesn’t apply, do the following, check all .htaccess files, index.php files and any include files or theme files you may be using.
    3) Also, check above your web directory (usually above public_html, httpdocs, html, etc) for an .htaccess file that will override anything in your web directory.

    4) Remove any code that you find in your “legitimate” files that matches any of the following (Note – this isn’t an all exhaustive list, it’s the most common issues I’ve seen):
    a. “eval(base64_decode(…..”
    b. “edoced_46esab…”
    c. “getMama…”
    d. “115,99,114,105,112,116….”
    e. “document.write(‘<iframe…..”

    5) Look for any php files in any image, css, upload, download, etc directories that would not normally have a php file in them. Check the file contents for base64 strings and thing that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

    6) Once you’ve cleaned your site – UPGRADE it if you are not running the latest version to remove any possible publicly available vulnerabilities.

    7) Also I would recommend checking permissions; files should be at 644 and directories at 755 (this depends on your hosting company/server – this is the most common setting). Change your cPanel and FTP passwords.

    8) Once you have completed all those steps, go to http://www.google.com/webmasters and if you don’t already have an account create one (Obviously if you have one – skip this step).

    9) Once you’ve created your account, add your site, then on the left hand side, click on “Health”, “Malware” . If they have you flagged, and you have cleaned your site, submit it for re-evaluation. This usually will take between 48-72 hours before you are cleared.

    Hope this helps

  4. CullenJWebb
    Member
    Posted 2 years ago #

    Thank you so much! It seams like every directory has the “eval(base64_decode(…..” malware in it.

    I'm going through and removing all the PHP files it created and edited.

    Is this normally a result of not updating WordPress? I'm always cautious when updating WordPress because of themes and plugins breaking.

  5. CullenJWebb
    Member
    Posted 2 years ago #

    Now I'm having a new issue.

    I have edited the PHP files with FileZilla to remove the malware, but now I'm getting an undefined PHP error.

    http://cosensmma.com/

    I tried downloading and manually uploading new WordPress files, except wp-content and wp-config.php, but there's no change.

  6. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    Please this link:
    http://wordpress.org/support/topic/site-hacked-by-b0y-h4ck3r?replies=8#post-2957552

    You need to go through all the resources mentioned there by Esmi.

  7. CullenJWebb
    Member
    Posted 2 years ago #

    My most recent post wasn't in regards to the malware. I'm able to remove that on my own now, but once I do it breaks the files.

    I just don't know why the files don't work once I remove the malware or replace them with new wordpress files.

  8. Krishna
    Volunteer Moderator
    Posted 2 years ago #

    Please see the link I posted above and follow the instructions there.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags