Trying to solve virus/malware problem (4 posts)

  1. dkyy
    Posted 5 years ago #

    I've got some sort of malware or virus on my site - http://www.inventinginteractive.com - and am hoping that if I describe what's going on someone can help me find a fix.

    - I first noticed this after receiving a "Malware Notification" email from Google

    - The only visible thing I notice, occasionally, when I look at the site, is a small black dot in the top-left corner of the page, above any other content.

    - When I view the page in Firefox and use the Firebug plugin to examine the dot, I see that it's a 1x1 pixel iFrame with a src link to another site. The link varies, I've noticed it pointing to corneliuspropertyvalue.com and pi.mecklenburgpropertyvalue.com. The link is located at the top of the <body> tag, just below a <block><ad><script src="/wp-content/themes/jquery.min.php"> set.

    - When I choose "view source" from the browser menu, the code I described above doesn't appear.

    - If I reload the page, the iFrame is no longer there -- it's gone.

    - I had noticed a bunch of accounts in the Users page that I hadn't created. So I deleted them. I also changed my passwords.

    - I've looked at all the template files in the Appearance->Editor area and had removed a couple blocks that looked like base-64 text. But several days later the iFrame still is appearing.

    - I've noticed a strange behavior when I first go to the admin page. Occasionally it will show that there is 1 update -- with a (1) button next to the Updates link. But there are no (1) buttons anywhere else on the page. (i.e., usually if there is an update with a plugin, there'll also be a (1) next to plug-ins.) If I click on the Updates link it says that everything is up to date, and if I return to the home admin page the update button is gone.

    - I've read that I should look through my database for bad info -- but I'm not sure what to look for, and if I do find something suspicious, how do I safely remove it without messing everything up.

    - I'm running the latest version of WordPress, and all my plugins: Akismet, Auto Thickbox, Clicky for WordPress, Google Analytics for WordPress, ShareThis, WP to Twitter, and Yet Another Related Posts Plugin. As part of tracking this down I've also installed these security plugins: TAC (Theme Authenticity Checker), WP Security Scan

    - I'm hosting the site using a Mediatemple.net shared Grid Service server.

    Any help would be appreciated -- thanks,


  2. esmi
    Forum Moderator
    Posted 5 years ago #

  3. cwcage
    Posted 5 years ago #

    I've been having this same problem, although you've figured out more than I had. I haven't found the pixel in an iframe, although I've looked.

    First Google was telling me my site had elements from this IP - Today, I'm being told I have elements from null.corneliuspropertyvalue.com. I can't find anything in the generated source code or the source files, that references either of these locations.

    I don't know if it is just a coincidence, but I'm hosting on the GS server as well with Media Temple.

    I'll follow up with some of the links that esmi posted and see if it helps.

  4. cwcage
    Posted 5 years ago #

    Update: Thanks esmi. I followed the links - did a scan of my local machine with ClamWin and found an infected file in the tinymce directory.

    \wp-includes\js\tinymce\utils\eject.php: PHP.ShellExec FOUND

    This seems similar to a problem mentioned recently in this post:
    WordPress 3.0.1 Intrusion through TinyMCE

    Seems like it might be a good idea to put in a fresh copy of the tinymce files.
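
Added example, not part of the original thread: a Python sketch of the check the posts above point toward, comparing the site's core directories against a fresh WordPress copy and flagging the symptoms reported here (a PHP file with a script-like name such as jquery.min.php, base64-wrapped code in theme files, an unexpected eject.php under tinymce). The function names, the two regex heuristics and the sample trees are assumptions constructed for illustration.

```python
import hashlib, os, re, tempfile
from pathlib import Path

# Heuristics taken from the symptoms in this thread; assumptions, not a full signature set.
JS_LOOKALIKE = re.compile(r"\.(min|js)\.php$", re.I)      # e.g. jquery.min.php
SUSPECT_CODE = re.compile(rb"eval\s*\(\s*base64_decode|\bshell_exec\s*\(", re.I)
CORE_DIRS = ("wp-includes/", "wp-admin/")                 # directories shipped with core

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(site_root, clean_root):
    """Compare a site tree with a fresh WordPress copy; return sorted (path, reason) pairs."""
    findings = []
    for folder, _, names in os.walk(site_root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            ref = os.path.join(clean_root, rel)
            if rel.startswith(CORE_DIRS):
                if not os.path.isfile(ref):
                    findings.append((rel, "not in clean core"))
                elif digest(full) != digest(ref):
                    findings.append((rel, "differs from clean core"))
            if name.lower().endswith(".php"):
                if JS_LOOKALIKE.search(name):
                    findings.append((rel, "PHP file with script-like name"))
                if SUSPECT_CODE.search(Path(full).read_bytes()):
                    findings.append((rel, "suspect code pattern"))
    return sorted(findings)

def build_demo(base):
    """Write constructed sample trees: a clean core copy and a site with three planted files."""
    clean = {"wp-includes/version.php": "<?php $wp_version = 'x';",
             "wp-includes/js/tinymce/wp-tinymce.php": "<?php // loader"}
    site = dict(clean)
    site["wp-includes/js/tinymce/utils/eject.php"] = "<?php shell_exec('uptime'); // sample"
    site["wp-content/themes/jquery.min.php"] = "<?php // constructed placeholder"
    site["wp-content/themes/demo/footer.php"] = "<?php eval(base64_decode('ZWNobyAxOw=='));"
    for root, tree in (("clean", clean), ("site", site)):
        for rel, body in tree.items():
            target = Path(base, root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return os.path.join(base, "site"), os.path.join(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(*build_demo(tmp)), sep="\n")
```

On a real site, `clean_root` would be an unpacked download of the same WordPress version the site runs; a reported file is a lead to inspect, and a hit-free run does not show the database is clean.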

Topic Closed

This topic has been closed to new replies.