perezbox
Forum Replies Created
Forum: Fixing WordPress
In reply to: Malware from wp-count.php
Hi
Hard to give any advice without knowing the peculiars of what you have or haven’t done.
Thanks
Hey
Ah ok, yes, you’re referring to the plugin we have in the repo. Internally we have a premium plugin that builds on the free one, but this one works fine too. We just haven’t updated it, shame on us.
That being said, not sure about those constants and why they would break things. But it seems the issue is in the way we hardcoded to look for the plugins directory, probably need to handle that differently. This is a very uncommon configuration, but likely one to evolve with time.
Have already submitted to the dev team to look at though, see what we can do about it.
Thanks
Hi Brasofilo
Yes, a good portion of our team is made up of Brazilians.
As for the issue, let me get it to our dev team to see what they think about it.
Are you a client by chance? I just ask because if you are you’ll want to use the premium version, we’ll be updating this one in the coming months to be replaced by that.
Stay tuned.
Tony
Forum: Fixing WordPress
In reply to: Site hacked by Click feeds?
Hi Shan
You’re going to want to contact your host and ask that question.
But here is my concern, if you’re stumbling with this I would caution against fiddling on your server. There are a couple of steps you’re going to have to take to connect and make use of the terminal environment, unfortunately each takes time to configure and understand.
It’s because of this that I’d recommend you reach out for help if you need, doesn’t sound like you have the technical background to go at it on your end. I could be wrong though, if I am I apologize.
The last thing I or anyone wants is for you to blow up your server.
Thanks
Forum: Fixing WordPress
In reply to: Site hacked by Click feeds?
Hi
Correct, it’s on your OS. The terminal on Windows is what you get when you run CMD from the start prompt.
But the real question is, are you running WordPress on a Windows box or is that where you spend your time. Most WP instances are on a LAMP stack which means it’s on some kind of NIX distro. What I mention above needs to be executed on the box that the site resides.
Thanks
Forum: Fixing WordPress
In reply to: Site hacked by Click feeds?
Hi Shan
What operating system are you running?
Thanks
Forum: Fixing WordPress
In reply to: Site hacked by Click feeds?
GREP allows you to parse the content on your server by keying in for key words, phrases, patterns etc. It’ll actually go through the files looking to see what it can find.
I wrote a post here that better explains what I was saying above: http://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html
As for not doing anything, sure unless something is referencing it. But then again, it could just be your .htaccess, who knows.. anyway..
And here is an article demonstrating the things you can do with grep: http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
Cheers
Forum: Fixing WordPress
In reply to: How can I tell if my site has Malware
Hi
Well, the best any scanner can give you is what it sees at a given time. It sounds like it could be conditional malware, only presenting itself if certain criteria are met. Desktop AVs will do good for certain things, it’s likely picking up on a drive-by download of some kind, unfortunately it’s likely not malicious in and of itself as presented in the file.
It’s impractical to go through each file, but I would encourage you to start by looking at your index.php, header.php, footer.php and function.php. All in your theme file, see if you see anything that shouldn’t be.
Thanks
Forum: Fixing WordPress
In reply to: Site hacked by Click feeds?
Nami115
In terminal, try running this:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval) *\(" /var/www
Where /var/www is the directory path to your site. So if you download locally modify appropriately. This is not all encompassing but will give you a good idea of what is going on.
Please note, you might get a lot of false positives so you’ll want to go through each finding and verify what it reports. Working with backdoors is a bit of a bear, best of luck.
That last file, peosteve, sounds like conditional malware. Parsing traffic by IPs.
Cheers.
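One way to work through the false positives this reply warns about, as an added example that is not part of the original post: it ranks PHP files by how many lines match the same function list, then separately lists files where eval() directly wraps base64_decode() and PHP files sitting under the uploads directory. The function names and the sample tree are constructed for illustration, and GNU grep is assumed for -R and --include.

```shell
#!/bin/sh
# Added example (not from the original post). PATTERN is the post's function list;
# -E is used instead of -P because the pattern needs no Perl-only syntax.
PATTERN='(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval) *\('

# hits_per_file DIR: print "COUNT PATH" for every PHP file with matching lines, busiest first.
hits_per_file() {
    grep -REc --include='*.php' "$PATTERN" "$1" |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n, $0 }' | sort -rn
}

# high_confidence DIR: files where eval() directly wraps base64_decode(), the
# combination that is rare in legitimate code and worth reading first.
high_confidence() {
    grep -RlE --include='*.php' 'eval *\( *base64_decode *\(' "$1"
}

# php_in_uploads DIR: PHP files under wp-content/uploads, where none are expected.
php_in_uploads() {
    find "$1" -type f -path '*/wp-content/uploads/*' -name '*.php'
}

# make_sample: build a constructed three-file tree and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    printf '%s\n' '<?php get_header(); ?>' > "$d/index.php"
    printf '%s\n' '<?php $h = fopen($f, "r");' 'fclose($h);' 'mkdir($dir); ?>' \
        > "$d/wp-includes/file.php"
    # Constructed sample: the string decodes to the word "constructed".
    printf '%s\n' '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>' \
        > "$d/wp-content/uploads/cache.php"
    echo "$d"
}

sample=$(make_sample)
hits_per_file "$sample"     # the benign file ranks first: 3 lines vs 1
high_confidence "$sample"   # only uploads/cache.php
php_in_uploads "$sample"    # only uploads/cache.php
rm -rf "$sample"
```

On the constructed tree the raw hit count puts the harmless file-handling code on top, which is why the narrower checks are read first and the full list is verified finding by finding.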
Forum: Fixing WordPress
In reply to: Where is /category/…
Hi
Quick question, is trendflux.com your domain?
Forum: Fixing WordPress
In reply to: WordPress Virus Redirects Links from Facebook & Google
Hi
Don’t know if you still have this issue, but this is pretty common conditional malware – the condition is waiting for the Facebook referrer then redirecting.
redleg talks to eval(base64 etc.. type stuff which is one type, but you might also want to look for things like this.
Here is an example of what I mean: http://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html
Understand that this example is not often obfuscated.
Cheers
Forum: Fixing WordPress
In reply to: Iframe Injection Malware
Oh hey, just saw this, sorry for the delay.
You need to query your database. If you have wiped and gone through your files in detail then you need to try querying your database, willing to bet it’s in there. It’s likely embedded there and reinfecting your files. The other thing to check are the neighboring sites or files above the web directory.
While there is no silver bullet you might be reaching a point where you should seek help.
Cheers.
Forum: Fixing WordPress
In reply to: Malware from wp-count.php
Hi Violaine12
Count20 can be a pretty persistent bugger. Here is something you want to try:
In terminal, try grepping for all count20.php instances:
grep -ri 'count20.php' .
The reason I say that is if you’re using an online scanner it might be pulling up the JS files, but more often than not you’ll find it in the index files as well. You want to be sure to remove all instances. Too often folks will remove the index instances or the JS instances, but not both.
The other thing you want to do is kill php execution in your uploads directory and wp-includes. You can try it in your theme directory, but some themes are a bit finicky.
Also, I would take some time to go into your bluehost cpanel and download both your error and access logs – raw logs.
Not sure what all you have done, but seems that you might want to do some investigation to see what the source is, I’d be willing to bet it’s some kind of compromised credential.
Thanks
Forum: Fixing WordPress
In reply to: my site zappiertech.com is redirected to http://mercurytutors.com
Hi
I have yet to meet someone who hasn’t said their infection is urgent.. 🙂
Looks like you might not have gotten everything: http://sitecheck.sucuri.net/results/zappiertech.com
I’d start by looking at your .htaccess file.
Cheers.
Tony
Sucuri
Forum: Fixing WordPress
In reply to: Sucuri SiteCheck says infected with malware
Hi
Tony here with Sucuri. Please if you ever feel we’re reporting something incorrectly send us a note at info@sucuri.net.
I’d be lying if I said we don’t make mistakes.
Take Care
Tony
Glad to see it’s better now. I do see that we’re blacklisting you in our own engine and I’ll pass it up to the engineers to take a look.