UseShots
Forum Replies Created
Forum: Fixing WordPress
In reply to: How to clean hacked WP
Hi,
Unfortunately your site is still hacked. It redirects search engine traffic to “bad” sites.
Here you can see the redirects
http://www.UnmaskParasites.com/security-report/?page=www.kendoguayas.com
It happens when hackers modify your .htaccess file.
You should remove malicious redirect rules from your .htaccess file.
Your FTP credentials have been stolen. So scan your computer for malware.
Then change site passwords and refrain from saving them in your FTP programs (of course if you don’t want reinfection).
Finally request a malware review via Google’s Webmaster Tools. Your site is currently blacklisted by Google and web browsers like Firefox, Safari and Google Chrome
http://www.google.com/safebrowsing/diagnostic?site=www.kendoguayas.com
P.S. Upgrade Adobe Acrobat, Flash and Java on your computer – older versions are vulnerable.
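One way to look for the kind of .htaccess rules described in the reply above (redirects applied only to visitors arriving from search engines), as an added example that is not part of the original forum post. The sample file, the `redirect-target.invalid` host, the search-engine list and the function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: referrer keywords worth flagging; extend as needed.
SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "aol")

# Constructed sample: a stock WordPress block plus an injected rule pair.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing).*$ [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/in.php [R=301,L]
"""

def bare(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    h = host.lower()
    return h[4:] if h.startswith("www.") else h

def find_referer_redirects(text, own_host):
    """Return RewriteRules that send search-engine referrals to another host."""
    findings, pending = [], []  # pending: RewriteCond lines awaiting a rule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append((lineno, raw.lower()))
        elif directive == "rewriterule":
            # RewriteCond lines apply only to the next RewriteRule.
            target = parts[2] if len(parts) > 2 else ""
            host = urlparse(target).hostname if "://" in target else None
            conds = [n for n, c in pending
                     if "%{http_referer}" in c and any(e in c for e in SEARCH_ENGINES)]
            if host and bare(host) != bare(own_host) and conds:
                findings.append({"rule_line": lineno, "cond_lines": conds,
                                 "target_host": host})
            pending = []
    return findings

if __name__ == "__main__":
    for finding in find_referer_redirects(SAMPLE_HTACCESS, "www.example.org"):
        print(finding)
```

Rules flagged this way are candidates for manual review and removal; the stock WordPress block is not reported because its RewriteRule stays on the same site.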
Here’s another proof I was right:
This is yesterday’s comment to my article about the Beladen exploit (the previous incarnation of the same attack):
http://blog.unmaskparasites.com/2009/06/18/beladen-elusive-web-server-exploit/#comment-3824
It says that the server redirected users to indianapolis-sales .com and best-virus-scanner5 .com – exactly the sites that Google reports for your pages.
So show it to your hosting provider, or move your site to another server.
>How did u find more than 500+ sites are affected with the same ?.
Because I’ve seen Google’s Safe Browsing diagnostic page for your site
http://www.google.com/safebrowsing/diagnostic?site=www.nmarketers.com
and I know the sort of attack those sites (mentioned on that page) are involved in. And I’ve detected a typical response once.
Moreover some other sites on your server had signs of the same attack in their diagnostic pages.
I’ve been watching this attack since May and I know how hard it is to detect. And many server admins simply don’t believe this can happen. However if you read comments to that article, you’ll know that this is real.
Basically, the sites themselves are not infected. But the Apache web server is hijacked and legitimate responses for any site can be replaced by malicious code.
The attack only works when hackers activate it via a backdoor script and it can’t be easily detected. However a site admin can find the backdoor script (check commands in the comments http://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/#comment-1820 )
It looks like the whole server is compromised. Not only your site, but every site on your server (500+).
I’ve detected a malicious response that was similar to responses in this attack:
http://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/
Then I checked other sites on your server and found (via Google’s Safe Browsing database) that it was affected by the goscanpark attack.
Most likely your hosting provider failed to notice the hack (it is very elusive) and the server is still infected.
This doesn’t have anything to do with WordPress. This doesn’t have anything to do with your site. The only way to resolve the issue is to have the server administrator (hosting provider) find and remove the backdoor script and terminate malicious processes that hijack Apache responses.
Have your hosting provider read the article above. Especially the comments to that article where other server admins share their knowledge about how they detected and stopped the attack.
Forum: Everything else WordPress
In reply to: Am I being hacked?
Do those files really not exist? Did you check if your WordPress directory structure is intact?
Forum: Fixing WordPress
In reply to: My site was Hacked
Do you have any other scripts on your site? Forums? What plugins do you use?
You might want to contact your hosting provider to investigate the issue.
Forum: Everything else WordPress
In reply to: My Permalinks changed, hacked?
Really strange.
Here is a topic with a similar problem (eval code in permalinks)
http://wordpress.org/support/topic/307518
Please, post updates here if you manage to find out what caused such strange permalinks
Forum: Fixing WordPress
In reply to: Removing a go00ogle.net infection
@ambanmba: Thanks for the tutorial!
@tommix: Malware simply steals your FTP credentials from your FTP program configuration files. Everything you save in your FTP programs is easily accessible for malware.
For example, FileZilla stores your passwords in plain text and doesn’t protect them “by design”. Other FTP clients are no better. So don’t save your passwords in FTP programs if you don’t want to see your sites hacked.
Forum: Fixing WordPress
In reply to: Website hack
Hardening WordPress is a good thing. Unfortunately, it won’t help in this particular case.
This iframe is injected using FTP credentials stolen from your local computer.
So make sure to scan your computer for malware.
Once you are sure your computer is clean, change FTP passwords.
And don’t save passwords inside your FTP program if you don’t want them to be stolen again.
Here you can find more information about this attack:
http://blog.unmaskparasites.com/2009/06/25/hidden-cn-iframes-are-still-prevalent/
Forum: Everything else WordPress
In reply to: WP 2.8.2 bug?
Thanks. Looks like the bug fix will be available in 2.8.3
Forum: Fixing WordPress
In reply to: Malicious code in blog – but where?
@royal: Check theme files and other WordPress files.
The links can be injected by some obfuscated PHP code, so search for strings like base64_decode
Another good solution is to try the WordPress Exploit Scanner plugin
http://wordpress.org/extend/plugins/exploit-scanner/
It should be able to locate this sort of malicious code.
Forum: Everything else WordPress
In reply to: Virus Alert
Hi,
At the very bottom of your pages’ HTML code you will find this obfuscated iframe:
<iframe src =”& #104;& #116;& #116; & #112; & #58;& #47;& #47;& #103;& #111;& #111;&#…
If you decrypt it you’ll see that it loads something from a blacklisted domain (google-traff .cn):
http://www.google.com/safebrowsing/diagnostic?site=google-traff.cn
Forum: Everything else WordPress
In reply to: WP 2.8.2 bug?
It’s indeed a bug.
I checked the change in the source files and found the bug in /wp-admin/edit-form-comment.php file.
In the previous version they had a variable $url
$url = get_comment_author_url();
But in WP 2.8.2, they removed that line but still use the (now undefined) $url variable as a value of the “URL” edit box:
<td><input type="text" id="newcomment_author_url" name="newcomment_author_url" size="30" class="code" value="<?php echo esc_attr($url); ?>" tabindex="3" /></td>
Not sure how to submit it to WordPress developers. I checked the latest SVN version and the bug is still there.
Forum: Everything else WordPress
In reply to: WP 2.8.2 bug?
It’s not plugins. It’s the WP admin itself. It’s the admin’s “Edit Comments” form that loses the URL of the commenter.
Anyway, I tried to disable all plugins and it wouldn’t help.
Forum: Alpha/Beta/RC
In reply to: WP 2.8 Beta 1: Pasting bug?
Looks like the issue has been resolved in WP 2.8 beta 2
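The entity-encoded iframe described in the “Virus Alert” reply above can be found and decoded mechanically when reviewing a page's HTML. The following is an added example, not part of the original posts; the sample page, the `injected.invalid` URL, the five-entity threshold and the function name are constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse

IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']([^\"']*)[\"']", re.I)
NUMERIC_ENTITY = re.compile(r"&\s*#(?:x[0-9a-f]+|\d+);", re.I)

# Constructed sample: one ordinary embed and one iframe whose src is written
# entirely as numeric character references, with stray spaces as in the post.
HIDDEN_URL = "http://injected.invalid/in.cgi"
ENCODED = " ".join(f"& #{ord(ch)};" for ch in HIDDEN_URL)
SAMPLE_PAGE = (
    "<html><body><p>Post text</p>"
    '<iframe src="https://player.example.org/embed/1?a=1&amp;b=2"></iframe>'
    f'<iframe src ="{ENCODED}" width="1" height="1"></iframe>'
    "</body></html>"
)

def find_encoded_iframes(page, min_entities=5):
    """Return decoded URLs of iframes whose src is mostly numeric entities."""
    hits = []
    for match in IFRAME_SRC.finditer(page):
        raw = match.group(1)
        # A lone &amp; is normal; a run of numeric references is not.
        if len(NUMERIC_ENTITY.findall(raw)) < min_entities:
            continue
        normalised = re.sub(r"&\s+#", "&#", raw)      # "& #104;" -> "&#104;"
        decoded = re.sub(r"\s+", "", html.unescape(normalised))
        hits.append({"offset": match.start(),
                     "url": decoded,
                     "host": urlparse(decoded).hostname})
    return hits

if __name__ == "__main__":
    for hit in find_encoded_iframes(SAMPLE_PAGE):
        print(hit)
```

The decoded host is what you would then check against a reputation service such as the Safe Browsing diagnostic page linked in the reply.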