Help! My WP site is under a Malware attack

Last week I tried to log in to my WP Marketing business site, KTPMarketing.ca, but Google has listed this as an attack site. I checked with Google Webmaster tools and found that a Malware script has been inserted into several areas of my site.

I sent a report ticket to my host, VodaHost, and within an hour they told me to request a review from Google because everything looks fine. So I did, then changed my FTP and blog login info. My site was up for a few days and then I got the same message from Google saying my site was an attack site.

Sure enough, there was the same script all over my website. I managed to remove the script on a few HTML pages that I uploaded, but I cannot find where the code is being inserted on my Wordpress pages even though the malicious script is visible when looking at the source code. I can't even log in to the admin panel anymore, because I'm directed by the damn script.

I need some help. I don't know enough about this sort of thing to do it myself. I have a custom template that I have made several changes to inside the admin panel, so I am afraid of erasing my hard work.

My host has been less than helpful this time, so I'm looking for some WF help to deal with this matter. This is my business website, and I don't need to tell you what this is doing to my credibility each day the site is down.

Thanks,

Kevin

EDIT: My host finally came through for me after repeated contact attempts....maybe just to shut me up, but who cares! Thanks to everyone who posted useful tips to try to solve my problem.
  • Profile picture of the author Kevin Perry
    Yes, I can get into cPanel. And I didn't mean to post it as a link....most browsers should stop access if reported by Google.

    Kevin
    Signature
    Owner and Operator of 6StarMedia.com - A website design and marketing firm
    Marketing Consultant for AuctionAutoBidder.com - An eBay Auction Sniper service
    Check out one of my clients for Database Services - Pebble IT
  • Profile picture of the author Kurt
    Your host should take care of security. Since they won't, you need to get a specialist or move your site to another host.

    Google something like "server security service" or "server admin service". But unless they have root access, they won't be able to do much.
    Signature
    Discover the fastest and easiest ways to create your own valuable products.
    Tons of FREE Public Domain content you can use to make your own content, PLR, digital and POD products.
  • Profile picture of the author Kevin Perry
    Moving my site to another host will not solve the problem I have right now....My webfiles would still be infected.

    I was hoping to find someone here to help me out....hence the creation of this thread.

    Kevin
    • Profile picture of the author Kurt
      Originally Posted by The Godfather View Post

      Moving my site to another host will not solve the problem I have right now....My webfiles would still be infected.

      I was hoping to find someone here to help me out....hence the creation of this thread.

      Kevin
      1. Moving your site to another host wouldn't be a problem if you backed up your files like you are supposed to. But that wasn't my point. My point was, it is your host's job to take care of security. If they don't do their job, don't stay with them.

      2. I did help you out, hence my response suggesting you hire a pro. No one can help you without being the admin for your site and checking things themselves. If your business is worth anything, pay an expert. If it isn't worth paying someone to save it, forget about it.
      • Profile picture of the author Kevin Perry
        Originally Posted by Kurt View Post

        1. Moving your site to another host wouldn't be a problem if you backed up your files like you are supposed to. But that wasn't my point. My point was, it is your host's job to take care of security. If they don't do their job, don't stay with them.

        2. I did help you out, hence my response suggesting you hire a pro. No one can help you without being the admin for your site and checking things themselves. If your business is worth anything, pay an expert. If it isn't worth paying someone to save it, forget about it.
        Sorry if I was harsh towards your previous comments. I'm just getting frustrated trying to get an answer from my host. The last message I got from them was yesterday evening, so I don't know if I'm going to hear from them again. I've sent a couple of emails since then and I will continue to do so until I get a response back.

        I recommend everyone steer clear of VodaHost.com. Good prices and good features, but terrible customer service. They have a phone number, but it just tells you to submit an online ticket. Terrible. I will be looking for a new host once I get this ironed out.

        Where do you find these pros? I figured somebody here on WF was an expert in this field. As I said before, I will pay someone to help me. This is my business website...it's killing my credibility.

        And yes, lesson learned about backing up files.

        thanks,

        Kevin
  • Profile picture of the author James Danh
    I've had this problem before, I think. Luckily I didn't have the latest WordPress uploaded, so I just clicked update to the newest version (in Fantastico), and what happened is all the old WordPress files were overwritten, and so the files with the malware were overwritten. Maybe you could do this manually. Hope this helps you out, I feel your pain.
  • Profile picture of the author Kevin Perry
    Yeah, I upgraded to 3.0 from the admin panel...which made it worse I think! Before I was able to access the admin panel (if I turn off block attacking sites in Firefox), now the Malware script redirects me when I try to login.

    I'm losing my mind! If anyone can help me that would be great. I will pay you!

    Kevin
    • Profile picture of the author garyv
      Originally Posted by The Godfather View Post

      Yeah, I upgraded to 3.0 from the admin panel...which made it worse I think! Before I was able to access the admin panel (if I turn off block attacking sites in Firefox), now the Malware script redirects me when I try to login.

      I'm losing my mind! If anyone can help me that would be great. I will pay you!

      Kevin
      This is what I would do, which may or may not work. Write down the names of all of your plugins, so that you can go back and get them later. And write down the name of your theme so you can get that again. Then export your database. After you've exported your database, delete the entire WP site and reinstall it with fresh files. After reinstallation, import your database file.

      Also, here's a decent "how to" tutorial:
      How to Reinstall Wordpress After Hack | New Think Tank
    • Profile picture of the author John Henderson
      Originally Posted by The Godfather View Post

      I'm losing my mind! If anyone can help me that would be great. I will pay you!
      If I were you Kevin, I'd contact James (AKA "TheRichJerksNet").

      You can PM him from this thread...
      http://www.warriorforum.com/warrior-...ot-v3-0-a.html
  • Profile picture of the author seasoned
    In most cases, this is done through an EXPLOIT of a flaw in the software. You MIGHT want to check out:

    WordPress › WordPress Exploit Scanner WordPress Plugins

    I haven't really looked at it, but apparently THEY recommend it!

    THIS site lists some exploits, but apparently does NOTHING else:

    Wordpress Exploit - database of Wordpress exploits

    THIS site seems to give more help:

    Wordpress 2.8.3 Admin Reset Exploit | Darknet - The Darkside

    I DOUBT many hosts try to keep up on this. Fantastico may TRY, but they also want the latest, minimal updates, etc...

    AND, it is important to note that fixing an exploit usually limits their ability to FURTHER exploit a weakness. PAST attempts will likely exist, so you must clean them up. It is almost like that oil spill. Fixing the exploit is like capping the well. You will likely STILL have to fix the pages that are affected (clean up the oil).

    BTW it is a good idea to check patches and, if they are for security, APPLY THEM. One of the ironies of security is that publishing a fix publishes the flaw and people may THEN try to exploit it EVEN as many are trying to fix it.

    Steve
    • Profile picture of the author Kevin Perry
      Originally Posted by garyv View Post

      This is what I would do, which may or may not work. Write down the names of all of your plugins, so that you can go back and get them later. And write down the name of your theme so you can get that again. Then export your database. After you've exported your database, delete the entire WP site and reinstall it with fresh files. After reinstallation, import your database file.

      Also, here's a decent "how to" tutorial:
      How to Reinstall Wordpress After Hack | New Think Tank
      The trouble with that is that the theme is heavily modified from the original version. I had the site made for me, so I'm trying to get in touch with the creator to send me an unmodified theme so I can see if there are any differences to the core files.

      This would be easy if I could get into my admin panel. I would just copy the php pages that I made changes to then paste it into the new install. Without being able to get in the admin (just redirects), I don't know how to tackle this without losing everything.

      Originally Posted by seasoned View Post

      In most cases, this is done through an EXPLOIT of a flaw in the software. You MIGHT want to check out:

      WordPress › WordPress Exploit Scanner WordPress Plugins

      I haven't really looked at it, but apparently THEY recommend it!

      THIS site lists some exploits, but apparently does NOTHING else:

      Wordpress Exploit - database of Wordpress exploits

      THIS site seems to give more help:

      Wordpress 2.8.3 Admin Reset Exploit | Darknet - The Darkside

      I DOUBT many hosts try to keep up on this. Fantastico may TRY, but they also want the latest, minimal updates, etc...

      AND, it is important to note that fixing an exploit usually limits their ability to FURTHER exploit a weakness. PAST attempts will likely exist, so you must clean them up. It is almost like that oil spill. Fixing the exploit is like capping the well. You will likely STILL have to fix the pages that are affected (clean up the oil).

      BTW it is a good idea to check patches and, if they are for security, APPLY THEM. One of the ironies of security is that publishing a fix publishes the flaw and people may THEN try to exploit it EVEN as many are trying to fix it.

      Steve
      Those plugins really won't help me, because I can't get into the admin panel to activate them.

      I'm in way over my head here.

      Kevin
      • Profile picture of the author seasoned
        Originally Posted by The Godfather View Post

        The trouble with that is that the theme is heavily modified from the original version. I had the site made for me, so I'm trying to get in touch with the creator to send me an unmodified theme so I can see if there are any differences to the core files.

        This would be easy if I could get into my admin panel. I would just copy the php pages that I made changes to then paste it into the new install. Without being able to get in the admin (just redirects), I don't know how to tackle this without losing everything.



        Those plugins really won't help me, because I can't get into the admin panel to activate them.

        I'm in way over my head here.

        Kevin
        WOW, you REALLY need to make a backup with custom work. ALSO, with something like WP, you have to be careful HOW it is modified. ONE wrong step, and you may be DOOMED to hiring programmers to apply patches that should be easily applied for free.

        YEAH, I know, state the obvious, 20/20, etc.... BUT, it IS true, so I figured I should say it.

        Steve
        • Profile picture of the author Kevin Perry
          Originally Posted by seasoned View Post

          WOW, you REALLY need to make a backup with custom work. ALSO, with something like WP, you have to be careful HOW it is modified. ONE wrong step, and you may be DOOMED to hiring programmers to apply patches that should be easily applied for free.

          YEAH, I know, state the obvious, 20/20, etc.... BUT, it IS true, so I figured I should say it.

          Steve

          Thanks.

          Kevin
  • Profile picture of the author garyv
    Can you still use FTP to get into your site? You could copy the php files from there.
  • Profile picture of the author seasoned
    The Godfather,

    EVEN if Kurt were right about the host's responsibility for security in general, though I don't feel he is, it is MEANINGLESS with custom code, as you said you have.

    You think they will support ANY program? GIVE ME A BREAK! Do you go to home depot to get support for M/S excel?

    MAYBE they have a backup. There is a CHANCE, as it is EASY to do through cpanel and/or whm. Other than that, unless they are the one that provided the code, you are probably out of luck. BTW the backups DO take space, resources, and time, so I'm sure many hosts still CHARGE for them. SO, if you didn't pay, don't EXPECT them to have it.
    Though they still MIGHT.

    And it IS possible that they backed up data, but I bet FAR less likely. You COULD try asking them nicely. If they saw what you just wrote, maybe they won't be quite so nice.

    As for pros? Your BEST bet is the person that gave you the original code. Failing THAT, I would suggest finding a WP expert. I'm obviously not in either area, and could maybe help, but you seem to expect too much from the get-go. AND, not knowing where you were, and right now where you're at, I, for one, would be hesitant.

    BTW WHOEVER you go to next, don't expect THEM to back up without being asked. Don't expect THEM to answer your every question. Don't expect THEM to support every app, and patch them.

    Steve
  • Profile picture of the author ChristinaVOS
    Kevin,

    There was recently a slew of hack attacks on Wordpress and other PHP websites. To see if it's the same attack, open up one of the theme php files through ftp and look at the top. Is there a large string of characters that starts with "eval(base64_decode"?

    If that's the case, get in touch with me and I'll see what I can do.

    ~Christina
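
The check described in the post above, as an added example that is not part of the original thread: a Python scan of a WordPress tree for PHP files containing `eval(base64_decode`. It goes slightly beyond the quoted string by also matching whitespace, case variations and wrapper calls such as `gzinflate`; the sample theme files, the `custom` theme directory and all function names are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# "eval(" followed by "base64_decode(", allowing whitespace, any letter case
# and wrapper calls (e.g. gzinflate) in between. The wrappers are an assumed
# generalization of the exact string quoted in the post.
PATTERN = re.compile(
    rb"eval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode\s*\(", re.IGNORECASE
)


def scan_php_tree(root):
    """Return (relative path, line number, line preview) for every match."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        for m in PATTERN.finditer(data):
            line_no = data.count(b"\n", 0, m.start()) + 1
            start = data.rfind(b"\n", 0, m.start()) + 1
            end = data.find(b"\n", m.start())
            end = len(data) if end == -1 else end
            preview = data[start:end][:80].decode("ascii", "replace")
            findings.append((path.relative_to(root).as_posix(), line_no, preview))
    return findings


def build_sample_tree(root):
    """Constructed sample theme: one clean file, two with an injected loader."""
    theme = Path(root) / "wp-content" / "themes" / "custom"
    theme.mkdir(parents=True)
    # Harmless constructed payload: base64 of a PHP comment.
    blob = base64.b64encode(b"/* constructed sample */").decode()
    (theme / "index.php").write_text("<?php get_header(); ?>\n<h1>Home</h1>\n")
    (theme / "header.php").write_text(
        f"<?php eval(base64_decode('{blob}')); ?>\n<?php wp_head(); ?>\n"
    )
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        f"<?php EVAL ( gzinflate( base64_decode ('{blob}'))); ?>\n"
    )


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_php_tree(tmp)


if __name__ == "__main__":
    for rel, line_no, preview in demo():
        print(f"{rel}:{line_no}: {preview}")
```

Run against a copy of the site pulled down over FTP, `scan_php_tree` reports each file and line to inspect; an empty result only rules out this one pattern.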
    • Profile picture of the author Kevin Perry
      Originally Posted by John Henderson View Post

      If I were you Kevin, I'd contact James (AKA "TheRichJerksNet").

      You can PM him from this thread...
      http://www.warriorforum.com/warrior-...ot-v3-0-a.html
      Thanks John, I will look into that. I have finally heard back from VodaHost and I think they can help, but for a price. I'd pay anything at this point! If things don't work out I'll PM James for some advice.

      Originally Posted by ChristinaVOS View Post

      Kevin,

      There was recently a slew of hack attacks on Wordpress and other PHP websites. To see if it's the same attack, open up one of the theme php files through ftp and look at the top. Is there a large string of characters that starts with "eval(base64_decode"?

      If that's the case, get in touch with me and I'll see what I can do.

      ~Christina
      Thanks Christina, unfortunately I didn't find anything that looks like that.

      Kevin
  • Profile picture of the author Kevin Perry
    Problem solved. My host finally helped me out after repeated contact attempts. Thanks to everyone who offered support.

    Kevin
  • Profile picture of the author John Henderson
    That's great news, Kevin. Now perhaps you can sleep a little better!

    I'm sure that next time these s**t-heads try to hack your blog, you'll be ready for them!