Is this base64 or something else?

  • Hi,

    A few weeks ago all the index.php and index.html files for 9 sites I maintain were swapped for a hacked pages. I quickly replaced these and changed all the passwords: FTP, wordpress accounts and Database.

    Godaddy my host confirmed only the index pages had been changed (I think weakpoint was an old wordpress site a client had not updated for a while and gave entry to the server?).

    Having had a flood of odd traffic the past few weeks prior to this I installed ‘Block Bad Queries (BBQ)’ and ‘Limit Login Attempts’ plugins. Also godaddy applied a recent update to the hosting server. 2 weeks I thought I was in the clear…

    But today I noticed the google ads I have on one of the site displayed the usual 4 words but last one was ‘viagra’ the website https://www.barbicanwaterfront.com is a community site setup to help people in the area. I did a search everywhere and the word Viagra does not appear.

    However on google it reports 2 pages where it appears the word had been injected into some text on news posts (again these all look clear now)

    After looking about I’ve ran a barrage of tests using plugins
    Exploit Scanner
    Sucuri Security – SiteCheck Malware Scanner (and their website)
    WebsiteDefender WordPress Security
    Wordfence Security
    WP Security Scan
    (also using godaddys daily site scanner)

    All have come back with no malware or file changes. I did have base64 in 4 files BUT on downloading fresh copies from wordpress.com (one is jetpacks file) I found the code in there already so it was not inserted.

    I have the server error logs and more running last 2 days but not sure what to look for to help see if something is going on.

    Question is, is this Viagra thing a one off and after installing exploit blocker and other things I’ve mentioned (including godaddy server upgrade and wordpress latest release) it won’t happen again?

    On saying that google have the site listed as “This site may be compromised.” but webmaster tools saying it’s clean (could my excessive scanning e.t.c on server today caused that) ??

    Can anyone help?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    None of the extra security you added will help eliminate pre-existing malicious code. By some miracle, the WP upgrade could have overwritten a hacked file, but it’s nothing to rely on. The only sure way to eliminate malicious code is to wipe everything and restore from backup.

    Manually cleaning a hacked site is a gamble at best. You can never be sure you weeded out every bit of malicious code. It does sound like you may have successfully cleaned out your site, the drug references could be a residual effect from before you cleaned the site. You could wait and see how things go, but if you want to be sure right now, restore from backup.

    As for the google tagging your site as compromised, I believe you need to request a review to get it removed, check their docs for the actual policy on this. The tag is probably also a residual from the hack. I may be paranoid, but I would be reluctant to request a review until I was sure the site is clean. I would fear getting a more severe designation if they turned up malicious code in a review. You’ll need to decide for yourself how sure you are the site is clean.

    Thread Starter grenocide

    (@grenocide)

    Thanks for reply bcworkz

    I’m crossing fingers your right and going to monitor the sites for a few days. I looked in the database and searched for common backdoor strings but nothing came up.

    Also can’t see any added or changed files in the wordpress folders.

    Unless… can somewhere else on the server be effecting the website? There are 8 other wordpress sites on my server, but again nothing obvious standing out (although I’ve not had a chance to check each folder or the databases)

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Is this base64 or something else?’ is closed to new replies.

Tags