My site says reported attack

Do a scan: https://sitecheck.sucuri.net/scanner/

But it’s possible that your server or software have been compromised.

Sucuri
web site: https://www.maryse-ouellet.com
status: Site infected with malware
web trust: Site blacklisted.

Blacklisted javascript included on:
https://maryse-ouellet.com/
Javascript included from a blacklisted domain.
Details: https://sucuri.net/malware/entry/MW:BLK:2
Javascript: maryse-ouellet.com

That’s what it says, I’m not sure what that means.

List of javascripts included
https://fastwebcounter.com/secure.php?s=www.maryse-ouellet.com
https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
https://html5shiv.googlecode.com/svn/trunk/html5.js
https://connect.facebook.net/en_US/all.js#xfbml=1
https://platform.twitter.com/widgets.js
https://widgets.twimg.com/j/2/widget.js
https://st1.freeonlineusers.com/on3.php?id=650718

Those are my lists of Javascripts — I can’t even login to my WP, I’ll have to try to remove it through FTP if I can find out how

Amada, first, check your computer for malware, then, when you’re certain you’re clean, change your website passwords (especially FTP, this may be a variant of gumblar); then, in your FTP, check every folder and subfolder and sub-subfolder (and so on) of your site, for these files:

• index.html
• index.php5
• auth.php
• index.php
• home.php
• showthread.php

If you edit them, you’ll find that they’ve had a <script> injected into them; in the PHP/PHP5 files, it’ll be the last line(s), after the ?>; in the HTML files, it’ll be just before the closing </body> tag – remove those. Be thorough about it – it’s tedious work, but it pays off.

Ack, a kindgom for an edit button! I forgot to add (albeit kind of obvious): If you sort your files in your FTP by date, then you can find the infected files easier, they’ll have timestamps denoting a change today.

May I ask who your host is? The sites of a friend of mine were infected, all hosted by Gridstar, hence the enquiry. (It’s unlikely that has anything to do with it, but right now we’re still trying to figure out what exactly happened).

…kingdom^. I’ll just shoot myself now.

The edit button is under your ‘posted X ago’ and is available for 60 minutes from your post ??

My host is hostgator and like you mentioned, something happened because it wasn’t only my site on the server, it happened to others and the hosts are not particularly making it a priority. I will do what you said to do and see if I can help resolve it quicker. I appreciate your help very very much. Hopefully I can find this.

It looks as if someone was in the index pages as they all have 08/14 as the last date but I am not finding any scripts.

I will keep looking, thanks again, I hope this gets resolved, it is irritating and makes me upset.

Amada – Same to you. PLEASE don’t double post like that, you make our spam filter get worried.

My host is hostgator and like you mentioned, something happened because it wasn’t only my site on the server, it happened to others and the hosts are not particularly making it a priority.

Are you using TimThumb as a plugin or theme? There’s a known security hole with that.

Sorry…

And no I don’t have that as a plugin or theme.

@amada: Thanks for the heads-up with your host, it’s somewhat ‘soothing’ to know it’s not an issue of a specific host, even if that implies a bigger problem.

(I should probably add this doesn’t look like a WordPress vulnerability, either, this happened to sites without WordPress, also. Most of the ones my friend had weren’t WordPress; three of them didn’t even share a webspace with a WordPress installation. My money is still on a gumblar derivate.)

Amada,

We are having this problem too.

I can confirm it’s not a WordPress security hole. We have a dedicated server, and we don’t even run a hint of WordPress on our servers.

However, being that I actually know how to locate the source of security problems, I wasn’t going to just sit around and let support try and figure it out while our sales plummeted. So I just finished working with SoftLayer Live Support to determine the root cause of the problem.

It appears there is malware which is using a brute force attack via FTP to gain access to and modify your files.

We have multiple servers – all of which have very strong passwords and were attacked within the span of a single day. We checked the SSH logs and, fortunately, there was no SSH access. However, based on the FTP log activity, we were able to determine the type and nature of the attack.

Finally, we reach the IP address you’ll need to ban:

204.12.252.138

This was the IP address responsible for the script injections on our dedicated server. It may be some variant for your own server.

However, SoftLayer says I need clearance to get an IP banned.

I sent the live support chat log and how we were able to deduce the source of the problem to their ticketing system.

If you want to message me or discuss this further, send an email to [email protected]

That’s my junk email inbox, but I’ll reply with my real email address.

Cheers.

Guys, just so you know, there’s a thread on Google Webmaster Central’ “Malware & hacked sites” forum, too, in case someone wants to take a look at that.