• https://www.maryse-ouellet.com

    My site says reported attack. Google’s saying there’s

    Of the 3 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-08-14, and the last time suspicious content was found on this site was on 2011-08-14.

    Malicious software includes 3 scripting exploit(s), 2 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

    Malicious software is hosted on 2 domain(s), including orjnfj.com/, numudozaf.com/.

    1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including numudozaf.com/.

    This site was hosted on 1 network(s) including AS36351 (SOFTLAYER).

    I’m not sure if it’s because of WP but I saw something online saying it could be and I’m not sure what to do. I don’t want to lose my site.

Viewing 7 replies - 16 through 22 (of 22 total)
  • Thread Starter Amada

    (@amada)

    Eisd, thank you for your response, I did send you an email, and thank you for all of your help, pinkgothic. I have still not been able to solve this problem, so hopefully soon. I am so upset; this is awful.

    It appears pinkgothic may be right and this isn’t a brute force but rather a decryption of saved FTP passwords.

    We just finished cleaning an entire server. Here are the steps:

    1) Change all your FTP passwords. Configure your FTP client to not save passwords. Write your passwords down instead or store them in a secure place. Use a strong random password generator. Your passwords should look something like: !@$(*cxz0

    2) If you have a Linux server and have SSH access, you can use the following command to locate all infected files:

    grep -nslPR "<script>[A-Za-z]\w+=" *

    It will search all subfolders as well. It will run incredibly slow, but it will find the exact infected files so you can clean them up.

    I wouldn’t run SSH from a possibly infected computer though.

    The command I gave is a search only. You can also try an automated find/replace:

    https://refactormycode.com/codes/1600-find-and-replace

    In order to use the above find/replace command, you should have a strong grasp of regular expressions (in which case, you should know not to use regex for HTML parsing). I chose to manually replace because if it detected the wrong scripts, I would be in trouble.

    If you need a more specific search (in the event you have safe JS code that starts off with an inconvenient implicit global):

    grep -nslPR "<script>(ti|wa)=" *

    3) Have your host ban the IP address I listed above. Check your FTP and SSH logs for suspicious activity from unrecognized IP addresses. Ban those IPs.

    4) Finally, once everything is clean, use Google Webmaster Tools to request a review of your website to remove the malware warning from Google Search and Google Chrome.

    I have this virus on three different servers on 10 different sites. I searched for:
    index.php, index.html, home.php, home.html, default.php, default.html, auth.php, auth.html & every page has the code snippet. I delete the virus, and 24 hrs later the virus is back again. I have TMDHosting, GoDaddy, & DreamHost. I don’t have access to SSH; is there any other automated way of searching for the scripts with PHP? I’ve been searching with the regex search in my cPanel for file names, but unfortunately it doesn’t search the contents of the files.

    -ALbert

    @montoyamedia: the virus isn’t the code snippet, though it propagates that way; it’s an infection on someone’s computer. So, the first thing you should do is check yourself for malware, make sure you’re clean; when you’ve confirmed that, change your FTP password(s). Then clean out the infected files.

    As for how to do it, you can write yourself a PHP script that’ll remove that particular <script>. Anything that descends through your directory structure and opens every applicable file will do, for example: https://beaver6813.com/2010/04/php-search-and-replace-directory-recursively/ (Note: I haven’t tested this, I can’t vouch for it, but note it only touches .php files; you’ll want to adjust if(substr_count($sub,'.php') to be something like if (in_array($sub, $files)) or comparable, with $files populated at the start of the script like:

    $bases = array('index', 'home', 'default', 'auth', 'showthread');
    $extensions = array('html', 'php', 'php5');
    $files = array();
    foreach ($bases as $base) {
      foreach ($extensions as $extension) {
        $files[] = $base . '.' . $extension;
      }
    }

    (Or just hardcode the array if you’d rather.)

    Make sure you test your script in a sandbox first. If you run into trouble, try a website like stackoverflow for generic programming help.
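    The two techniques discussed in this thread, the grep search for files carrying an injected `<script>xx=` element and the search-and-replace restricted to the known landing-page filenames, put together as one added shell script. This is example code written for this page, not something posted in the thread or shipped by WordPress, and it works on a constructed sample tree (every file and payload in `make_sample_site` is made up for the demo). It uses POSIX ERE (`grep -E` / `sed -E`) in place of `grep -P`, and `-r` rather than `-R`, so it runs without PCRE and does not follow symlinks; the names `BROAD`, `NARROW`, `LANDING`, `EXTS` and the functions are this example's own. The removal step assumes the injected element sits on one line and contains no `<` before its closing tag; that assumption is marked in the code and is why a backup copy of every rewritten file is kept.

```shell
#!/bin/sh
# Added example, not code from this thread. It replays the thread's two steps on a
# constructed sample tree: locate files carrying an injected "<script>xx=" element
# (the grep search), then strip that element only from the known landing-page
# filenames (the scoped search-and-replace). POSIX ERE (grep -E / sed -E) stands in
# for grep -P, and -r is used instead of -R, so it runs without PCRE and does not
# follow symlinks.

# ERE equivalent of the thread's <script>[A-Za-z]\w+=  (\w has no ERE spelling)
BROAD='<script>[A-Za-z][A-Za-z0-9_]+='
# the tighter pattern from the thread for the two implicit globals actually seen
NARROW='<script>(ti|wa)='

# Landing-page names listed in the thread; only files with these names are rewritten.
LANDING='index home default auth showthread'
EXTS='html php php5'

# Build a constructed sample site under $1. Every payload here is made up for the demo.
make_sample_site() {
  root="$1"
  mkdir -p "$root/blog/wp-content" "$root/shop"
  # two "infected" landing pages: the injected element is appended after normal markup
  printf '%s\n' '<html><body>Hello</body></html>' \
    '<script>ti=1;document.write("constructed payload");</script>' > "$root/index.html"
  printf '%s\n' '<?php echo "ok"; ?>' \
    '<script>wa=2;document.write("constructed payload");</script>' > "$root/blog/auth.php"
  # legitimate page whose inline JS starts with an implicit global: the BROAD pattern
  # flags it, the NARROW one does not, which is the false positive the thread warns about
  printf '%s\n' '<html><script>counter=0;function tick(){counter++;}</script></html>' \
    > "$root/shop/stats.html"
  # clean, non-landing file that must never be touched
  printf '%s\n' '<?php /* theme helper */ ?>' > "$root/blog/wp-content/functions.php"
}

# Print the paths (relative to $1, sorted) of every file matching ERE $2.
find_infected() {
  ( cd "$1" && grep -lErs -e "$2" . | sort )
}

# True when $1's basename is one of the landing-page names above.
is_landing_file() {
  name=$(basename "$1")
  for b in $LANDING; do
    for e in $EXTS; do
      [ "$name" = "$b.$e" ] && return 0
    done
  done
  return 1
}

# Remove the injected element from infected landing files under $1 and print how many
# files were rewritten. Originals are copied to "$1-backup" first. Assumption (labelled):
# the injected <script>...</script> sits on one line and contains no '<' before its
# closing tag, so "$2[^<]*</script>" spans exactly the injected element.
clean_site() {
  root="$1"; pattern="$2"
  find_infected "$root" "$pattern" | {
    n=0
    while IFS= read -r f; do
      path="$root/${f#./}"
      is_landing_file "$path" || continue
      bak="$root-backup/${f#./}"
      mkdir -p "$(dirname "$bak")"
      cp "$path" "$bak"
      sed -E "s#${pattern}[^<]*</script>##g" "$bak" > "$path"
      n=$((n + 1))
    done
    echo "$n"
  }
}

# Stand-alone run: build the sample, show what each pattern flags, clean with NARROW.
site=$(mktemp -d)
make_sample_site "$site"
echo "broad pattern flags:";  find_infected "$site" "$BROAD"
echo "narrow pattern flags:"; find_infected "$site" "$NARROW"
echo "rewritten: $(clean_site "$site" "$NARROW")"
echo "still flagged by broad pattern:"; find_infected "$site" "$BROAD"
```

    Two safeguards keep the rewrite from touching legitimate code: the narrow pattern, so a page whose own inline JS starts with an implicit global is not matched, and the filename allowlist, so even a broad-pattern hit outside the landing pages is only reported, never edited. Run the broad search first to see everything that looks suspicious, then clean with the narrow pattern and compare the two listings.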

    Thank you Pinkgothic!

    I appreciate all your words of advice. I will make sure to do a virus scan, and to think I thought I was safe because I had a Mac.

    -Albert

    @montoyamedia: one question.
    On your three different servers with 10 different sites, do all of them have FTP installed, or do all of them have WordPress installed? I just want to figure out what the root cause of this attack is. Is the FTP password stolen? Or WordPress bugs? Or some malware sniffing your local network traffic & capturing your FTP passwords?

    The last 5 days my site has been hacked, removing my index file. I went in and checked all files, removing some that had an edit date of 8/14/11. It appears they got in through either an FTP attack or through a vulnerability within a plugin. I added a security plugin and will see if this works. Funny, I got an email saying that WP locked out an IP address at 2:30am because of unsuccessful attempts. Maybe I have them out of my site. I understand there is a file called TimThumb and it has vulnerabilities. There is a new 2.0 version that corrects the issue.

  • The topic ‘My site says reported attack’ is closed to new replies.