• My website https://nmarketers.com was shown as a malware warning page in Google. Google’s SafeBrowsing shows links to best-virus-scanner5.com/, indianapolis-sales.com/ from my site.

    I have searched all the posts, comments pages and found no links to the above site.

    WordPress installation is upgraded to 2.8.4, so I don’t think there can be any issue there.

    WordPress Exploit Scanner shows no suspicious plugins, posts or comments.

    I got a detailed report from https://www.unmaskparasites.com/security-tools/find-hidden-links/site/?siteUrl=nmarketers.com. It’s showing some links which are not present on my site now (they were unapproved comments).

    Now please help me if I need to do some steps to diagnose the problem fast.

    Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    That’s cause you are still hacked.

    YOUR-URL/privacy.html
    YOUR-URL/pommo/user/process.php
    YOUR-URL/subscribe

    You get the idea. I used curl to pull those pages down.

    Those are “BAD-EVIL” pages and you need to delouse your website. Don’t forget to check the .htaccess file.

    See https://codex.www.ads-software.com/FAQ_My_site_was_hacked for what to do now steps.

    Good luck.

    It looks like the whole server is compromised. Not only your site, but every site on your server (500+).

    I’ve detected a malicious response that was similar to responses in this attack:
    https://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/

    Then I checked other sites on your server and found (via Google’s Safe Browsing database) that it was affected by the goscanpark attack.

    Most likely your hosting provider failed to notice the hack (it is very elusive) and the server is still infected.

    This doesn’t have anything to do with WordPress. This doesn’t have anything to do with your site. The only way to resolve the issue is have the server administrator (hosting provider) find and remove the backdoor script and terminate malicious processes that hijack Apache responses.

    Have your hosting provider read the article above. Especially the comments to that article, where other server admins share their knowledge about how they detected and stopped the attack.

    Thread Starter nmarketers

    (@nmarketers)

    Thanks. I have downloaded all the links from my website using Google Webtools and found the malicious attack is present in

    I checked for this page in Pages, Posts but couldn’t find it.

    Now how to fix this?

    Thread Starter nmarketers

    (@nmarketers)

    hi,

    How did you find more than 500+ sites are affected with the same?

    My webserver persons are not agreeing to the same.

    > How did you find more than 500+ sites are affected with the same?

    Because I’ve seen Google’s Safe Browsing diagnostic page for your site
    https://www.google.com/safebrowsing/diagnostic?site=www.nmarketers.com
    and I know the sort of attack those sites (mentioned on that page) are involved in. And I’ve detected a typical response once.
    Moreover, some other sites on your server had signs of the same attack in their diagnostic pages.

    I’ve been watching this attack since May and I know how hard it is to detect. And many server admins simply don’t believe this can happen. However, if you read the comments to that article, you’ll know that this is real.

    Basically, the sites themselves are not infected. But the Apache web server is hijacked and legitimate responses for any site can be replaced by malicious code.

    The attack only works when hackers activate it via a backdoor script and it can’t be easily detected. However, a site admin can find the backdoor script (check commands in the comments https://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/#comment-1820 )

    Here’s another proof I was right:

    This is yesterday’s comment to my article about the Beladen exploit (the previous incarnation of the same attack):
    https://blog.unmaskparasites.com/2009/06/18/beladen-elusive-web-server-exploit/#comment-3824

    It says that the server redirected users to indianapolis-sales .com and best-virus-scanner5 .com – exactly the sites that Google reports for your pages.

    So show it to your hosting provider, or move your site to another server.

  • The topic ‘nmarketers.com, WordPress 2.8.4, Malware Warning from Google’ is closed to new replies.