Possible Virus? Users are getting a pop-up porn message

Crud, now my site is simply forwarding to https://vuhoops.com/wp-admin/install.php

Yes, it’s compromised. If you have host access, I’d take it down immediately. Also, test it here. I did, and it shows malware in your javascript.

Do you have a backup you can restore from? A backup of both the files and the database. It’s often easier to “roll the clock back” to a clean copy of your site.

Also, good idea, for anyone else here, to NOT click on the link above or visit vuhoops.com

Thank you Fitting sites. I’m affraid I am way in over my head now. ??

You’ve been hacked. See:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Ok, so I’ve actually gone w/ a complete new installation and new db. and restored my posts.

But users are still reporting the issue. Any ideas at this point???

I hope that my activity from the past few years shows I’m not trying to draw people to my site to spread anything but simply to ask for help at this point.

There’s a solution, if some of your visitors are nerdy enough to do the test for you, you can find from where the call to the problematic content is coming.

I wrote this for my blog, I’ll copy-paste, just removing the name of my blog :

– first, open the blog and get the virus warning.

– then ask your browser to give you the source code of the website.

– then open your favorite text editor (not Word, a simple text manager, like Notepad or Notepad++ for MS-Winwows OSes), create a new text file, and paste inside it the code source you just obtained

– save that file as 1.html to a folder on your hard disk

– to make sure, open 1.html inside your browser : it should open a weird copy of the blog, and also trigger the virus warning

*** Now we’ll track which part of the source code calls for the virus ! ***

– with copy, cut and paste, create a new text file with the first half of the code of your 1.html file, and another new file with the second half of the code of 1.html. Save them as 2.html and 3.html

– Open 2.html in your browser, if it doesn’t trigger the virus warning, then it’s 3.html that should trigger it. If none of them triggers it, hit F5 with each of the pages a few times. You should find which of these two files will trigger the virus warning.

– And then again, you divide the culprit file in two halves (for instance 2a and 2b.html), and so on, and so on, until you have a very small html file responsible for the virus warning !

– ideally, that final virus-causing file should contain just a few lines of code, allowing to see precisely what item within the website is calling for a virus attack

the XMLPRC is yielding this if it helps…

XML-RPC server accepts POST requests only.<script src=”https://sweepstakesandcontestsinfo.com/js.php?s=1″></script&gt;

@vuhoops – The process of restoring from backup is complicated enough to require a fair amount of confidence and expertise, so if you are not technically-minded, don’t muck about; have someone help you with this.

I recommend you contact your hosting provider and asked them to roll you back to a date that is prior to being hacked. Mosts web host will do this for you (they may charge, but it’s worth it in this instance) so you don’t have to worry about being in over your head.

Bottom line: You need to fix this ASAP, and if you can’t do so right away, take the site down for maintenance. As we speak, your site is causing visitors computers to be open to god know what kinds of attacks.

I just wanted to thank everyone for their help and support. I was able to roll the site back, so I think we’re better.

Thanks again.

+1