redleg-too
Forum Replies Created
-
Forum: Fixing WordPress
In reply to: My site appears to contain malware?This link will open the URL https:// blog . craigstyle . com/ in a tool that will list out the code returned by the request
https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fblog.craigstyle.com%2F&ref_sel=Google&ua_sel=ff
The block of script locate after the </html> tag is malicious.
Forum: Fixing WordPress
In reply to: Blacklisted / Post contains a suspected malware URLSorry, Just realized that is the wrong link should be
Forum: Fixing WordPress
In reply to: Blacklisted / Post contains a suspected malware URLUse this on-line tool to take a look at the code being returned by a request for your homepage
scroll down to about line 638: The block of script that starts out
func?tion n36e75bf28(v15b5f3c8173a732,p820787a9028,c...........That block of code is malicious
Forum: Fixing WordPress
In reply to: Malware on wordpress siteIf you can’t find the line of code as it is appearing in your pages then the hackers are likely using some obfuscated php code to write the line if code into your files. A line of code that starts out
eval(base64_decode(‘ then a long string of seemingly random characters.
Since it is getting inserted right after the </html> tag maybe in your footer??
Forum: Fixing WordPress
In reply to: WordPress Virus Redirects Links from Facebook & GoogleRedirects to aozpta .mrbonus . com are typically done using a b1t of obfuscated php code. The line of code will start out
eval(base64_decode(‘DQplcnJvcl9yZXBvcnRpbmcoMCk7DQ ……….
the string of seemingly random characters will be pretty long. Check your homepage, common files such as headers/footers, themes plugins and so on fro something like that.
Forum: Plugins
In reply to: Malware on wp site?? Unfortunately the page is hacked. There is a block of (somewhat) obfuscated script being inserted into the page. When I check the code being returned by a request for the page right after this line of code (which is a legitimate line)
<img src=”https:// ad . retargeter . com /seg?add=394782&t=2″ width=”1″ height=”1″ />
there is some script being inserted, the script starts with
<script type=’text/javascript’>var fsiwuk= “Eri”
+””+”da”+””+
“hat”+”e” +””+ “s” ;var xzz1bpx3oI say somewhat obfuscated because most of the lines are like this
(“”+”src” ,””+”h”+””+””+ “t” +””+”tp”+””+”:/”+””+””+ “/w” +
They have broken up https:// by adding it togeter with +
From where it appears in the page it looks like possibly it is in your footer?? I suggest you start by checking there. It is alos possiblr the hackers would use some obfuscated php code to write the script, use something like
eval(base64_decode(‘ then a long string os seemingly random characters.
You can see the entire block of script as it is appearing in the page here
Typically with this hack there are 2 parts, the first is the conditional redirect and that is done in an Apache system file named .htaccess. The second part is to insert a block of script into your index files, usually all of them. There is a copy of the script in pastebin https://pastebin.com/j3jrsPrS for the script that gets inserted into the files and https://pastebin.com/iZggTndj for a copy of what gets inserted in the .htaccess file.
Forum: Fixing WordPress
In reply to: Blackhole Exploit Kit in my site, no clue about how to remove itThe code you have listed above is malicious.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header FileThanks very much!
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File@f0urfingeredfish, Would greatly appreciate it if you would post the code in pastebin!
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File@screenname Thanks!
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File@screenname, Thanks much for checking and confirming! There are 4-5 sites posting on Badware and 4-5 more on Google Forum and so far no one has been able to pin this one down. Would appreciate knowing the file names where you found the base64 stuff so I can pass then on in the other forums.
There are some on line tools to decode base64 lines, I have one at https://redleg-redleg.com/base64/
To use it you have to select the type of encoding using the radio buttons at the top and then paste the long character string into the box. If it is able to decode anything it returns the output as an image so it is reasonably safe to use.
Forum: Fixing WordPress
In reply to: Malware Script generated by WP_HEAD() in Header File@screenname, Would really appreciate it if you would post the malicious code sample to pastebin or maybe just take a quick look at this post on Stopbadware
https://badwarebusters.org/main/itemview/29055#itemblock-29059
and post back if the code is the same or at least similar.
Forum: Fixing WordPress
In reply to: Malware redirect hacks – specific question regarding vulnerabilitiesSorry to hear this is still happening, I know it must be very frustrating. The issue with GoDaddy and the .htaccess certainly kinda leaves you in limbo. As you have deleted everything there are not a lot of other possibilities. Here are a couple of more links on the Google form
https://www.google.com/support/forum/p/Webmasters/thread?tid=34a0198f8400bdae&hl=en
https://www.google.com/support/forum/p/Webmasters/thread?tid=61c2f6b272287c1a&hl=en
https://www.google.com/support/forum/p/Webmasters/thread?tid=703ea962ad70b07a&hl=en
The bottom line in all of them is basically the same. Maybe contact GoDaddy again, explain that you have deleted everything and requests still redirect, ans send them links to the threads.
Forum: Fixing WordPress
In reply to: Malware redirect hacks – specific question regarding vulnerabilitiesAs you are hosted on GoDaddy if you have not read through this thread
https://www.google.com/support/forum/p/Webmasters/thread?tid=5ed4ca0696a2e5ad&hl=en
probably should scan through it.