BenSucuri
Forum Replies Created
Hmm I forgot to ask, is retailandrestaurant your website, or is that image being grabbed from another domain? If the latter, you can just host that image on your server instead of loading it from an external site.
Oh I see. That WordFence flag is being generated because your website is blacklisted by Google. The image itself is fine, there’s no exif data or script code in it from what I see here.
Once the infection is removed from your website and blacklist removal request submitted to Google, that will fix the WordFence warning. But it seems there are much bigger issues here, unless you’ve already removed the malware.
SiteCheck doesn’t seem to be flagging the malware itself:
https://sitecheck.sucuri.net/results/www.retailandrestaurant.co.za
So it’s hard to say what the root of the problem is. I’d suggest taking a look here and follow this guide:
Also, if you head over to https://archive.org/web/ you might be able to find old, cached versions of the images before the hack occurred.
What is the warning generated from WordFence, can you supply a sample?
It’s not uncommon for attackers to insert backdoors into images. Usually in the form of EXIF data which can be removed without hurting the source of the image.
I think this link should help:
https://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/
Forum: Fixing WordPress
In reply to: Malware redirect eradication
Sounds like the malware is probably located in your .htaccess file (that tends to be where those mobile-only .ru redirects hide)
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Potential threats
Try scanning your site with https://sitecheck.sucuri.net and see if it finds anything.
What does the WordFence scan report? Which files are suspected malware?
Forum: Fixing WordPress
In reply to: Site hacked, please help!
I’m afraid that your site is infected with bogus jquery malware:
https://sitecheck.sucuri.net/results/3moonscoffee.com
There’s a blog article about this malware here:
https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html
It’s almost always hidden in the theme header.php files so you should be able to remove it from there (that article has the code posted so you can recognize it when you see it) and that should remove the redirects.
Just removing the header.php injection probably won’t suffice though as there are probably some backdoors uploaded to the website so the attackers can maintain access.
Also, this malware is notorious for very aggressive cross contamination, so if you have any other websites hosted in the same account (subdomains, etc) then they are likely pwned as well.
Forum: Fixing WordPress
In reply to: WordPress website keeps getting hacked
W00t! Awesome to hear.
Forum: Fixing WordPress
In reply to: WordPress website keeps getting hacked
Make sure to get that wp-mobile-detector plugin updated as soon as possible, as that seems like a likely attack vector:
Forum: Plugins
In reply to: HAcked by IDBTE4M please help
They probably replaced your website’s index.php file with their own. Try replacing it with the default WordPress index.php. If it’s not there, also try your theme’s index.php file; the content may be in there.
If it’s just the title, you should be able to change that back in wp-admin settings.
You can work yourself through these steps:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
Main problem will be preventing them from accessing your site going forward. They may have placed some backdoors on the site or perhaps a bogus wp-admin administrator user so be sure to check for those.
https://blog.sucuri.net/2011/09/ask-sucuri-what-about-the-backdoors.html
Forum: Plugins
In reply to: WordPress Blog Infected With Malware – Malware.fake_jquery.001
@24eagle1989 the malicious code could be in a few different places, but it’s common to find this infection within theme files. Try uploading a fresh copy of your theme and see if that helps. Be sure to flush any cache you are using on the site before rescanning with Sitecheck.
Forum: Plugins
In reply to: Getting redirected to an ad page
Glad to hear you were able to find a solution.
Forum: Fixing WordPress
In reply to: Site was hacked, now no content
Looks like your site is up and running, although it looks a bit different from the archived version of the site.
Did you end up rebuilding or did you find what was causing the white screen of death?
Forum: Fixing WordPress
In reply to: My files were hacked and Encrypted
I’m afraid that your website has been attacked by ransomware.
The best thing to do would be to restore a recent backup, update all your software and change your passwords. If you’re not sure whether or not you have backups I’d recommend contacting your hosting provider.
If you don’t have any backups there is a chance that you might be able to decrypt those files, but it’s not an easy task. Here is some relevant info:
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
https://vms.drweb.com/virus/?i=7704004&lng=en
If you don’t have a backup or are able to decrypt those files then I’m afraid there’s not much that can be done.
Forum: Plugins
In reply to: How to know if a virus is serious or not?
I’m a bit late to the party here but (if you’ve not already found a solution) would you be able to provide more information? What are some examples of files / warnings you are getting?
What software/service are you using that is showing you these warnings?
Any other weird behavior the site is exhibiting? Is it redirecting visitors to other places?
Sitecheck tool doesn’t seem to be flagging anything:
https://sitecheck.sucuri.net/results/www.mamalovesparis.com/