UseShots
Forum Replies Created
Forum: Fixing WordPress
In reply to: Files being added to one of my sites
Hi,
Do you have raw access logs for the last couple of days? Log analysis usually helps reveal backdoors.
If you are not comfortable with analyzing raw logs you might want to contact me https://www.UnmaskParasites.com/contact/
Forum: Fixing WordPress
In reply to: HELP PLEASE! malware ruining my life
@rxdlr: I see this malware on many sites.
The malicious code is usually at the very top of the index.php file.
By the way, is the “you need to pay for this crypt” still there? Do you see it in the index.php?
The malicious code is usually injected by backdoors. On WordPress sites it pretends to be a plugin. Please check if you have the following “plugin” /ToolsPack/ToolsPack.php ?
Forum: Fixing WordPress
In reply to: Dealing with exploit related issues
That PHP code seems to inject spammy links from “genshop .org” into web pages.
It doesn’t have anything to do with the “press.js”.
In my experience, there should be some backdoor script on your site that hackers use for their attack. Check raw access logs for suspicious POST requests.
There can also be some spammy rogue pages (I’ve seen this on other sites that pull spammy links from “genshop .org”).
Could you share any additional information you might have? I’m especially interested in the “press.js” code and other suspicious files.
You can contact me here: https://www.unmaskparasites.com/contact/
Hi,
How can Google know that you no longer want those old pages to be indexed? The sitemap is only used for new URL discovery, not to remove nonexistent URLs.
There are probably still some external links to those old URLs and Google still tries to index them. If they return the “404 Page not Found” errors, they will eventually be removed from the index. Not immediately though (what if you temporarily removed them?).
You can expedite the removal process though:
1. Create 301 redirects from old URLs to new URLs. So that Google knows that the pages have permanently moved to new URLs and at the same time all external URLs will still work correctly.
https://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=93633
2. If you don’t care about external URLs and the “link juice” they pass to your site, you can simply use the URL removal tool in Webmaster Tools
https://www.google.com/support/webmasters/bin/answer.py?answer=164734
Forum: Fixing WordPress
In reply to: sh: /usr/local/bin/python
Hi,
Here’s a link to Sucuri’s post about this:
https://blog.sucuri.net/2011/07/python-no-such-file-or-directory-your-site-is-likely-compromised.html
In my experience, most such hacks involve backdoor scripts.
Make sure there are no suspicious files and there is no suspicious code in legitimate files. (Check themes, plugins and uploads directories).
You can also scan raw log files for suspicious POST requests – this way you may find the backdoor file.
Of course, changing all site passwords is a very good idea after such incidents.
Forum: Themes and Templates
In reply to: Theme decoding thread
This was an interesting obfuscation technique.
I gather, this site repackages someone else’s themes and adds their own links there? And they force you to sign up with scammy services to be able to download rogue themes? Nice!
Forum: Fixing WordPress
In reply to: XML parsing error
Thanks!
So there were 2828 requests to those deleted 51.php pages? Correct?
Interesting, how many “51.php?q=” pages has Google indexed on your site?
Forum: Fixing WordPress
In reply to: XML parsing error
I guess these stats include visits to legitimate pages?
It would be interesting to have stats for the malicious .php file only. It redirects real visitors so I doubt the WassUp plugin can account for them.
What does the “2828(5.7%) Spams” mean?
Forum: Fixing WordPress
In reply to: XML parsing error
Hi,
I’ve finally published the results of my investigation:
https://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/
The article contains detailed information on how the hack works and what exactly it does.
There are also some detection and clean-up instructions at the bottom of the article.
P.S. I still need some help from webmasters of affected sites. Specifically, stats on how many cached files you have in .log/<domainname> directories and how many visits from Google the malicious .php script has attracted (you can see this in raw access logs). Ballpark numbers are fine.
You can contact me here https://www.unmaskparasites.com/contact/
Thank you!
Forum: Fixing WordPress
In reply to: XML parsing error
@iciman:
Here are a few of my blog posts that show how malware steals passwords saved in FTP clients:
https://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
https://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/
https://blog.unmaskparasites.com/2011/04/13/unused-programs-real-threats/
You don’t have to work with sites. It’s enough that their credentials are saved somewhere on your computer (and malware knows where). So it only takes a few minutes to steal everything. So if you find malware on your computer you can safely assume that all your saved passwords have been compromised already (of course, if they are not protected with a master key, which many webmasters usually forget to do).
By the way, that .php script has a file upload function and I have proof that hackers use it to upload a web shell. (Check logs for requests with the &up100500 parameter)
P.S. If someone wants to help me with my investigation you can contact me at https://www.UnmaskParasites.com/contact/
I’m particularly interested in access log analysis. E.g. the number of requests to that nn.php script. Or the .htaccess code if the filename is not nn.php
Thanks
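One way to do the access-log triage asked for in these replies (suspicious POSTs to PHP files, requests carrying the &up100500 parameter, and a count of hits to the nn.php script and how many arrived from Google), as an added example that is not part of the original replies. The log lines are constructed, and the set of legitimate WordPress POST endpoints is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2011:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2011:10:01:40 +0000] "POST /wp-content/uploads/2011/04/nn.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [05/May/2011:10:02:03 +0000] "GET /wp-content/uploads/2011/04/nn.php?q=cheap+shoes HTTP/1.1" 200 9870 "http://images.google.com/imgres?q=shoes" "Mozilla/5.0"
203.0.113.7 - - [05/May/2011:10:03:55 +0000] "GET /wp-content/uploads/2011/04/nn.php?q=x&up100500=1 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.22 - - [05/May/2011:10:04:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/2011/04/post/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed list of legitimate WordPress endpoints that receive POSTs; a POST to any other .php file deserves a look.
KNOWN_POST_TARGETS = {"/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
                      "/wp-cron.php", "/wp-admin/admin-ajax.php"}


def parse_line(line):
    """Return a dict with ip, method, path, query, referer for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # a bare "&up100500" still counts
    return rec


def triage(log_text, script_name="nn.php"):
    """Flag backdoor-style POSTs, upload-parameter requests, and hits to the spam script."""
    findings = {"suspicious_posts": [], "upload_requests": [], "script_hits": 0, "google_referrals": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(".php") and rec["path"] not in KNOWN_POST_TARGETS:
            findings["suspicious_posts"].append((rec["ip"], rec["path"]))
        if "up100500" in rec["query"]:
            findings["upload_requests"].append((rec["ip"], rec["target"]))
        if rec["path"].endswith("/" + script_name):
            findings["script_hits"] += 1
            if "google." in rec["referer"]:
                findings["google_referrals"] += 1
    return findings
```

Feed it the raw access_log text for the period in question; the flagged IPs and paths are where to start looking for the backdoor file.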
Forum: Fixing WordPress
In reply to: Blog Hacked – Need Advice
Do you have a recent database backup?
Forum: Fixing WordPress
In reply to: XML parsing error
Hi,
I checked hundreds of infected sites (with nn.php scripts) and almost every one of them contained the “.log/<domain_name>” directory next to that script. The directory contains cached spammy pages and attack maintenance files (e.g. malicious scripts).
Can anyone who found such nn.php files on their site please contact me?
https://www.UnmaskParasites.com/contact/ (even if you’ve already removed them). I need some additional information.
Thanks for your help!
Forum: Fixing WordPress
In reply to: XML parsing error
Thanks @jbekker and @abdessamad Idrissi.
Did you notice the .log/ directory or some other directory whose name begins with the “.”?
Forum: Fixing WordPress
In reply to: XML parsing error
Hi,
Can anyone send me this 96.php (or whatever it is called on your server) file? I believe there may be some more files involved. You can contact me here:
https://www.UnmaskParasites.com/contact/
@jbekker: How do you know about the “win32/kryptik”? (I agree that password-stealing malware may be involved. I just want to know how you figured out it was “win32/kryptik”. Did you find it on the computers of webmasters?)
Forum: Fixing WordPress
In reply to: I've been hijacked
You should find out how those files got there. If you don’t close the security hole, your site will get reinfected again and again.