
Malicious scripts installed on my site. How do I fix it?

Discussion in 'Blogging' started by Joline86, Apr 29, 2012.

  1. Joline86

    Joline86 Newbie

    A few months ago I was notified by my host (Justhost) that they were informed of a problem with one of my sites and they suspended that domain. Unfortunately at that time I had other things going on and could not fix it. I now want to get it fixed and my host has provided me with access to the site based on my IP address. They gave me a list of pages where they are detecting the malicious scripts, but I do not know where to begin addressing the problem. Initially it was one WP blog, but the list they just gave me references one of my other WP blogs as well. Is there a way I can edit the pages and delete just the script? Should I replace the entire page? Should I delete the blogs completely and start with a fresh install? I really do not have much experience in this area, but if anyone could give me some advice or point me in the right direction I would appreciate it. Thank you
     
  2. Danny1111

    Danny1111 Elite Member

    Just FTP to the site and delete the crap files causing the problem.

    Then have them rescan your sites to see what else you need to do.
     
  3. Joline86

    Joline86 Newbie

    Some of them are wp-conf.php files. If I just delete them won't that cause things to stop working?
     
  4. Danny1111

    Danny1111 Elite Member

    Well then, you need to get to work and fix those, and delete the others that tend to reside in the template files section.
     
  5. assphuck

    assphuck Senior Member

    Restore from a backup and run a vulnerability scan. Identify and fix problems. Also lock down admin with .htaccess restrictions. Good luck.
     
  6. oxonbeef

    oxonbeef BANNED

    Install this plugin
    Code:
    http://wordpress.org/extend/plugins/antivirus/
    And manually delete the lines of bad code.
     
  7. a_z_0_9

    a_z_0_9 Junior Member

    My 6-7 sites were infected on Justhost; it happened to me 6-7 times after fixing them. The first thing to do is disable anonymous FTP. I downloaded my files and used a search and replace tool to bulk edit all my files for malicious code, scanned them locally for viruses and deleted any plugin/file that was infected, deleted all spam folders in wp-content, and then deleted my files from the server and uploaded clean files. This is very important: I installed BulletProof Security and changed folder permissions as mentioned in that plugin, and my sites are safe now.
     
  8. TK421

    TK421 Junior Member

    The first thing to do is get a new host. Justhost have to be one of the worst hosts on the web.

    Clean the infected files which are most likely the template files and then reupload.

    If it's the wpconfig file you said, find a clean wpconfig file and replace it with that. Make a note of the database username and password and copy them into the new wpconfig file. Then it should work just fine.

    Seriously though, get rid of Justhost, they are terrible.


     
  9. Joline86

    Joline86 Newbie

    Thank you everyone for your help, and a special thank you to assphuck for making me chuckle at your screen name. :eek:
    @ a_z_0_9 - are you still with Justhost after getting hacked so many times?
    @ TK421 - do you have any recommendations for a better host? I don't remember why I went with them and really didn't know any better (I'm learning as I go). I need a host that is inexpensive (paying about $12 a month now), doesn't mind or doesn't pay attention to adult content, can easily change the A record for a website, and would make transferring to them quick and easy.

    Also, while attempting to fix all of this I realized in the list of affected pages it says

    PHP:
    public_html/mymainsite.com/wp-conf.php
    mymainsite.com (not the actual name) is not a WP blog. It is a white label store with the A record changed to point to my affiliate site. I don't know why it would even have a wp-conf.php file. There really shouldn't be any files associated with mymainsite.com in the file manager. The domain is hosted at Justhost but all of the content is controlled through my affiliate control panel on my affiliate site. Any idea on whether I can just delete that file without affecting mymainsite.com, which is still working fine at the moment? Thanks again!
     
    Last edited: Apr 29, 2012
  10. Joline86

    Joline86 Newbie

    Does anyone know how I can find these files? I have gone into my file manager and specified "show hidden files" but they do not seem to exist. This is the list I was provided:

    {HEX}php.cmdshell.rgod.324 : ./public_html/site1.com/wp-conf.php
    {HEX}base64.inject.unclassed.7 : ./public_html/index.php
    {HEX}php.cmdshell.rgod.324 : ./public_html/site2.com/wp-conf.php
    {HEX}php.cmdshell.rgod.324 : ./public_html/site3.com/wp-conf.php
    {HEX}php.exe.globals.373 : ./public_html/ff.php
    {MD5}base64.inject.unclassed.3519 : ./public_html/web_images/manager/images/gifimg.php
    {HEX}base64.inject.unclassed.7 : ./public_html/web_images/manager/images/image.php
    {MD5}base64.inject.unclassed.3519 : ./public_html/images/gifimg.php
    {HEX}base64.inject.unclassed.7 : ./public_html/images/image.php
    {MD5}exp.kernel.sendpage.872 : ./public_html/ext/wunderbar_emporium/wunderbar_emporium.sh
    {MD5}exp.linux.unclassed.1083 : ./public_html/ext/run.c
    {MD5}exp.linux.unclassed.1117 : ./public_html/ext/2009-proto_ops.tgz
    {MD5}exp.linux.unclassed.1117 : ./public_html/ext/exploit.c
    {HEX}gzbase64.inject.unclassed.14 : ./public_html/ext/1.php
    {MD5}exp.linux.unclassed.1109 : ./public_html/ext/run.sh
    {HEX}php.ircbot.sniper.458 : ./public_html/ext/sym4.php
    {HEX}perl.cmdshell.cbLorD.24 : ./public_html/ext/backdoor.pl
    {HEX}php.cmdshell.cih.210 : ./public_html/ext/se.php

    Sites 2 and 3 are not WP sites. Site 1 is and does have a wp-conf.php file, but I cannot find any of the other files. Any suggestions?
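
A scan list in the format posted above can be turned into a per-directory worklist that also records which of the listed files are actually present on disk. This is an added example, not part of the thread or the host's tooling; the bucket names in `KINDS`, reading the `{HEX}`/`{MD5}` prefix as the match type, and treating `./` as relative to the account's home directory (`root`) are assumptions.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample: a few lines in the same format as the host's report.
SAMPLE_REPORT = """\
{HEX}php.cmdshell.rgod.324 : ./public_html/site1.com/wp-conf.php
{HEX}base64.inject.unclassed.7 : ./public_html/index.php
{MD5}exp.linux.unclassed.1083 : ./public_html/ext/run.c
{HEX}php.ircbot.sniper.458 : ./public_html/ext/sym4.php
not a report line
"""

LINE_RE = re.compile(r"^\{(HEX|MD5)\}(\S+)\s+:\s+(\S.*)$")
# Assumed mapping from a signature-name component to a rough bucket.
KINDS = {"cmdshell": "web-shell", "inject": "injected-code", "ircbot": "bot"}

def classify(signature):
    """Bucket a signature such as 'php.cmdshell.rgod.324' by its name parts."""
    parts = signature.split(".")
    if parts[0] == "exp":
        return "local-exploit"
    return next((KINDS[p] for p in parts if p in KINDS), "other")

def parse_report(text):
    """Return one dict per recognised report line; other lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        match_type, signature, path = m.groups()
        hits.append({"match": match_type, "signature": signature,
                     "kind": classify(signature), "path": Path(path.strip())})
    return hits

def triage(hits, root):
    """Group hits by directory; flag whether each file exists under root."""
    by_dir = defaultdict(list)
    for h in hits:
        present = (Path(root) / h["path"]).is_file()
        by_dir[str(h["path"].parent)].append((h["path"].name, h["kind"], present))
    return dict(by_dir)

if __name__ == "__main__":
    report = triage(parse_report(SAMPLE_REPORT), ".")
    for directory, files in sorted(report.items()):
        print(directory, files)
```

An entry with `present` false means the file is not at that path under `root`, which is worth confirming with the host before requesting a rescan.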