
Site infected with malware - Please help, how to cleanup?

Discussion in 'Blogging' started by cpawinnerkz, Sep 15, 2013.

  1. cpawinnerkz

    cpawinnerkz Newbie

    Hi all,

    I've just scanned my blog with Sucuri and got a red flag that my blog is infected with malware. How do I clean it up? Thanks
     
  2. sn0rt

    sn0rt Elite Member

    I personally haven't heard of Sucuri. Have you tried VirusTotal?

    Try googling for what you're looking for, you'll probably get a quicker answer.
     
  3. kosher_12

    kosher_12 Newbie

    It would help if you could give more details about your site.

    Is it a custom-coded PHP website, or does it use a CMS like Joomla, Drupal or WordPress?

    Infected websites contain injected base64-encoded code, probably at the beginning of the PHP script.

    What I usually do when cleaning up these infected websites is download the whole site, then scan the files using Avast.

    Avast desktop anti-virus can detect malware-infected files, and I then manually remove the injected code from the individual files.

    If you are using a CMS, a quick fix is to update or re-install the CMS version you are using and manually clean the custom-coded PHP scripts.

    And/or you can contact your host to see if they can clean the files on your server... HostGator has anti-virus and they can also clean my clients' servers, saving me a lot of time and hassle.
     
  4. nichelinks

    nichelinks Junior Member

    I would advise you to follow the steps below to recover your website.

    1 Detecting (discovering) that you are hacked

    Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any strange titles or spammy results returned on your search. If you see Viagra, Cialis or any other flavor of medicine returned by Google on your search, you’re probably dealing with the Pharma Hack.

    2 Fixing Vulnerabilities

    · Make sure your WordPress install is up to date. If not, update it ASAP, even before you start cleaning up the malware.
    · Change your WordPress password (for all admin / editor accounts) and your FTP (or SSH) password.
    · Update all your plugins.

    3 Removing backdoors

    4 Cleaning up the file system

    5 Verifying it all

    Thanks
     
  5. DebtFreeMe

    DebtFreeMe Regular Member

    When this happened to me I had to go through and delete the crap by hand. Unfortunately I tried many different plugins to find the virus, and thought I had it cleaned up multiple times, but in the end it would come back and I ended up losing my adsense account.

    If you know when you were hacked, you can see if your hosting company can revert to a pre-hack backup.

    Good luck, I hate hackers....
     
  6. tnhomestead

    tnhomestead Regular Member

    Sucuri means he's running WordPress. Google what comes up, and see what it says. If you have a backup (and you should), delete the whole site, database and all, and reinstall it. That's the easiest and best way to ensure you're safe. I have gone so far as to get the hosting deleted and reinstalled to make sure there was nothing put into the levels above www.

    Don't forget, you could have been hacked in multiple ways, some of which include:
    Your host was hacked
    you used a free template/plugin that was infected
    your home computer could have a trojan etc on it
    Old version of plugins/themes
    bad password
    default wp install, ie keeping admin for a user name, leaving the db with a wp_ prefix, etc etc

    Each of those determines the best or easiest way to clean up.
     
  7. hackerzonline

    hackerzonline Newbie

    Can you post the Sucuri report to identify the level of malware? In most cases, it would be some JavaScript hidden inside the theme. In that case, you need to manually remove it. Posting your malware report would help us give specific advice. Thanks.
     
  8. taamitpoddar

    taamitpoddar Newbie

    I have gone through this a couple of times and got my sites running in 2-3 days.

    But I did simple things, like contacting my hosting provider (HostGator), and they scanned the site for viruses and fixed any issues.

    Then I contacted the sites which do the review, and that's all.

    Hope this will help
     
  9. hostmela

    hostmela BANNED BANNED

    Download all your files to your PC, then scan them with Kaspersky; the virus will definitely be detected. After that, re-upload your files, then notify Google. It's a simple step; I have done it the same way.
     
  10. kosher_12

    kosher_12 Newbie

    Just wanted to clarify that Sucuri has nothing to do with WordPress. Yes, there is a Sucuri plugin for WordPress, but that doesn't mean you can only scan WordPress websites with Sucuri. Sucuri is able to scan any type of website: ASP, HTML, PHP, etc.

    They have an online scanner where you only enter your domain name and they'll scan it, same as VirusTotal.
     
  11. 7thAmigo

    7thAmigo Jr. VIP Jr. VIP

    If you are not technical enough to clean the site, I suggest using Sucuri's paid services. $89.99 for one site / year or $289.99 for 10 sites / year will save you a lot of time.
     
  12. cpawinnerkz

    cpawinnerkz Newbie

    Thanks to all for the advice, I'll follow each piece of advice.

    Here is what I got after scanning via Sucuri. Yes, I just entered my domain name and got the status that my WP blog is infected with malware, and also got these details: "known javascript malware...."

    I made a screencast, but still cannot post URLs... :-(
     
  13. kosher_12

    kosher_12 Newbie

    You can do the things below to fix it up.
    Go to
    your-site/wp-admin/update-core.php

    - Update/re-install WordPress (that would clean any PHP files inside WordPress except the themes and plugins directories).
    - Get a clean copy of all the themes installed on your site and re-install them (or you can just delete all the themes and only leave the one you are using).
    - Get a clean copy of all the plugins installed on your site and re-install them (just delete all the plugins and install the ones you use one by one).

    If you are able to do all the things I mentioned properly, your WordPress installation would surely be free from malware.

    Now the thing left is the remaining directories on your host (if you have other directories/files outside WordPress), which you need to manually clean to stop them from infecting your WordPress files again.


    Code injected into PHP files looks like this:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb2..........................
     
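Added example (not code from any poster in this thread): a Python check for the `eval(base64_decode("...` pattern described above, meant to be run over a downloaded copy of the site so the files to clean by hand are listed with line numbers. The function names and the sample strings are constructed for illustration; the blob is decoded for inspection only and never executed.

```python
import base64
import re
from pathlib import Path

# eval( base64_decode( "..." ) ) with optional whitespace, either quote style.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""",
    re.IGNORECASE,
)

def scan_php_source(source):
    """Return one finding per eval(base64_decode(...)) call in the PHP source."""
    findings = []
    for m in INJECT_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        blob = "".join(m.group(2).split())
        try:
            # Decode for inspection only; the payload is never executed.
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
            preview = raw.decode("utf-8", "replace")[:60]
        except ValueError:
            preview = "<not valid base64>"
        findings.append({"line": line_no, "offset": m.start(), "preview": preview})
    return findings

def scan_tree(root):
    """Scan every .php file under a downloaded copy of the site."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples (not taken from any real infection).
PAYLOAD = base64.b64encode(b'echo "constructed sample";').decode()
INFECTED = '<?php /**/ eval(base64_decode("%s"));\n?>\n<?php get_header(); ?>\n' % PAYLOAD
CLEAN = "<?php\n// theme header\nget_header();\n"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for h in hits:
            print(f"{path}:{h['line']}: decodes to {h['preview']!r}")
```

A clean result from this check only rules out this one pattern; themes, plugins and directories outside WordPress still need the re-install and manual review described in the thread.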