
"The site ahead contains malware" error on my site

Discussion in 'BlackHat Lounge' started by howard_hughes, Dec 14, 2014.

  1. howard_hughes

    One of my WordPress sites is showing the error below. Any help?

    "The site ahead contains malware
    Attackers currently on soaksoak.ru might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards)."
     
  2. davids355

    I can take a look in a few hours if you PM me the WP login.
    But it's probably just some code that's been injected into the header.
    Need to find it, clean it, update WP and update your password, I would imagine.
     
  3. BassTrackerBoats

    That is why I don't go to any of your sites.
     
  4. Repulsor

    Did you manage to get it fixed? You need to go through all your files and remove every instance of the injected code.

    I have cleaned a good number of sites for my clients.
     
  5. bartosimpsonio

    Last malware I had on a WP blog fucked my database beyond recognition. I dumped the articles, installed WP again on a NEW server, and then restored the articles after cleaning them up.

    The f'n thing got into every system library and would come back later I don't know how, it wasn't just PHP, it got to the top of plain html pages so it was somewhere inside web server.

    Personally I think malware writers should be hanged by their balls.
     
  6. Nut-Nights

    Hackers and outdated themes, plugins always suck.
     
  7. howard_hughes

    I've a premium theme.. I don't think it's old but I'll double check.

     
  8. mktanny

  9. howard_hughes

    Not yet, but I discovered that it's not showing the same error when I access my site from my other PC.
     
  10. salakau

    I just got this fcking malware hitting on my site!
    Anyway, I found a solution already.

    For those affected by soaksoak.ru:
    Go download the latest WordPress from wordpress.org
    Open your File Client and log in to your site that's affected.
    /wp-includes/template-loader.php
    /wp-includes/js/swfobject.js

    Replace them with the files from the fresh installation.
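
A way to find which core files differ from a fresh download before replacing any of them, given as an added example that is not part of the original post. It assumes the fresh copy is the same WordPress version as the install; the sample trees it builds are constructed and `cache-tmp.php` is a made-up file name.

```python
import filecmp
import tempfile
from pathlib import Path


def compare_core(installed, fresh, core_dirs=("wp-includes", "wp-admin")):
    """Diff an install against a fresh copy of the same version, byte for byte."""
    installed, fresh = Path(installed), Path(fresh)
    report = {"modified": [], "missing": [], "extra": []}
    for ref in (p for p in fresh.rglob("*") if p.is_file()):
        rel = ref.relative_to(fresh)
        if rel.parts[0] == "wp-content":
            continue  # themes, plugins and uploads differ legitimately
        live = installed / rel
        if not live.is_file():
            report["missing"].append(rel.as_posix())
        elif not filecmp.cmp(live, ref, shallow=False):
            report["modified"].append(rel.as_posix())
    for name in core_dirs:  # files in core directories that the release never shipped
        for live in (installed / name).rglob("*"):
            rel = live.relative_to(installed)
            if live.is_file() and not (fresh / rel).is_file():
                report["extra"].append(rel.as_posix())
    return {kind: sorted(paths) for kind, paths in report.items()}


def build_sample(base):
    """Constructed stand-ins: (relative path, fresh content, installed content)."""
    rows = [
        ("wp-admin/update.php", "<?php // updater", "<?php // updater"),
        ("wp-admin/about.php", "<?php // about", None),
        ("wp-includes/template-loader.php", "<?php // loader", "<?php // loader\n// added"),
        ("wp-includes/js/swfobject.js", "/* swf */", "/* swf */\n/* added */"),
        ("wp-includes/cache-tmp.php", None, "<?php // not a core file"),
        ("wp-content/themes/demo/header.php", "<?php // stock", "<?php // customised"),
    ]
    for rel, fresh_text, live_text in rows:
        for side, text in (("fresh", fresh_text), ("installed", live_text)):
            if text is not None:
                target = Path(base, side, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)
    return Path(base, "installed"), Path(base, "fresh")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_core(*build_sample(tmp)))
```

Anything listed under "extra" needs a manual look, since replacing the modified files alone leaves it in place.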
     
  11. HelloInsomnia

    Even premium themes have vulnerabilities sometimes.

    Like David said, it's probably some injected code.

    You can scan the site with online scanners and sometimes they will give you an idea of what is going on.

    Also, download all the files in the website and use Notepad++ to find in files, then choose the directory your files are located in and search for: <iframe and base64_decode and eval

    Try and see which PHP files have been edited recently; this might give a good clue to where something went wrong.

    I'm no expert but that should be a good starting point for you.
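
The search described in this post, scripted over a downloaded copy of the site, as an added example that is not part of the original post. The regexes, the list of file types, the 14-day window and the sample files are assumptions of the example; the sample content is constructed and harmless.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Strings named in the post; the exact regexes and file types are this example's choice.
INDICATORS = {
    "iframe": re.compile(rb"<iframe", re.I),
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "eval": re.compile(rb"\beval\s*\(", re.I),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_site(root, recent_days=14, now=None):
    """List (relative path, indicators found, modified recently?), newest first."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    rows = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        data = path.read_bytes()
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
        mtime = path.stat().st_mtime
        if hits or mtime >= cutoff:
            rows.append((mtime, path.relative_to(root).as_posix(), hits, mtime >= cutoff))
    return [row[1:] for row in sorted(rows, reverse=True)]


def build_sample(root, now):
    """Write a constructed site copy: (relative path, content, age in days)."""
    files = [
        ("index.php", b"<?php require 'wp-blog-header.php';", 400),
        ("wp-config.php", b"<?php define('DB_NAME', 'example');", 1),
        ("wp-content/themes/demo/header.php", b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));", 2),
        ("wp-includes/js/swfobject.js", b"document.write('<iframe src=\"//example.invalid/\">');", 3),
    ]
    for rel, content, age_days in files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (now - age_days * 86400,) * 2)  # set atime and mtime


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, time.time())
        print(*scan_site(tmp), sep="\n")
```

A hit is a lead to review, not a verdict: legitimate plugins also call `eval` or `base64_decode`, and downloading over FTP can reset modification times unless the client preserves them.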
     
  12. domainingin

    That could be the solution, but mostly you will need to reinstall your website and then take care of the following:

    1) Keep WordPress updated and update your plugins and themes
    2) Delete all plugins and themes not used
    3) Change the prefix of your DB to wpsomething_ instead of wp_
    4) Don't use 'admin' for your ADMIN, instead something unusual
    5) Use good passwords
    6) Keep login.php safe, insert in .htaccess:
    <Files wp-login.php>
    Deny from all
    </Files>
    7) Keep your wp-config file one directory above your wordpress install
    8) Change permission of wp-config and .htaccess to 444
    9) Have a look on wp-settings.php in main directory which should not be larger than 11kB
    10) Check also update.php in /admin/, which should not be larger than 10kB.
    11) Use following plugins: Ultimate Security Checker, WordPress File Monitor Plus, Wordpress Firewall 2

    Then you should be safe!

    Hope that helps
    Cheers
    Dan
     
  13. abhi007

    I will keep those in mind :)
     
  14. HelloInsomnia

    Very nice. I just have one thing to add: change your nicename in the WordPress DB, because even if you change your username from admin, if you post using that name the actual username (not the nickname) will show up in the source code.
     
  15. seoguy99

    I had this same issue earlier. Here is what I did:
    I contacted my hosting company and told them that someone had hacked their server and injected some malicious code into my WordPress site. I requested them to clean the files.
    They found some bad code in my HEADER FILE and removed it. After some days, the site issue was CURED!
    I don't know if your hosting company will do that... Good luck!
     
  16. Prayerrr

    Still can't fix it. Got the same error and did what Salakau said; it replaced the soaksoak name with my website name in the message with the malware warnings.
    Any help or solution?
     
  17. ShadeDream

    If you use a shared IP, sometimes the IP can get flagged because of someone else's site and therefore affect yours too.
     
  18. bartosimpsonio

    Someone else mentioned changing your username, I just remembered one more thing:

    Never reuse the same WP account for multiple blogs on one database server. The damn thing can then infect all other WP blogs as well.

    One DB password per WP blog. If you have many, then find a way to manage them securely.
     
  19. ouchthathurts

  20. mahan_eesh

    I just read it now and checked mine.. My sites safe :)