My site is now cleansed from this latest malware infection, but please only go there if you have Malware Protection active on your computer: InternationalChronicle.com (This is the 3rd time in 3 weeks that my site got these Malware Downloader infections.) The malware downloads when you go to the site. My AVG virus protection tells me this about it: Name of Malware: Exploit CrimeBoss Exploit Kit (Type 2238) 369solutions.com/.x/index.php?setup=d&r=498124
Also, what can I do to protect this site from this? Before this latest malware was injected, I had already taken these steps last week after several previous similar malware attacks:
1) Changed the FTP password.
2) I changed my own WordPress Admin password.
3) Changed the cPanel password.
3) There was one other human user for the site. I changed his password so that he can't log in anymore.
4) Last week I upgraded the site to the newest version of WordPress.
5) I ran Malwarebytes, Microsoft Security Essentials and AVG on my own computer (with their latest updates) to find and delete malware on my own computer. These 3 programs say my computer is clean.
What else can I do to secure my site from these malware injections? Thanks!
As you have already taken many precautions, what I see, and what I have experienced in the past, is that this might be an issue of exploited plugin code. I have faced this kind of issue on my domain as well earlier and found an exploited plugin issue. Kindly check the plugins you are using and the permissions of each plugin. Good luck.
Search for the point of entry, then remove any malicious backdoor code. Search for malicious code:
    grep -RPnDskip "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|popen|exec|eval|symlink|scandir) *\(" your/doc/root
Now you can find the point of entry (search log files etc). Some points of entry could be:
- Insecure web application (file includes & code injections etc). - Search for patches from the vendor.
- Weak ssh/ftp/database passwords.
- Insecure shared server. - Move to a VPS.
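Added example, not part of the original post: the grep above also matches legitimate calls in WordPress core (fopen, mkdir and so on), so this script ranks PHP files by number of matching lines, separately lists files that pass decoded data straight to eval, and lists PHP files sitting under uploads directories. The function names, the narrower `STRONG` pattern and the script name are assumptions; it uses `grep -E` rather than `-P` so it also runs where grep lacks PCRE support.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage for the grep shown above.
# Usage: ./triage.sh /path/to/docroot   (script name is hypothetical)

# Same function list as the thread's pattern, written for grep -E.
PATTERN='(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|popen|exec|eval|symlink|scandir) *\('
# Assumed narrower pattern: decoded data passed straight to eval.
STRONG='eval *\( *(base64_decode|gzinflate|str_rot13) *\('

# Print "matching-lines<TAB>file" for each PHP file with a hit, most first.
# Only *.php is scanned here; drop --include to cover every file type.
rank_hits() {
    grep -rEc --include='*.php' -D skip "$PATTERN" "$1" \
        | awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' \
        | sort -rn
}

# List PHP files that eval decoded data; review these first.
strong_hits() {
    grep -rlE --include='*.php' -D skip "$STRONG" "$1" | sort
}

# List PHP files under any uploads directory, which normally holds media only.
php_in_uploads() {
    find "$1" -type f -path '*/uploads/*' -name '*.php' | sort
}

# Run all three checks when a document root is given on the command line.
if [ "$#" -gt 0 ]; then
    echo "== matching lines per file =="; rank_hits "$1"
    echo "== eval of decoded data ==";    strong_hits "$1"
    echo "== PHP files in uploads ==";    php_in_uploads "$1"
fi
```

Compare anything these checks report against a fresh copy of the same WordPress, plugin or theme version before deleting it, since a hit by itself only marks a file for review.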
There is possibly a shell script inside your site too, which is commonly placed by hackers to get to your hosting once they have got access. Later on they use the same script to corrupt your site again and again. Slackersecurity also mentioned one way to detect those signature files. I agree with internetstormer that such a backdoor might be due to a plugin exploit. Your site needs a check to find the exact issue and fix it in such a way that it will not be hacked again. Please let me know if you want to hire me to fix those issues for you. Looking forward to hearing from you. Best, Aty
Sadly, most of the sites I've fixed in a similar situation were hacked due to outdated WordPress, outdated plugins or outdated themes installed. Hackers then take advantage of the situation by injecting their hacker back door scripts into numerous directories within the website. Suffice it to say, if you aren't checking your blog at least monthly and/or not keeping your blog updated weekly / monthly, it's likely you'll be re-hacked in future. Your best course of action is to first contact your host and get them to recover your website from backup. Once you have a clean copy in place, then run (don't walk) to make sure all your stuff is updated, all user/passwords changed, etc. In your case it sounds like you haven't found the back doors yet, so your sites will likely continue to be re-hacked until you do, I'm afraid. Best Wishes, Jim Walker, The Hack Repair Guy
The bigger issue now is ensuring that the server is still secure. Once a hacker gets a foothold, you have to question everything.
I am an expert in finding those backdoors in cases where the user has no clean backup available. I will provide support for 1) CMS like: Joomla, WordPress and Drupal 2) Ecommerce: Magento and OsCommerce 3) MVC: CakePHP. You can contact me on my Skype... Hope we will work together and I will provide fixes to your issues. Best, Aty
Does the problem still persist? Have you run a ClamAV scanner? Also, I would suggest you install a WordPress firewall.