Please Help, Malware Got Onto My Site AGAIN

Discussion in 'Security' started by WebmasterPost.com, Oct 5, 2012.

  1. #1
    My site is now cleansed from this latest malware infection, but please only go there if you have Malware Protection Active on your computer: InternationalChronicle.com (This is the 3rd time in 3 weeks that my site got these Malware Downloader infections)
    The malware downloads when you go to the site. My AVG virus protection tells me this about it:

    Name of Malware:
    Exploit CrimeBoss Exploit Kit (Type 2238)
    369solutions.com/.x/index.php?setup=d&r=498124

    Also, what can I do to protect this site from this?
    Before this latest malware was injected, I had already taken these steps last week after several previous similar Malware attacks:
    1) Changed the FTP password.
    2) I changed my own WordPress Admin password
    3) Changed the Cpanel Password.
    3) There was one other human user for the site. I changed his password so that he can't log in anymore.
    4) Last week I upgraded the site to the newest version of wordpress.
    5) I ran Malwarebytes, Microsoft Security Essentials and AVG on my own computer (with their latest updates) to find and delete malware on my own computer. These 3 programs say my computer is clean.

    What else can I do to secure my site from these Malware injections?
    Thanks!
    Last edited: Oct 5, 2012
    WebmasterPost.com, Oct 5, 2012 IP
  2. internetstromer

    #2
    As you have taken many precautions, what I see, and what I have experienced in the past, is that this might be an issue of exploited plugin code.

    I have faced this kind of issue on my domain as well earlier and found an exploited plugin issue.

    Kindly check the plugins you are using and the permissions of each plugin.

    Good luck..
     
    internetstromer, Oct 5, 2012 IP
  3. slackersecurity

    #3
    Search for the point of entry then remove any malicious backdoor code.

    Search for malicious code.
    
    Code (markup):
    grep -RPnDskip "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|popen|exec|eval|symlink|scandir) *\(" your/doc/root

    Now you can find the point of entry (search log files etc).

    Some points of entry could be:

    Insecure web application (file includes & code injections etc.). - Search for patches from the vendor.
    Weak ssh/ftp/database passwords.
    Insecure shared server. - Move to a vps ;)
     
    slackersecurity, Oct 6, 2012 IP
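
    The search-then-check-logs procedure from post #3, as an added example that is not part of the original thread: it lists PHP files that call a high-signal subset of the posted function list, flags PHP files sitting in an uploads directory, and then pulls from the access log every other POST sent by the clients that requested a flagged file. The docroot layout, the plugin name `gallery`, the IP addresses and the log lines are constructed sample data, and the log is assumed to be in Apache combined format.

```shell
#!/bin/sh
# Added example. Paths, file names and log lines are constructed sample data.

# PHP files calling a high-signal subset of the post's function list.
suspect_files() {   # $1 = document root
  grep -RlE --include='*.php' \
    '(passthru|shell_exec|system|popen|exec|eval|base64_decode) *\(' "$1" | sort
}

# PHP files inside an uploads directory, which should hold media only.
php_in_uploads() {  # $1 = document root
  find "$1" -type f -path '*/uploads/*' -name '*.php' | sort
}

# Clients that requested a suspect URL path, then every POST those clients
# sent to other paths: the request that planted the file is often among them.
entry_candidates() {  # $1 = combined-format access log, $2 = URL path
  awk -v p="$2" '
    { u = $7; sub(/\?.*/, "", u) }            # request path without query
    NR == FNR { if (u == p) seen[$1] = 1; next }
    ($1 in seen) && $6 == "\"POST" && u != p { print $1, $4, u }
  ' "$1" "$1"
}

# Build a constructed docroot and access log to run the functions against.
make_sample() {     # $1 = working directory
  mkdir -p "$1/site/wp-content/uploads/2012" "$1/site/wp-content/plugins/gallery"
  echo '<?php echo "hello"; ?>' > "$1/site/index.php"
  echo '<?php move_uploaded_file($a, $b); ?>' > "$1/site/wp-content/plugins/gallery/upload.php"
  echo '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' > "$1/site/wp-content/uploads/2012/img.php"
  cat > "$1/access.log" <<'EOF'
198.51.100.7 - - [04/Oct/2012:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "-"
203.0.113.9 - - [04/Oct/2012:09:14:22 +0000] "POST /wp-content/plugins/gallery/upload.php HTTP/1.1" 200 31 "-" "-"
203.0.113.9 - - [04/Oct/2012:09:14:40 +0000] "POST /wp-content/uploads/2012/img.php?c=1 HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [04/Oct/2012:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
EOF
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_sample "$d"
  suspect_files "$d/site"
  php_in_uploads "$d/site"
  entry_candidates "$d/access.log" /wp-content/uploads/2012/img.php
  rm -rf "$d"
fi
```

    Run it with `--demo` to see the output on the sample data; on a real site, pass the document root and the host's access log to the three functions instead.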
  4. WebmasterPost.com

    #4
    Thanks for your advice, InternetStromer and SlackerSecurity!
     
    WebmasterPost.com, Oct 8, 2012 IP
  5. aty24x7

    #5
    There is possibly a shell script inside your site too, which is commonly placed by hackers to get to your hosting once they have gained access. Later on they use the same script to corrupt your site again and again.

    Slackersecurity also mentioned one way to detect those signature files.

    I agree with internetstromer that this sort of backdoor might be due to a plugin exploit.

    Your site needs a check to find the exact issue and fix it in such a way that it will not be hacked again.

    Please let me know if you want to hire me to fix those issues for you.

    Looking forward to hearing from you.

    Best
    Aty
     
    aty24x7, Oct 10, 2012 IP
  6. hackrepair

    #6
    Sadly, most of the sites I've fixed in this kind of situation were hacked due to outdated WordPress, plugins or themes installed. Hackers then take advantage of the situation by injecting their hacker back door scripts into numerous directories within the website. Suffice it to say, if you aren't checking your blog at least monthly and/or not keeping your blog updated weekly / monthly, it's likely you'll be re-hacked in the future.

    Your best course of action is to first contact your host and get them to recover your website from backup. Once you have a clean copy in place, then run (don't walk) to make sure all your stuff is updated, all user/passwords changed, etc.

    In your case it sounds like you haven't found the back doors yet, so your sites will likely continue to be re-hacked until you do so, I'm afraid.

    Best Wishes,
    Jim Walker, The Hack Repair Guy
     
    hackrepair, Oct 10, 2012 IP
  7. SolidShellSecurity

    #7
    The bigger issue now is ensuring that the server is still secure. Once a hacker gets a foothold in you have to question everything.
     
    SolidShellSecurity, Oct 10, 2012 IP
  8. aty24x7

    #8
    I am an expert in finding those backdoors in cases where the user has no clean backup available. I will provide support for:

    1) CMS like: Joomla, WordPress and Drupal
    2) Ecommerce: Magento and osCommerce
    3) MVC: CakePHP

    You can contact me on my Skype... Hope we will work together and I will provide fixes to your issues.

    Best
    Aty
     
    aty24x7, Oct 11, 2012 IP
  9. webmaster1189

    #9
    Does the problem still persist? Have you run a ClamAV scanner? Also, I would suggest that you install a WordPress firewall.
     
    webmaster1189, Oct 13, 2012 IP
  10. hostechsupport

    #10
    You can also scan your server using maldet. I have used it and it worked great for me.
     
    hostechsupport, Nov 7, 2012 IP