
Hacked website? Blackhat SEO? Help??


23 replies to this topic

#1 therealtabby

therealtabby

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 15 March 2014 - 05:31 PM

I am completely at a loss -

I have three websites (www.hippieways.com) and (www.summerberryorganics.com).  I have a hosting account with Netfirms, and my sites are built in Wordpress and I've used the Customizr theme.

 

This all started when I googled my hippieways site (just for fun) and the little blue line that read "this site may be hacked" showed under my site.  I did the same thing for my summerberry site and sure enough - there's the "may be hacked" again. I went to the third site we have on my hosting account (the kid's site) www.loonielivestock.ca (note the .ca vs. .com) and there's no "...may be hacked".

 

So, I clicked on the link to see where it went and it took me to a google site that says I need to verify my sites and my ownership.  I immediately contacted my hosting company (whose support people are usually VERY good with idiots such as myself) and they in turn told me that I had been hacked and sent me back a support ticket showing a TON of code, which of course I don't understand. 

 

They were VERY happy to recommend a "website security" company that I could consult, but they wanted in excess of $700 to "scrub the sites" - that did not include "monitoring". 

 

Thus far, I have done nothing - not even posted to my blogs for fear of this thing.  I have, however, discovered that the Blackhat SEO "virus" only pops up on peoples computers that run the AVG anti-virus software.  A friend that knows a fair piece about computers has e-mailed AVG twice now, but to no avail.  Since my friend has personal issues to deal with at the moment, I don't want to be a PIA over this, so I'm asking here...my questions are as follows:

 

1.  How can my website be hacked?  I pay for backups with my hosting company, yet they say they were unable to find a "clean" back up.  

2.  What is the "google verification process" and should I attempt to follow their instructions to verify my sites?

3.  What is this "Blackhat SEO"?  And why does it only show up on OTHER computers if they run AVG?  I run Microsoft Security Essentials on MY OWN PC, and have scanned it using Housecall and BitDefender and NONE of them have shown that I have an infection of any sort. 

4.  Is it possible that the Customizr theme is the problem?  This has only come about since I changed themes.

5.  What can I do to get this sorted out?

6.  How can I prevent this from happening again?

 

Obviously, I know just enough about computers to get myself into a whole lot of trouble.  I actually understand VERY little about the behind the scenes workings of websites and so forth.

 

Any input, advice, or all out genius would be GREATLY appreciated!! 

Eternally grateful

Tabby

 

 

 

 

 




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 16 March 2014 - 09:10 AM

1. How can my website be hacked? I pay for backups with my hosting company, yet they say they were unable to find a "clean" back up.


Unfortunately security vulnerabilities are commonly found in web applications. If a security vulnerability was discovered for wordpress, for example, then a hacker could use that vulnerability to modify your install or install other files on your site. The only way to fix these issues is to update the affected application.

2. What is the "google verification process" and should I attempt to follow their instructions to verify my sites?


Google verification allows you to prove to google that you are indeed the owner of the site. This also gives you access to their Webmaster Tools, which provides details and data about your site. It also allows you to submit reconsideration requests when your site has been hacked or distributes malware.

3. What is this "Blackhat SEO"? And why does it only show up on OTHER computers if they run AVG? I run Microsoft Security Essentials on MY OWN PC, and have scanned it using Housecall and BitDefender and NONE of them have shown that I have an infection of any sort.


If it is what I think it is, it is a method for the hacker to use your site to increase rankings on particular keywords. If your site is hacked with a SEO tool, then it's most likely wordpress that was compromised. It is common to see these on Wordpress sites with vulnerabilities.

4. Is it possible that the Customizr theme is the problem? This has only come about since I changed themes.


No, most likely a vulnerability was discovered in your version of wordpress.

5. What can I do to get this sorted out?


Upgrade wordpress and find the inserted code and remove it.

6. How can I prevent this from happening again?


Join wordpress' mailing list so you know when new security updates/versions are available.

#3 therealtabby

therealtabby
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 16 March 2014 - 09:37 AM

I have rather an interesting assortment of goodies (in code...of course) from the support people at Netfirms.  Is there anyone that can talk me through fixing this?   As much as I think I'm smart enough to build my own sites...I am stymied by the code.

 

I've made a point of keeping wordpress up to date, so I'm not sure when any of this happened.  There was one day (when this was first discovered) that my sites were showing up with STRANGE stuff where there should have been text (viagra, cialis...etc.) but that seems to have disappeared. 

 

Should I go through the google process?  Or should I fix this first, THEN verify the site?

 

I am truly grateful for bleeping!!! 

Many thanks

Tabby



#4 MakeItBetter

MakeItBetter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:45 AM

Posted 16 March 2014 - 05:04 PM

1.  How can my website be hacked?  I pay for backups with my hosting company, yet they say they were unable to find a "clean" back up.  

 

...there are many, many ways your sites can be hacked.

...infections often occur far in the past before making a website an "attack" site (that is, with customer-facing evidence of infection)

 

2.  What is the "google verification process" and should I attempt to follow their instructions to verify my sites?

 

Google verification is a good thing to do, it generally requires you adding your site to Google WebMaster Tools...then they give you a file to upload to your website, after which you click "verify".

 

Safe.  AS LONG AS YOU'RE SURE IT'S A Google Site

 

While I've not seen a blue line (I typically see, on hacked sites, what I call the "red screen of death", from what is called Google's SafeBrowsing API)...

 

3.  What is this "Blackhat SEO"?  And why does it only show up on OTHER computers if they run AVG?  I run Microsoft Security Essentials on MY OWN PC, and have scanned it using Housecall and BitDefender and NONE of them have shown that I have an infection of any sort. 

 

While it's possible for your websites to be infected from your PC, it's not at all a requirement, and a relationship between the two is less common than it was ... 

 

4.  Is it possible that the Customizr theme is the problem?  This has only come about since I changed themes.

 

Is it a FREE theme?  Where did you get this theme?

Many "free" wordpress themes carry hidden ridealongs...

 

5.  What can I do to get this sorted out?

 

There are many good suggestions on the WordPress.org site, under "hardening WordPress"...

...if you installed using fantastico or something similar, if you use "admin" for your administrator username, all make you more vulnerable.

 

6.  How can I prevent this from happening again?

 

There are a number of excellent free WP security plugins available in the WordPress "plugins" directory...those would be a start...

 

I don't know of the propriety of indicating this, but I have provided a service of cleaning up hacked websites for around 5 years now...

 

Cheers!

 

Jann



#5 therealtabby

therealtabby
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 16 March 2014 - 05:19 PM

Jann - MANY thanks for the offer - but it's a matter of not having cash to pay someone to do it - or trust me, I would have!!  I found the Customizr theme via the wordpress site, and yes it was a freebie.  The hosting company sent me a "support ticket" with the affected code in it - would you be able to read it?  it might as well be written in Kanji for all the sense it makes to me!



#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 17 March 2014 - 10:23 PM

Feel free to post the code here so we can take a look.

#7 therealtabby

therealtabby
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 18 March 2014 - 07:15 AM

Grinler - we meet again!!  It took me a while, but I finally figured out that you'd assisted me previously.  Make It Better has also offered to help, but the way I see it, you folks know a TON more about this than I, and frankly many hands make for light work.

 

This is what my hosting company sent me...

 

P12426681000000000] Hacked Account Report

Comment:

Hello,

A scan of your account has found the malicious or infected files present.

/home/users/web/b237/nf.summerberryorganics/public_html/loonie/wp-content/themes/mantra/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/index_old.htm: SiteLock-JS-SEOSPAM-d.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-rss3.php: SiteLock-PHP-INJECTOR-1.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test.summerberryorganics.com/wp-content/themes/meganews/footer.php: LONGDEF.PHP.Backdoor-Shell-23N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test.summerberryorganics.com/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-content/plugins/weather-de.php: SiteLock-PHP-MINISHELL-1-g.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-content/themes/customizr/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test/wp-content/themes/arras-theme/library/timthumb.php: EIG.PHP.TimThumb-108.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test/wp-content/themes/meganews/footer.php: LONGDEF.PHP.Backdoor-Shell-23N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/test/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/test/wp-content/themes/meganews/footer.php: LONGDEF.PHP.Backdoor-Shell-23N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/test/wp-content/themes/arras-theme/library/timthumb.php: EIG.PHP.TimThumb-108.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/themes/customizr/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/backup-db/1301673625_-_d60638767.sql: {HEX}php.cmdshell.egyspider.225.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/backup-db/1302278342_-_d60638767.sql: {HEX}php.cmdshell.egyspider.225.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND

Some ways this can happen:
- a computer infected by viruses.
- poor scripts and/or applications, which allow hackers to remotely execute/inject code
- Virus infected theme selection for applications
- Installing applications, add-ons or modules which are downloaded from third-party locations and may be infected.

We will suspend the account if no response is received within 24 hours, ensuring that you are notified of the malware.

We recommend you delete all files on your account, then upload a known clean copy of your site.

Most importantly, you need to make sure any applications in your account are completely up-to-date. This applies not just to the core application, but also plugins, themes, modules, etc.

** If this is not done, your account will remain vulnerable to future attacks of this kind. **

If you are not comfortable securing your web applications, we have a partner company who can assist with cleaning, hardening, and monitoring your sites.

Hello,

A routine scan of your account has found the following malicious or infected files present:


As a result, we have had to suspend your account, to avoid problems for site visitors or other customers. Please remove the malicious code, through FTP or the file manager. I would recommend deleting and republishing your entire site from a clean copy; this should then erase any other code which may have been injected into your pages to allow 'back-door' access by unauthorized people.

You should immediately change your password through the control panel for the account, and most importantly, you need to make sure any applications in your account are completely up-to-date as far as versions, security patches, etc. are concerned. This applies not just to the core application, but also plugins, themes, modules, etc. ** If this is not done, your account will remain vulnerable to future attacks of this kind. **

If you are not comfortable securing your web applications, we have a company we endorse who can assist with cleaning, hardening, and monitoring your sites.

https://secure.ipage.com/product/sitelock/
 

What I don't understand in this particular item (other than the code, which might as well be in Chinese) is, if a "routine" scan found this mess, why didn't my hosting company advise me there was a problem?  NONE of this came to light until I contacted them about the google SE showing me "this site may be hacked".  I find that rather frustrating!



#8 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:45 AM

Posted 18 March 2014 - 01:28 PM

It is the site owner's responsibility to monitor their websites, not the hosting company. If they detect a problem, they shut down the site and assume that the owner is practicing due diligence and monitoring their site. That has been my experience with everyone I have ever hosted with anyway.

 

It also looks to me like Grinler's initial assessment is probably correct. Your Wordpress install is corrupt. There are a ton of threads on the Wordpress forum that will probably be helpful:

http://wordpress.org/support/topic/ive-been-hacked-15



#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:45 AM

Posted 18 March 2014 - 01:50 PM

Can't help you as to why they are not performing regular scans or if that is even part of their service. You may also want to review this link as it appears Wordpress was hacked:

http://codex.wordpress.org/FAQ_My_site_was_hacked

Typically these hacks are in the wordpress files/themes and changes are not made to your actual data. The scanner results below, though, do show that your database data may have been compromised:
 

/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/backup-db/1302278342_-_d60638767.sql


If you want, I can take a look at the file if you submit it here:

http://www.bleepingcomputer.com/submit-malware.php?channel=3

The 1302278342_-_d60638767.sql is a text export of your mysql database. So be sure to open it with notepad or other program first and see if there is any sensitive info in there you do not wish me to see. I can honestly say you can trust me, but if there are any concerns, please don't send me the file. Otherwise, feel free to submit and I will take a look.

I then suggest you perform a complete backup of your wordpress files and database. Download all the files on your site and a backup of your database.

Now perform an upgrade of your site using these instructions:

http://codex.wordpress.org/Upgrading_WordPress_Extended

When the upgrade is finished, change all of your site's passwords. These include ftp login, wordpress login, etc.

When that is done we have to clean up the infected files. Please delete the following files.
 
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-rss3.php
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test.summerberryorganics.com/chpass.sh
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-content/plugins/weather-de.php
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/chpass.sh
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test/chpass.sh
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/test/chpass.sh
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/chpass.sh
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/index_old.htm
The chpass.sh file is a script that changes your mysql password, so we definitely need to make sure that has been changed. You will probably have to ask your ISP to help you with that, as if the password has been changed you will not be able to do it on your own, unless you can get it from your control panel.

The code of the chpass.sh is:
 
query="update wp_users set user_pass=MD5('$__ADMINPASSWORD__') where user_login='admin' limit 1";
echo ${query} | mysql -u$__DBUSERNAME__ -p$__DBPASSWORD__ -hmysqlhost $__DBNAME__
The rest of the detected files are legitimate files for your themes and install but may have been compromised:
 
/home/users/web/b237/nf.summerberryorganics/public_html/loonie/wp-content/themes/mantra/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/index_old.htm: SiteLock-JS-SEOSPAM-d.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test.summerberryorganics.com/wp-content/themes/meganews/footer.php: LONGDEF.PHP.Backdoor-Shell-23N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-content/themes/customizr/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test/wp-content/themes/meganews/footer.php: LONGDEF.PHP.Backdoor-Shell-23N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/test/wp-content/themes/meganews/footer.php: LONGDEF.PHP.Backdoor-Shell-23N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/test/wp-content/themes/arras-theme/library/timthumb.php: EIG.PHP.TimThumb-108.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/themes/customizr/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
Unfortunately without seeing these files, I will have no idea what was done to them. You have two choices. You can remove the themes altogether and then manually remove the leftover folders if they exist or send me the above files and I will take a look. I think you are better off just completely removing the themes and the associated folder and then just reinstalling the ones you need. When removing the themes they need to be removed for the test and regular wordpress installations for:

summerberryorganics.com
hippieways.com


I know there is a lot of info here, so please let me know if there is any confusion.

#10 MakeItBetter

MakeItBetter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:45 AM

Posted 18 March 2014 - 02:58 PM

Looks to me like the vulnerability could be in the timthumb.php files found on the test versions of the sites...(it's hard to tell without looking at the code itself...)

 

While the version of timthumb.php (with the vulnerability that TRULY put a dent into web universe) HAS BEEN UPDATED...many, many (including some PAID) themes have been using a vulnerable version as recently as last year ... (pretty sad, considering the vulnerability was found in 2011...)

 

...you can use this plugin to determine if you have a bad version...

https://wordpress.org/plugins/timthumb-vulnerability-scanner/

 

...however, I would recommend removing any version of wordpress you are not actively using...

 

The "beginners triad" for website security is...

  1. keep everything updated...
  2. remove anything (sites, themes, plugins, test files, "old" files, etc) that you are NOT using...
  3. take and keep regular backups...

 

that will keep you out of the "ridiculously easy to hack", to just "low hanging fruit"...

...and reduce time and damage in case you should get hacked...(the attack attempts are many and ongoing)

 

...there are, of course, lots of additions and nuances to those 3 rules, they are the barest BASIC things you should be doing.  As someone else pointed out...don't trust your backups to your hosting company...

 

I make a backup before any plugin theme or wordpress upgrade...it really doesn't take too long...

 

Depending on your site you may just wish to start over from scratch...but wait, it may not be QUITE as bad as that sounds, as you can export your pages and posts and import them to a different install...

 

(WordPress themes are frequently sold where the developer provides an "xml" file  of "demo" content which can be imported, so the buyers can reproduce the site as the developer showed it off on their sales page.  Whether that would re-infect your database would depend on a number of factors, however.)

 

I recommend, when developing websites, to keep a changelog, so you know what changes you've made so you can re-build or reproduce your sites (in addition to backups; because, by knowing what you DID, you can use the same techniques on other sites you might want to build.)

 

Good luck!

 

Jann

 

P.S. I second Grinler's advice (although I would probably have just recommended removing the "test" versions of your site)...especially his advice about changing usernames & passwords.  If you are on a cpanel site, changing your cpanel password usually changes a number of other passwords at the same time.

Basically...there are 3 sets of "login" credentials:

1. cpanel/ftp/etc (and usually includes the master password for all your site's mysql databases)

2. your wordpress login...

3. your wordpress installation's database username & password


Edited by MakeItBetter, 18 March 2014 - 03:05 PM.


#11 therealtabby

therealtabby
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 18 March 2014 - 10:28 PM

Well, gentlemen...

If you have the time and are agreeable, I would DEEPLY appreciate your assistance to get these sites back on track.  I suspect you could accomplish more in 15 minutes than I could in a month (you have NO idea what it took for me to build what I have!!)

 

I don't really see trust as too much of an issue - frankly, I trust y'all at bleep more than I trust my hosting company right now!

 

At your mercy

Tammy



#12 MakeItBetter

MakeItBetter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:45 AM

Posted 18 March 2014 - 10:34 PM

So...Tammy...

 

...are you able to move forward with Grinler's recommendations?

(Don't get caught up in the fact that you already upgraded WordPress...you can re-install it from the dashboard.)

 

...or are you having a problem somewhere along the way?

 

Cheers!

 

Jann



#13 therealtabby

therealtabby
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 19 March 2014 - 05:44 PM

Moving forward?  Yer funny!!  I'm sitting here reading, and then re-reading, and reading again hoping that HALF of what you and Grinler have written sinks in!  I understand hippies and gardening...computers, not so much.  I know (quite obviously) just enough to land my hippie-*ss in hot water and have to beg assistance from those that do know! 

 

What I DO know is that I have three files that I "downloaded" from Netfirms that are apparently my "databases".  As long as my writing and photos aren't lost, I can rebuild the sites if need be (**sigh**).  Both sites are still live...I just checked.  Outwardly there are no signs of trouble. 

 

Based on what you know, would it be possible for someone with the skill to get in there, fish out the bad stuff and carry on from there?  I'm pretty sure I can (without a migraine) back up my "databases" to my PC.  I'm hoping beyond all hope that these "databases" are actually all of my blogging, etc....

 

Your wisdom is most certainly appreciated!

Tammy



#14 MakeItBetter

MakeItBetter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:45 AM

Posted 19 March 2014 - 10:46 PM

Okay...let's take it one at a time ...

 

1. ...updating WordPress...can you do that?

 

Go into your WordPress dashboard, click on updates, you can see the option to re-install WordPress.

 

2. Your database files -- the .sql files, are readable in any text editor, so you can see if there's anything in there you might not want Grinler to see while he looks for the baddies...

 

3. let's look at one of the lines in the output you were given ... (first, without the sitelock information)...

 

/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-rss3.php

 

...any file in the folder "public_html" (e.g., wp-rss3.php) is "visible" or at least accessible on the web (generally; there are some exceptions...but that would get far more technical than we'd need to get here.)

 

This is the location, the full path, where you can find this file on your hosting account.

Generally, hosting accounts have a graphical user interface called something like "file manager", that you can navigate to find the specified file.

 

You can also use FTP, and similarly navigate to the location.

 

The files are stored in a hierarchical manner, just like they are on your pc ...

...if you can navigate your pc's file system, your hosting file system is not much different...

 

4. Taking the same file, WITH the sitelock complaint...

 

/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-rss3.php: SiteLock-PHP-INJECTOR-1.UNOFFICIAL FOUND

 

pretty much the complaint is identifying the finder (SiteLock), PHP-INJECTOR-1 is the "type" of malware...

and while I don't know for certain, I suspect the "UNOFFICIAL FOUND" means that it's not an official WP file (again, I'm guessing)...but either the file or the malware is something it's seen before (again, a guess on my part.)

 

5. Let's take another one ...

 

/home/users/web/b237/nf.summerberryorganics/public_html/loonie/wp-content/themes/mantra/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND

 

Not sure what LONGDEF means...but I suspect it pertains to the fact that this is a LONG piece of Malware...

PHP.Spam-Links-009N -- means it's found spammy links (at least that's what I would take this to mean, having looked at some of your pages on your sites.)

 

SUMMARY:

Trying to find what you know, and what you don't know, so that you can implement some of these fixes yourself...

 

In the long run, you will be much better off...

 

I'm guessing your hosting company might have some education on how to use the software they have installed to help make hosting easier (usually this is cPanel ... but based upon the pathnames, I'm guessing it's not...)

 

Does this help?

 

Jann
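The report quoted in post #7 and the line-by-line reading of it in post #14 both come down to one format: a full path, a colon, a scanner signature name, and the word FOUND. The following Python script is an added example written for this thread; it is not code from the forum, from Netfirms or from SiteLock. It parses lines in that format, guesses the malware category from the signature name, works out which WordPress install (site, or a test copy under it) each file belongs to, and sorts each hit into the three actions Grinler's post #9 describes: delete foreign drop-in files, replace modified theme files from a clean copy, and manually review database dumps. The sample lines are copied from the report in this thread; the category keywords, the list of theme filenames and the "test" directory convention are assumptions that match this thread's paths and may need adjusting for another host.

```python
"""Turn a hosting-provider malware scan report into a cleanup plan.

Input lines look like:
    /home/.../public_html/site.com/wp-content/themes/x/functions.php: SIG.NAME FOUND
Example code written for this thread; not the host's or scanner's own tooling.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the scan report quoted in this thread.
SAMPLE_REPORT = """\
/home/users/web/b237/nf.summerberryorganics/public_html/loonie/wp-content/themes/mantra/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/index_old.htm: SiteLock-JS-SEOSPAM-d.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-rss3.php: SiteLock-PHP-INJECTOR-1.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/wp-content/plugins/weather-de.php: SiteLock-PHP-MINISHELL-1-g.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/hippieways.com/test/wp-content/themes/arras-theme/library/timthumb.php: EIG.PHP.TimThumb-108.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/themes/customizr/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b237/nf.summerberryorganics/public_html/summerberryorganics.com/wp-content/backup-db/1302278342_-_d60638767.sql: {HEX}php.cmdshell.egyspider.225.UNOFFICIAL FOUND
"""

LINE_RE = re.compile(r"^(?P<path>/\S+?): (?P<signature>\S+) FOUND$")
THEME_RE = re.compile(r"/wp-content/themes/(?P<theme>[^/]+)/")
# Assumption: the first directory under public_html is the site, and an optional
# "test" or "test.<something>" directory directly below it is a test copy.
INSTALL_RE = re.compile(r"/public_html/(?P<site>[^/]+)(?:/(?P<test>test(?:\.[^/]+)?))?(?:/|$)")

# Files a theme legitimately ships with. A hit on one of these means the file was
# modified in place, so it should be replaced from a clean copy, not just deleted.
# (Assumed list; extend it for the themes you actually run.)
THEME_FILES = {"functions.php", "footer.php", "header.php", "index.php", "timthumb.php"}


@dataclass(frozen=True)
class Finding:
    path: str
    signature: str
    install: str   # which WordPress install the file lives in
    category: str  # rough malware class inferred from the signature name
    action: str    # what the cleanup should do with this file


def classify_signature(sig):
    """Map a scanner signature name to a coarse category using keywords."""
    s = sig.lower()
    if any(k in s for k in ("backdoor", "shell", "injector")):
        return "backdoor"            # attacker-controlled code execution
    if "spam" in s:
        return "seo-spam"            # injected links/keywords (the "Blackhat SEO")
    if "timthumb" in s:
        return "vulnerable-library"  # known-bad bundled library, not payload
    return "unknown"


def install_of(path):
    """Return 'site' or 'site/testdir' for a path, or 'unknown'."""
    m = INSTALL_RE.search(path)
    if not m:
        return "unknown"
    site, test = m.group("site"), m.group("test")
    return f"{site}/{test}" if test else site


def action_for(path, category):
    name = path.rsplit("/", 1)[-1]
    if name.endswith(".sql"):
        return "review-dump"  # database export: inspect before ever restoring it
    theme = THEME_RE.search(path)
    if theme and name in THEME_FILES:
        return f"reinstall-theme:{theme.group('theme')}"
    return "delete"           # not part of WordPress or a theme: attacker drop-in


def parse_report(text):
    """Parse every 'path: SIGNATURE FOUND' line; prose and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, sig = m.group("path"), m.group("signature")
        cat = classify_signature(sig)
        findings.append(Finding(path, sig, install_of(path), cat, action_for(path, cat)))
    return findings


def cleanup_plan(findings):
    """Group (action, path) pairs per install, preserving report order."""
    plan = defaultdict(list)
    for f in findings:
        plan[f.install].append((f.action, f.path))
    return dict(plan)


if __name__ == "__main__":
    for install, items in cleanup_plan(parse_report(SAMPLE_REPORT)).items():
        print(f"== {install}")
        for action, path in items:
            print(f"  {action:28} {path}")
```

Run it as-is to see the plan for the sample, or feed it the full ticket text with `parse_report(open("ticket.txt").read())`; the regex ignores the surrounding prose, so the whole ticket can be pasted in. The keyword classifier is deliberately simple: it only tells you which hits are executable backdoors (clean those first, then rotate every credential, as both Grinler and Jann advise) versus spam injections and vulnerable libraries.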



#15 therealtabby

therealtabby
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Central Canada
  • Local time:03:45 AM

Posted 20 March 2014 - 08:45 PM

Jann..this seems like a great start.  I work some strange hours, but am off this weekend.  I will sit down and try to make heads of this mess on Saturday!!

 

I'd be so lost with you!!

T.





