Malware in my Wordpress Sites

Hi all,

I have a cloud Web Server 2008 and I have had a popup widget appear in some (not all) of my WordPress sites on it (around 4 out of 6-7??)

I have re-updated WordPress, which has eliminated the popups. I am just worried: is it held somewhere on the machine?

Is there anything I can do to eliminate this completely?

Has anyone seen this before?
flynnyAsked:
Peter HartCommented:
There are steps you can take to 'harden' your WordPress install; these steps are described on the WordPress site here:

http://codex.wordpress.org/Hardening_WordPress

Also, there are firewalls and other plugins you can add to increase security. A good list is here:
http://www.problogger.net/archives/2013/01/08/10-essential-wordpress-security-plugins-for-2013/
Jason C. LevineDon't talk to me.Commented:
flynnyAuthor Commented:
Thanks for the replies guys (sorry I didn't get the email saying comments had been left!).

Would you say that this is solely a WordPress-based hack and not a server hack?

Reason I asked is because it appeared across multiple sites, but only the WordPress ones.
Jason C. LevineDon't talk to me.Commented:
It's most likely a server hack that then targets WordPress sites (because odds are the server is running WordPress sites). Almost as likely is this is a targeted hack to WordPress based on previous scans to make sure it's present.
flynnyAuthor Commented:
OK, is there anything I can do to check the issue is removed and it's not still stored away on the server somewhere?

I assume they have performed a brute force hack on the server then. But the password was secure on the users (i.e. Capitals Numeric and Symbols, and is not a word or anything like that??)

Thanks for the help guys.
Peter HartCommented:
Other than removing the site and reinstalling from a clean backup, or looking in every folder and comparing the sizes of the files against a clean backup version, not really... Some malware embeds itself inside the system files.

Some hosts provide regular malware checking.
But you can get third parties to scan your website for malware.
See this link to Sitelock:
(maybe use the 30 day free trial ;-)

https://www.sitelock.com/malware-removal.php?utm_source=Google&utm_medium=ES&utm_campaign=Expert%252BServices&gclid=CNmHmfum77wCFTCWtAodC0YAtA

Remember to back up once it's clean.
I found the process of downloading a site to my PC was a good way of my PC antivirus s/w detecting malware in the files I was downloading; it simply deleted them, which allowed me to find the rogue files.

Jason C. LevineDon't talk to me.Commented:
I assume they have performed a brute force hack on the server then. But the password was secure

Your password is probably irrelevant. They are not logging in as you. Instead, they have found an insecure something and used it to inject and execute code. This can be done without a login to the server or to the site backend. If they get into the backend, it just makes their life easier.

I can do to check the issue is removed and its not still stored away on the server somewhere?


Other than hiring a pro? Not really. Server and script security is very, very tough to do unless you are specially trained on how to do it, and you are likely to miss something critical if you try to follow a guide without a full understanding of what you are doing.

Your best bet is to follow the best practices listed in the Hardening WordPress Codex article the first Expert linked to and adding your own security measures such as the ones I list in my article.  Stick with known, good plugins that are regularly updated and themes from reputable theme developers and you will probably be okay.
flynnyAuthor Commented:
Hi there,

many thanks for your reply.

Reinstalling the WordPress plugin (I did this through the wp-admin backend) sorted it for most of the sites.

However one page (http://www.khersolicitors.co.uk/our-team/) seems to be immune to this at the moment.

And I can't see this anywhere in the template files? (Which is strange, as it is not appearing on any of the other pages.)

Any ideas where I should look to remove this code?
Peter HartCommented:
Is it only in the admin view of this page? I can't see it on the link you provided.
Look at the HTML view of the content and see if you see anything that's not supposed to be there.
Try creating a new page and copy the content across and see if the problem transfers to the new page. (If it doesn't, then use the new page and replace the problem page with the new one.)

It's more than likely one of the plugins, like the social buttons.
Try uninstalling the plugin and reinstalling fresh downloads.
flynnyAuthor Commented:
ChilternPC,

Many thanks for the reply.

I found the code and removed it literally just before you posted. It had appended itself to the bottom of the template the page was on. I have removed this and updated the social plugin.

You are correct this is the only page on the site using the social plugin.

However, it has appeared on other wordpress sites which do not use this plugin?

Is there anything I can do to test for ports and vulnerabilities on the site/server to prevent this coming back?