• Status: Solved

Malware in my WordPress Sites

Hi all,

I have a cloud Web Server 2008 and I have had a popup widget appear in some (not all) of my WordPress sites (around 4 out of 6-7??).

I have re-updated WordPress, which has eliminated the popups. I am just worried: is it held somewhere on the machine?

Is there anything I can do to eliminate this completely?

Has anyone seen this before?
Asked by: flynny
 
chilternPC Commented:
There are steps you can take to 'harden' your WordPress install; these steps are described on the WordPress site here:

http://codex.wordpress.org/Hardening_WordPress

Also, there are firewalls and other plugins you can add to increase security. A good list is here:
http://www.problogger.net/archives/2013/01/08/10-essential-wordpress-security-plugins-for-2013/
 
Jason C. Levine (No one) Commented:
 
flynny (Author) Commented:
Thanks for the replies guys (sorry I didn't get the email saying comments had been left!).

Would you say that this is solely a WordPress-based hack and not a server hack?

Reason I asked is because it appeared across multiple sites, but only the WordPress ones.
 
Jason C. Levine (No one) Commented:
It's most likely a server hack that then targets WordPress sites (because odds are the server is running WordPress sites). Almost as likely is this is a targeted hack to WordPress based on previous scans to make sure it's present.
 
flynny (Author) Commented:
OK, is there anything I can do to check the issue is removed and it's not still stored away on the server somewhere?

I assume they have performed a brute force hack on the server then. But the password was secure on the users (i.e. capitals, numeric and symbols, and is not a word or anything like that??)

Thanks for the help guys.
 
chilternPC Commented:
Other than removing the site and reinstalling from a clean backup, or looking in every folder and comparing the sizes of the files against a clean backup version, not really... some malware embeds itself inside the system files.

Some hosts provide regular malware checking, but you can get third parties to scan your website for malware.
See this link to Sitelock (maybe use the 30 day free trial ;-)):

https://www.sitelock.com/malware-removal.php?utm_source=Google&utm_medium=ES&utm_campaign=Expert%252BServices&gclid=CNmHmfum77wCFTCWtAodC0YAtA

Remember to back up once it's clean.
I found the process of downloading a site to my PC was a good way of my PC antivirus s/w detecting malware in the files I was downloading; it simply deleted them, which allowed me to find the rogue files.
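The comparison against a clean backup suggested above, as an added example (not code from the thread): it compares SHA-256 hashes rather than file sizes, which goes beyond the size check mentioned, and flags files whose clean content is intact but has extra bytes appended, as the author later found in a template. The file names and contents built in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(root).rglob("*")) if p.is_file()
    }


def compare_trees(clean_root, live_root):
    """Report how the live tree differs from a known-clean copy."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    report = {"added": sorted(set(live) - set(clean)),
              "missing": sorted(set(clean) - set(live)),
              "modified": [], "appended": {}}
    for rel in sorted(set(clean) & set(live)):
        if clean[rel] == live[rel]:
            continue
        report["modified"].append(rel)
        good = (Path(clean_root) / rel).read_bytes()
        bad = (Path(live_root) / rel).read_bytes()
        # Clean bytes as an exact prefix means something was appended: keep the tail.
        if bad.startswith(good):
            report["appended"][rel] = bad[len(good):]
    return report


def demo():
    # Constructed sample trees: one template gets a tail, one file is new.
    base = {"index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-content/themes/demo/page.php": b"<?php get_footer(); ?>\n"}
    tampered = dict(base)
    tampered["wp-content/themes/demo/page.php"] += b"<!-- constructed injected tail -->\n"
    tampered["wp-content/uploads/x.php"] = b"<?php /* unexpected */\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", base), ("live", tampered)):
            for rel, data in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare_trees(Path(tmp, "clean"), Path(tmp, "live"))


if __name__ == "__main__":
    print(demo())
```

To use it on a real site, call `compare_trees` with an unpacked clean backup as the first argument and the live document root as the second; files that legitimately differ (such as a site's own configuration file or uploads) will also show up and need reviewing by hand.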
 
Jason C. Levine (No one) Commented:
"I assume they have performed a brute force hack on the server then. But the password was secure"

Your password is probably irrelevant.  They are not logging in as you.  Instead, they have found an insecure something and used it to inject and execute code.  This can be done without a login to the server or to the site backend. If they get into the backend, it just makes their life easier.

"I can do to check the issue is removed and its not still stored away on the server somewhere?"

Other than hiring a pro?  Not really.  Server and script security is very, very tough to do unless you are specially trained on how to do it, and you are likely to miss something critical if you try to follow a guide without a full understanding of what you are doing.

Your best bet is to follow the best practices listed in the Hardening WordPress Codex article the first Expert linked to and adding your own security measures such as the ones I list in my article.  Stick with known, good plugins that are regularly updated and themes from reputable theme developers and you will probably be okay.
 
flynny (Author) Commented:
Hi there,

Many thanks for your reply.

Reinstalling the WordPress plugin (I did this through the wp-admin backend) sorted it for most of the sites.

However one page (http://www.khersolicitors.co.uk/our-team/) seems to be immune to this at the moment.

And I can't see this anywhere in the template files? (Which is strange as it is not appearing on any of the other pages.)

Any ideas where I should look to remove this code?
 
chilternPC Commented:
Is it only in the admin view of this page? I can't see it on the link you provided.
Look at the HTML view of the content and see if you see anything that's not supposed to be there.
Try creating a new page and copy the content across and see if the problem transfers to the new page. (If it doesn't, then use the new page and replace the problem page with the new one.)

It's more than likely one of the plugins, like the social buttons.
Try uninstalling the plugin and re-installing fresh downloads.
 
flynny (Author) Commented:
ChilternPC,

Many thanks for the reply.

I found the code and removed it literally just before you posted. It had appended itself to the bottom of the template the page was on. I have removed this and updated the social plugin.

You are correct, this is the only page on the site using the social plugin.

However, it has appeared on other WordPress sites which do not use this plugin?

Is there anything I can do to test for ports and vulnerabilities on the site/server to prevent this coming back?