Solved

Malware in my Wordpress Sites

Posted on 2014-02-27
Last Modified: 2014-03-05
Hi all,

I have a cloud Web Server 2008 and I have had a popup widget appear in some (not all) of my WordPress sites (around 4 out of 6-7??)

I have re-updated WordPress, which has eliminated the popups. I am just worried: is it held somewhere on the machine?

Is there anything I can do to eliminate this completely?

Has anyone seen this before?
Question by:flynny
10 Comments
 
LVL 28

Expert Comment

by:chilternPC
ID: 39893480
There are steps you can take to 'harden' your WordPress install; these steps are described on the WordPress site here:

http://codex.wordpress.org/Hardening_WordPress

Also, there are firewalls and other plugins you can add to increase security. A good list is here:
http://www.problogger.net/archives/2013/01/08/10-essential-wordpress-security-plugins-for-2013/
0
 
LVL 70

Assisted Solution

by:Jason C. Levine
Jason C. Levine earned 250 total points
ID: 39894137
0
 

Author Comment

by:flynny
ID: 39894266
Thanks for the replies guys (sorry, I didn't get the email saying comments had been left!).

Would you say that this is solely a WordPress-based hack and not a server hack?

Reason I asked is because it appeared across multiple sites, but only the WordPress ones.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 39895098
It's most likely a server hack that then targets WordPress sites (because odds are the server is running WordPress sites). Almost as likely is this is a targeted hack to WordPress based on previous scans to make sure it's present.
0
 

Author Comment

by:flynny
ID: 39895150
OK, is there anything I can do to check the issue is removed and it's not still stored away on the server somewhere?

I assume they have performed a brute force hack on the server then. But the password was secure on the users (i.e. Capitals Numeric and Symbols, and is not a word or anything like that??)

Thanks for the help guys.
0

 
LVL 28

Accepted Solution

by:
chilternPC earned 250 total points
ID: 39895338
Other than removing the site and reinstalling from a clean backup, or looking in every folder and comparing the sizes of the files against a clean backup version, not really... Some malware embeds itself inside the system files.

Some hosts provide regular malware checking,
but you can get third parties to scan your website for malware.
See this link to Sitelock:
(maybe use the 30 day free trial ;-)

https://www.sitelock.com/malware-removal.php?utm_source=Google&utm_medium=ES&utm_campaign=Expert%252BServices&gclid=CNmHmfum77wCFTCWtAodC0YAtA

Remember to back up once it's clean.
I found the process of downloading a site to my PC was a good way of getting my PC antivirus s/w to detect malware in the files I was downloading; it simply deleted them, which allowed me to find the rogue files.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 39895458
> I assume they have performed a brute force hack on the server then. But the password was secure

Your password is probably irrelevant. They are not logging in as you. Instead, they have found an insecure something and used it to inject and execute code. This can be done without a login to the server or to the site backend. If they get into the backend, it just makes their life easier.

> I can do to check the issue is removed and it's not still stored away on the server somewhere?


Other than hiring a pro? Not really. Server and script security is very, very tough to do unless you are specially trained on how to do it, and you are likely to miss something critical if you try to follow a guide without a full understanding of what you are doing.

Your best bet is to follow the best practices listed in the Hardening WordPress Codex article the first Expert linked to and adding your own security measures such as the ones I list in my article.  Stick with known, good plugins that are regularly updated and themes from reputable theme developers and you will probably be okay.
0
 

Author Comment

by:flynny
ID: 39902457
Hi there,

Many thanks for your reply.

Reinstalling the WordPress plugin (I did this through the wp-admin backend) sorted it for most of the sites.

However one page (http://www.khersolicitors.co.uk/our-team/) seems to be immune to this at the moment.

And I can't see this anywhere in the template files? (Which is strange, as it is not appearing on any of the other pages.)

Any ideas where I should look to remove this code?
0
 
LVL 28

Expert Comment

by:chilternPC
ID: 39902680
Is it only in the admin view of this page? I can't see it on the link you provided.
Look at the HTML view of the content and see if you see anything that's not supposed to be there.
Try creating a new page and copy the content across and see if the problem transfers to the new page. (If it doesn't, then use the new page and replace the problem page with the new one.)

It's more than likely one of the plugins like the social buttons.
Try uninstalling the plugin and re-installing fresh downloads.
0
 

Author Comment

by:flynny
ID: 39902744
ChilternPC,

Many thanks for the reply.

I found the code and removed it literally just before you posted. It had appended itself to the bottom of the template the page was on. I have removed this and updated the social plugin.

You are correct, this is the only page on the site using the social plugin.

However, it has appeared on other WordPress sites which do not use this plugin?

Is there anything I can do to test for ports and vulnerabilities on the site/server to prevent this coming back?
0
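
The comparison against a clean backup suggested in the accepted solution, and the appended-template case reported in the last comment, as an added example that is not part of the original thread. It compares file contents rather than sizes alone and flags files whose clean content is intact with extra bytes at the end; the directory layout and file names in `demo()` are constructed sample data.

```python
import tempfile
from pathlib import Path


def _files(root):
    """Map each file's path relative to root onto its full path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root):
    """Classify every difference between a clean reference copy and the live site."""
    clean, live = _files(clean_root), _files(live_root)
    report = {
        "added": sorted(live.keys() - clean.keys()),    # files the clean copy never had
        "missing": sorted(clean.keys() - live.keys()),  # files deleted from the live site
        "modified": [],
        "appended": [],
    }
    for rel in sorted(clean.keys() & live.keys()):
        good, current = clean[rel].read_bytes(), live[rel].read_bytes()
        if good == current:
            continue  # byte-identical; a size-only check would miss same-size edits
        if current.startswith(good):
            # Original content intact with extra bytes at the end: code was appended.
            report["appended"].append((rel, len(current) - len(good)))
        else:
            report["modified"].append(rel)
    return report


def demo():
    """Build constructed sample trees: a clean backup and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-content/themes/example").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller\n")
            (root / "wp-content/themes/example/page.php").write_text("<?php get_footer();\n")
        # Constructed tampering: markup appended to a template, plus an unexpected file.
        with open(live / "wp-content/themes/example/page.php", "a") as fh:
            fh.write("<!-- constructed placeholder for injected markup -->\n")
        (live / "wp-content/uploads").mkdir()
        (live / "wp-content/uploads/cache.php").write_text("<?php // unexpected file\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Files that legitimately differ between the reference copy and the live site, such as `wp-config.php` and uploaded media, will show up in the report and need to be reviewed by hand.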
