Solved

Malware detected on my site - screenshot attached. zg3owjjnzqwn.ghara.pw

Posted on 2014-04-29
6
276 Views
Last Modified: 2014-05-01
I have a Wordpress site that is now showing I have Malware.  Any ideas on how to fix this?

Content from zg3owjjnzqwn.ghara.pw, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware.
0
Comment
Question by:livewirewebsolutions
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 

Author Comment

by:livewirewebsolutions
ID: 40030327
here is the screenshot.
0
 

Author Comment

by:livewirewebsolutions
ID: 40030329
oops, here is the screenshot now.
Screenshot-2014-04-29-14.25.56.png
0
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 500 total points
ID: 40030386
Read my article for more information:

http://www.experts-exchange.com/Web_Development/Blogs/WordPress/A_10806-Recovering-From-and-Preventing-WordPress-Site-Hacks.html

In this case, I would pay for Sucuri or Stop The Hacker to come in and fix the malware and also scan your site for vulnerabilities.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40030551
You're in good hands with Jason.  I would only add that most WP malware arrives because of vulnerabilities in plugins or similar add-on code.  So check to make sure everything you're adding to the base WP package is up to date and approved by WP!
0
 

Author Comment

by:livewirewebsolutions
ID: 40030715
everything is up to date.  My host company said that a file called wp.php was infected.  They removed the file.  See comments below.

Maldet scan:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# maldet --scan-all .
maldet(10490): {scan} scan completed on .: files 26699, malware hits 0, cleaned hits 0
--

ClamScan:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# clamscan -ir *
wp.php: PHP.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2992278
Engine version: 0.97.8
Scanned directories: 751
Scanned files: 26666
Infected files: 1
Data scanned: 568.83 MB
Data read: 463.17 MB (ratio 1.23:1)
Time: 94.942 sec (1 m 34 s)
--

wp.php: PHP.Webshell-2 FOUND << Is showing as an infected file.

I've moved that file and removed it's permissions:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# mv wp.php /root/support/busted/

What do I do now and how do I inform Google that it's been removed?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 40030727
You removed a symptom, not the infection. Wp.php is not a core WordPress file so the attackers will be able to exploit you again. This is why you need a specialist to evaluate your site and ISP to figure out how this is happening.  

If you don't take those steps, you are just going to get hacked over and over again.

To remove any Google actions, log in to Webmaster Tools.  You will be able to request a removal from there.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
This video teaches users how to migrate an existing Wordpress website to a new domain.
The purpose of this video is to demonstrate how to set up the permalinks on a WordPress Website. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Go t…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question