Solved

Malware detected on my site - screenshot attached. zg3owjjnzqwn.ghara.pw

Posted on 2014-04-29
6
264 Views
Last Modified: 2014-05-01
I have a Wordpress site that is now showing I have Malware.  Any ideas on how to fix this?

Content from zg3owjjnzqwn.ghara.pw, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware.
0
Comment
Question by:livewirewebsolutions
  • 3
  • 2
6 Comments
 

Author Comment

by:livewirewebsolutions
ID: 40030327
here is the screenshot.
0
 

Author Comment

by:livewirewebsolutions
ID: 40030329
oops, here is the screenshot now.
Screenshot-2014-04-29-14.25.56.png
0
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 500 total points
ID: 40030386
Read my article for more information:

http://www.experts-exchange.com/Web_Development/Blogs/WordPress/A_10806-Recovering-From-and-Preventing-WordPress-Site-Hacks.html

In this case, I would pay for Sucuri or Stop The Hacker to come in and fix the malware and also scan your site for vulnerabilities.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40030551
You're in good hands with Jason.  I would only add that most WP malware arrives because of vulnerabilities in plugins or similar add-on code.  So check to make sure everything you're adding to the base WP package is up to date and approved by WP!
0
 

Author Comment

by:livewirewebsolutions
ID: 40030715
everything is up to date.  My host company said that a file called wp.php was infected.  They removed the file.  See comments below.

Maldet scan:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# maldet --scan-all .
maldet(10490): {scan} scan completed on .: files 26699, malware hits 0, cleaned hits 0
--

ClamScan:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# clamscan -ir *
wp.php: PHP.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2992278
Engine version: 0.97.8
Scanned directories: 751
Scanned files: 26666
Infected files: 1
Data scanned: 568.83 MB
Data read: 463.17 MB (ratio 1.23:1)
Time: 94.942 sec (1 m 34 s)
--

wp.php: PHP.Webshell-2 FOUND << Is showing as an infected file.

I've moved that file and removed it's permissions:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# mv wp.php /root/support/busted/

What do I do now and how do I inform Google that it's been removed?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 40030727
You removed a symptom, not the infection. Wp.php is not a core WordPress file so the attackers will be able to exploit you again. This is why you need a specialist to evaluate your site and ISP to figure out how this is happening.  

If you don't take those steps, you are just going to get hacked over and over again.

To remove any Google actions, log in to Webmaster Tools.  You will be able to request a removal from there.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The purpose of this video is to demonstrate how to set up an RSS Feed on a WordPress Website. This will be demonstrated using a Windows 8 PC. Feedburner will be used for this demonstration. Go to your WordPress login page. This will look like the…
The purpose of this video is to demonstrate how to set up the permalinks on a WordPress Website. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Go t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now