Solved

Malware detected on my site - screenshot attached. zg3owjjnzqwn.ghara.pw

Posted on 2014-04-29
Last Modified: 2014-05-01
I have a WordPress site that is now showing I have malware. Any ideas on how to fix this?

Content from zg3owjjnzqwn.ghara.pw, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware.
Question by:livewirewebsolutions
6 Comments
 

Author Comment

by:livewirewebsolutions
ID: 40030327
here is the screenshot.
0
 

Author Comment

by:livewirewebsolutions
ID: 40030329
oops, here is the screenshot now.
Screenshot-2014-04-29-14.25.56.png
0
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 2000 total points
ID: 40030386
Read my article for more information:

http://www.experts-exchange.com/Web_Development/Blogs/WordPress/A_10806-Recovering-From-and-Preventing-WordPress-Site-Hacks.html

In this case, I would pay for Sucuri or Stop The Hacker to come in and fix the malware and also scan your site for vulnerabilities.
0

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40030551
You're in good hands with Jason.  I would only add that most WP malware arrives because of vulnerabilities in plugins or similar add-on code.  So check to make sure everything you're adding to the base WP package is up to date and approved by WP!
0
 

Author Comment

by:livewirewebsolutions
ID: 40030715
Everything is up to date. My host company said that a file called wp.php was infected. They removed the file. See comments below.

Maldet scan:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# maldet --scan-all .
maldet(10490): {scan} scan completed on .: files 26699, malware hits 0, cleaned hits 0
--

ClamScan:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# clamscan -ir *
wp.php: PHP.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2992278
Engine version: 0.97.8
Scanned directories: 751
Scanned files: 26666
Infected files: 1
Data scanned: 568.83 MB
Data read: 463.17 MB (ratio 1.23:1)
Time: 94.942 sec (1 m 34 s)
--

wp.php: PHP.Webshell-2 FOUND << Is showing as an infected file.

I've moved that file and removed its permissions:
--
cP/vz31-md/2109 root@162.211.82.64 [/home/joyce/public_html]# mv wp.php /root/support/busted/

What do I do now and how do I inform Google that it's been removed?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 40030727
You removed a symptom, not the infection. Wp.php is not a core WordPress file so the attackers will be able to exploit you again. This is why you need a specialist to evaluate your site and ISP to figure out how this is happening.  

If you don't take those steps, you are just going to get hacked over and over again.

To remove any Google actions, log in to Webmaster Tools.  You will be able to request a removal from there.
0
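
The point above that wp.php is not a core WordPress file suggests a first triage pass, shown here as an added example that is not part of the original thread. It lists top-level PHP files a stock WordPress release does not ship, PHP files under the uploads directory, and recently changed PHP files; the function names and the 7-day window are assumptions, and the output is a list to review, not proof the site is clean.

```shell
#!/bin/sh
# Added example (not from the thread): triage a WordPress document root.
# CORE_TOP: top-level PHP files of a stock WordPress install, plus wp-config.php.
CORE_TOP="index.php wp-activate.php wp-blog-header.php wp-comments-post.php \
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php \
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# Print top-level *.php files in docroot $1 that are not in CORE_TOP
# (this is the check that would have flagged wp.php).
non_core_top_level() {
    for f in "$1"/*.php; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case " $CORE_TOP " in
            *" $name "*) ;;          # expected core file
            *) echo "$name" ;;       # not shipped by WordPress: review it
        esac
    done
}

# Print PHP files under wp-content/uploads, which normally holds media only.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -iname '*.php' | sort
}

# Print PHP files under docroot $1 modified within the last $2 days.
recently_modified_php() {
    find "$1" -type f -iname '*.php' -mtime "-$2" | sort
}

# Stand-alone use: ./triage.sh /path/to/docroot   (path is an assumption)
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    echo "== Non-core PHP files in document root =="
    non_core_top_level "$1"
    echo "== PHP files under uploads =="
    php_in_uploads "$1"
    echo "== PHP files changed in the last 7 days =="
    recently_modified_php "$1" 7
fi
```

Where WP-CLI is installed, `wp core verify-checksums` additionally compares the core files themselves against the official checksums, which catches modified core files that a name-based check cannot.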


Question has a verified solution.
