robrodp asked:

Google reports malware in my WordPress sites. Can't find the problem

I have a WordPress site.

Plugins:

sucuri
wordfence

I run the scan with Wordfence and no problems, but Google AdWords says these dangerous links have been found:

· deloton[.]com
· mobisla[.]com
· mobpushup[.]com
· pub2srv[.]com

Any idea of how to find them?

I have run a string search in the site but nothing is found. I guess the problem is in the mssql tables.

Or are they in the hosting space? Can't find them either.

Any ideas?
gr8gonzo

Use HeidiSQL to connect to the database and do a string search through the database.

1. After you install HeidiSQL, set up a connection to your database (you might have to whitelist your IP and/or allow your WordPress DB user to connect from your IP).

2. Once you're connected, right-click on the database name and in the pop-up menu, click on "Find text on server".

3. You'll get a pop-up screen with all of your tables inside your DB selected automatically and on the right hand side, just type in "mobpushup" (for example) in the "Text to find:" textbox, make sure the column type is "Text" and click on Find.

4. Once it finishes running through all the tables (it will take a couple of minutes at least), click on the "See results" button and it should show you the rows in each table where that text was found, and then you can figure out how to delete it (based on what table has it).

For example, if it's in the comments table, you might just edit the comments from your WP admin area and remove them (and maybe implement something like ReCAPTCHA to help prevent bot-driven comment submissions).

Alternative,
1. Dump (back up) the database
2. Open in a code editor and search for the strings
3. When found, check which table - then go and remove from the live database.

If you don't find it there or in a search of the source files, then there is a chance there is code in your site that is obfuscating the links.

Are you able to see the pages where the links are appearing? You need some way to test that they have been "turned off"

Check your functions.php file for any code added (usually to the start or end of the file - might look like a long string of jumbled characters).

Turn your plugins off and see if the links disappear - then re-enable one at a time to see which plugin is causing the problem.

Dumping the database is taking the long way to do what I just suggested. Both HeidiSQL and phpMyAdmin offer search capabilities without having to dump the database to do a simple search.

I do agree, though, that there's always a chance that some encoded content has been injected, but I would first start with the database, since that's the more likely target. A poorly-built plugin or theme could expose SQL injection, at which point links (either in raw or encoded form) could be added to posts, pages, comments, etc...

If you post a link to your WP site, it might allow us to see something that would point us in the right direction.
noci

Any other advertisement networks involved that might have had a bad run (once... can be enough)?

"Dumping the database is taking the long way to do what I just suggested."
Misread your response - did not know Heidi had that functionality. I use SQLYog which does not have that functionality (at least not in my version).
In terms of time though - it does not take longer - only drawback is having to clean up afterwards - but the dump is effectively a backup so you could overlap the two.

When I refer to it taking longer, I'm talking about the overhead of having to wait for the dump to complete and then potentially having to download it (if the dump wasn't executed from the machine where the search is performed) and then opening up the file (possibly needing an editor that supports big files) and searching for the value and then searching in reverse for the containing table name (since a dump usually does bulk inserts so the search result isn't always on the same visible page as the start of the query), and repeating. It's just a lot of manual overhead.

A backup is a great thing, don't get me wrong, but searching a dump file should be the last resort if you can search for the value in the instance.

You should give HeidiSQL a go, though. It's a lot like what SQL Enterprise Manager used to be.
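An added example, not part of the thread and not any poster's code: a Python sketch of the dump search discussed above that reports which table each hit came from, and also looks for the four domains in base64-encoded form. The table names and sample rows are constructed, and it assumes mysqldump's usual one-statement-per-line `INSERT INTO` output.

```python
import base64
import re

# Domains from the question, written without the [.] defanging for matching.
INDICATORS = ["deloton.com", "mobisla.com", "mobpushup.com", "pub2srv.com"]
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`")


def base64_fragments(text):
    """Base64 substrings that must appear when `text` sits inside encoded data."""
    raw, frags = text.encode(), set()
    for pad in range(3):                      # text can start at any byte mod 3
        enc = base64.b64encode(b"\x00" * pad + raw).decode()
        start = (8 * pad + 5) // 6            # skip chars mixed with earlier bytes
        end = 8 * (pad + len(raw)) // 6       # stop before chars mixed with later bytes
        frags.add(enc[start:end])
    return frags


def scan_dump(lines):
    """Return sorted (table, indicator, form) hits from mysqldump lines."""
    needles = [(ind, "raw", ind) for ind in INDICATORS]
    for ind in INDICATORS:
        needles += [(ind, "base64", frag) for frag in base64_fragments(ind)]
    hits, table = set(), None
    for line in lines:
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)                # table name travels with the row data
        low = line.lower()                    # raw domains match case-insensitively
        for ind, form, needle in needles:
            if needle in (low if form == "raw" else line):
                hits.add((table or "(outside INSERT)", ind, form))
    return sorted(hits)


# Constructed sample dump, not data from the site in the question.
_blob = base64.b64encode(b'<script src="//pub2srv.com/a.js"></script>').decode()
SAMPLE_DUMP = [
    "INSERT INTO `wp_comments` VALUES (1,'nice http://mobpushup.com/x');",
    "INSERT INTO `wp_options` VALUES (7,'widget_text','" + _blob + "');",
    "INSERT INTO `wp_users` VALUES (1,'admin');",
]

if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print(hit)
```

To scan a real dump, pass the open file instead of the sample: `scan_dump(open("dump.sql", errors="replace"))`.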
I have played with it - last time I looked (12 months back) it did not have all the features that Enterprise Yog has - but I will do another eval of it.

Hi,
I don't know which tool you use to search your site, but here are my suggestions if the links are not in the DB.

These links may be in injected files. These files have strange names with a php extension, something like 3589.php; they are easy to spot and are not part of your installation files. If this is the case, the files were probably placed in the theme folder or images folder (any folder that has a less restrictive chmod).

What you can do is download all files to your computer and do a search in files using Notepad++.
You can compare the actual installation with the last good backup using Araxis Merge; there is an option to compare folders (demo one month free).
You can check on the server using FileZilla for recent files by checking the date; this could be a quick way to spot it, I would start with that.

If the code was injected into your existing files, the theme files would be the first place to look.

Also contact your hosting company; they have tools to scan and they probably can help you.
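An added example, not part of the thread: a Python triage pass over a downloaded copy of the site that flags the signs mentioned in the answers above (numeric file names such as 3589.php, PHP under uploads, recent modification dates, long jumbled strings, eval of decoded data). The thresholds, regexes and sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

NUMERIC_NAME = re.compile(r"^\d+\.php$", re.I)           # e.g. 3589.php
LONG_BLOB = re.compile(rb"[A-Za-z0-9+/=]{200,}")         # jumbled-looking run
DECODE_CALL = re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)


def triage(root, recent_days=14):
    """Return {relative_path: [reasons]} for PHP files worth a manual look."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        rel = path.relative_to(root)
        data = path.read_bytes()
        checks = [
            ("numeric file name", NUMERIC_NAME.match(path.name)),
            ("PHP under uploads", "uploads" in rel.parts),
            ("recently modified", path.stat().st_mtime > time.time() - recent_days * 86400),
            ("long encoded-looking string", LONG_BLOB.search(data)),
            ("eval of decoded data", DECODE_CALL.search(data)),
        ]
        if reasons := [label for label, hit in checks if hit]:
            findings[rel.as_posix()] = reasons
    return findings


def build_sample_tree(root):
    """Write a constructed three-file tree (not taken from any real site)."""
    old, new = time.time() - 400 * 86400, time.time()
    samples = {
        "wp-content/themes/demo/index.php": (b"<?php get_header(); ?>", old),
        "wp-content/themes/demo/functions.php":
            (b"<?php eval(base64_decode('" + b"QUJD" * 60 + b"')); ?>", old),
        "wp-content/uploads/2018/3589.php": (b"<?php echo 1; ?>", new),
    }
    for rel, (body, mtime) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        os.utime(path, (mtime, mtime))       # backdate the files meant to look old


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A recent modification date alone is a weak signal after a plugin or core update, so files flagged for several reasons are the ones to open first.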