Forum Replies Created
Try a direct query in PhpMyAdmin looking in the wp_posts table for any records with that content. Use something like this:
SELECT * FROM wp_posts WHERE post_content LIKE '%cialis%' OR post_title LIKE '%cialis%'

All you need to do is enable the automatic updates and that will install the core files definitions for you.
It looks like those are posts or pages that may have been created by a rogue admin user or a hacker who has access to your wp-admin. Check your users, change your passwords and then look for pages and posts that you did not create.
If it’s not in your theme’s header.php then I would reaffirm that it’s in the database. Try looking in the wp_options table, that is where special header output is usually stored.
That is because this threat is usually not in any of your files. Instead, this malicious HTML is injected directly into your database. You’ll need to look in your post/page content (using the text tab so that you can see the HTML tags that you don’t want there) and remove the unwanted text manually.
Your bigger problem is that the hacker(s) will likely still have remote access to your database and they can re-inject this unwanted content. There was a widespread outbreak of this particular threat on TSOHOST recently and a number of their customers reported repeated hacks without any recourse to stop them from injecting the same links into their database.
I would suggest changing your DB_PASS and updating your wp-config.php file. If that does not stop repeated infections then you may have to look for a more secure host.
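An added example, not from the forum replies: MySQL queries that extend the wp_posts search above to the other places injected content is usually stored (wp_options, wp_postmeta, rogue admin accounts), followed by a backed-up, transactional removal of one snippet. It assumes the default wp_ table prefix; the markup patterns, the backup table name and the INJECTED_SNIPPET_PLACEHOLDER string are assumptions to be replaced with what the read-only queries actually show.

```sql
-- Added example (not from the forum replies). Assumes the default "wp_" prefix
-- and MySQL/MariaDB. Run the read-only queries first; back up before any UPDATE.

-- 1. Posts/pages whose content or title carries the keyword from the reply above
--    or markup that injected spam typically uses (hidden divs, iframes, scripts).
--    Recently modified records surface first.
SELECT ID, post_type, post_status, post_modified, post_title
FROM wp_posts
WHERE post_content LIKE '%cialis%'
   OR post_title   LIKE '%cialis%'
   OR post_content LIKE '%display:none%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%<script%'
ORDER BY post_modified DESC;

-- 2. Options: header/footer output and widget text live here. Autoloaded
--    options run on every page load, so check those first.
SELECT option_id, option_name, autoload, LENGTH(option_value) AS len
FROM wp_options
WHERE option_value LIKE '%cialis%'
   OR option_value LIKE '%<script%'
   OR option_value LIKE '%<iframe%'
   OR option_value LIKE '%base64_decode%'
ORDER BY autoload DESC, len DESC;

-- 3. Post meta (custom fields) is another source themes print into pages.
SELECT meta_id, post_id, meta_key
FROM wp_postmeta
WHERE meta_value LIKE '%cialis%' OR meta_value LIKE '%<script%';

-- 4. Administrator accounts: compare against the users you actually created.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 5. Remove one confirmed snippet. The backup copy is created before the
--    transaction because CREATE TABLE would implicitly commit it in MySQL.
--    Replace the placeholder with the exact HTML seen in step 1.
CREATE TABLE wp_posts_backup AS
  SELECT * FROM wp_posts WHERE post_content LIKE '%INJECTED_SNIPPET_PLACEHOLDER%';
START TRANSACTION;
UPDATE wp_posts
SET post_content = REPLACE(post_content, 'INJECTED_SNIPPET_PLACEHOLDER', '')
WHERE post_content LIKE '%INJECTED_SNIPPET_PLACEHOLDER%';
SELECT ROW_COUNT() AS rows_changed;  -- check this matches step 1; ROLLBACK if not
COMMIT;
```

Re-running query 1 after the COMMIT (and again a day later) shows whether the content is being re-injected, which is the sign that the database credentials still need rotating.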
March 2, 2017 at 9:28 am in reply to: Anti-Malware say Ok but Sucuti say Infected With Malware #1796

It looks like your site is all clean now. Was it just that Sucuri cached their scan results or did you find and remove the remaining threats?
My plugin does not remove text content from the database. In plain text, that code is likely to look less malicious and could easily have been put there by the author on purpose. If you have a hole in your DB security there is nothing any plugin can do about that. You can also simply remove that unwanted HTML text once you have secured the DB so that it won’t happen again.
Sucuri says: Unable to properly scan your site. (HTTP Errors Returned)
Probably because you have Maintenance mode turned on right now, so I can’t tell if your site is still infected or not. If you want to give me more info or turn your site back on so I can see what you are talking about then I can help you more.
I use clamscan and maldet too, but I’ve never had it flag my plugin before. Your host must be using customized YARA Definitions that include the patterns written by Florian Roth. There is no telling how long it might take for his updates to reach the distribution branch that your host is using, so I have modified the relevant code in the latest release of my plugin so that it no longer matches this pattern.
I got a reply from Florian Roth. He says that he has fixed his YARA definitions, but I still see the old definitions published on other sites. Where do you get your YARA definition updates?
Yes, this is a False Positive, thanks for reporting this to me. I have notified Florian Roth (the developer who published that YARA Definition), but I am not confident that he can do much about it as it is open source and in distribution for over a year. Plus it may have been forked and redistributed by other developers, so I will be changing my code so that it will not match this definition any more.
This sounds like the classic shared hosting conundrum. Most shared hosting servers are wide open to crossover attacks, where a back-door or cron task on one site will infect many or all of the other sites on the server. If you can’t find the root source of the threat on any of your sites then it could be coming from a site on another account and there may not be much you can do about that.
I suggest switching to another, more secure, hosting environment. I do offer Super Secure Hosting for just such a problem as this and I can guarantee that your sites will not get re-infected on any of my servers. If you are interested in switching to my Super Secure Hosting then you can email me directly and we can discuss your particular hosting needs. If you are going to move to any other hosting providers, I suggest that you spread out your sites on different accounts/servers to minimize the crossover threat and isolate any problems you may bring over to the new server (if you put an infected site on any of my servers it would not be a problem).
PHP code is safe to download, and you can email it to me directly. If you would rather I handle the file directly on your server you can also just send me your login info and I will look at it in-place.
My plugin is obviously not malicious and does not contain a WebShell in its original installation source. However, I cannot tell you if this version that was detected by Maldet was modified or if it is a False Positive unless you send me that file so I can check it.
I have just whitelisted this false threat so that it will not be incorrectly flagged as malicious. Please download the latest definition updates and let me know if you have any more issues like this.