Bill Hand

Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
    in reply to: Pharma Hack #1067

    Bill Hand
    Member


    My domain host did a scan of my site last night and sent me this email. I ended up purchasing Sitelock so they would not shut down my site. This is just a partial list of the files they say were infected:

    “A scan of your account has found the following malicious or infected files present:

    wp-content/plugins/revslider/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND
    wp-content/plugins/revslider/temp/index_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
    wp-content/plugins/contact-form-7/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
    wp-content/plugins/cats-jobsite/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
    wp-content/plugins/bwp-google-xml-sitemaps/load.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL FOUND
    wp-content/plugins/w3-total-cache/lib/Microsoft/Http/Response/Stream_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
    wp-content/plugins/w3-total-cache/lib/W3/Cdn/Base_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
    wp-content/plugins/w3-total-cache/inc/options/support/select_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
    wp-content/plugins/w3-total-cache/ini/s3-sample-policy_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
    wp-content/plugins/wordpress-seo/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
    wp-content/plugins/underconstruction/meta.php: JCDEF.Obfus.CreateFunc.BackDoorEval-25.UNOFFICIAL FOUND
    wp-content/plugins/quick-pagepost-redirect-plugin/locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND

    <snip>

    /home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F25NS.F25NS.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLTEuN25ldy9mdW5jdGlvbnMucGhw1.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND
    /home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F15Ji.F15Ji.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLW9sZDIwMTQvZnVuY3Rpb25zLnBocA3.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND
    wp-admin/media-upload_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
    wp-admin/admin-media.php: JCDEF.Obfus.CreateFunc.BackDoorEval-26.UNOFFICIAL FOUND
    wp-admin/js/gallery_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
    wp-admin/includes/template_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
    wp-admin/includes/class-wp-locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
    wp-admin/css/color-picker-rtl_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
    wp-admin/user/user-edit_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND

    <snip>

    Due to the potential for abuse in this malware, and to protect your site content from further damage, we will have to suspend website services for your account if this is not addressed within 24 hours. Please remove/replace the malicious files as appropriate, through FTP or the file manager. I would recommend deleting and republishing your entire site from a clean copy; this should then erase any other code which may have been injected into your pages to allow ‘back-door’ access by unauthorized people.

    Most importantly, you need to make sure any applications in your account are completely up-to-date as far as versions, security patches, etc. are concerned. This applies not just to the core application, but also plugins, themes, modules, etc. ** If this is not done, your account will remain vulnerable to future attacks of this kind. **

    In addition, you should immediately change your password through the control panel for the account. You should choose a ‘strong’ password, which includes upper- and lower-case letters, numbers and special characters such as hyphens, and is at least eight characters long. This will help reduce the chance of this happening again.

    Other possible causes include:
    - a computer infected by viruses, which is controlled by hackers. In this situation, your uploads may also get infected.
    - poor scripts and/or applications, which allow hackers to insert various malformed queries to remotely execute code
    - virus-affected theme selection for applications
    - installing applications, add-ons or modules which are downloaded from third-party locations and may be infected.

    Please let us know when you have addressed the malicious files.”

    I can see where your plugin quarantined the two files listed as PHP Injector. I was wondering whether the rest of the files were false positives or if they were really infected? I assume Sitelock has cleaned these files now.

    If you can show me how to attach a file I can send the one you requested. Hopefully the issue has been resolved.
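The scan report quoted above mixes three kinds of entries, and a practitioner would sort them before deciding what to delete: files the GOTMLS plugin itself quarantined (the `.GOTMLS` names under `wp-content/uploads/quarantine/`), files whose names look like a stock file with a `_backup`, `_bck_old` or `_noversion` suffix bolted on, and files carrying a normal core or plugin name that have to be diffed against a clean copy of the same release. The Python 3 script below is an added example, not SiteLock's or the plugin's code. It parses a constructed copy of a few report lines, decodes the quarantine names, and buckets the rest; the quarantine naming layout it relies on (unpadded base64 of the original path followed by a digit, between the last dot and `.GOTMLS`) is an assumption read off these two names, not a documented format, and the suffix list is this example's own heuristic.

```python
"""Triage of a hosting provider's malware-scan report.

Added example: the REPORT text copies a handful of lines from the e-mail
quoted above; the parsing, quarantine-name decoding and name heuristics
are this example's own, not SiteLock's or the GOTMLS plugin's code.
"""
import base64
import binascii
import re
from collections import defaultdict

REPORT = """\
wp-content/plugins/revslider/general.php: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL FOUND
wp-content/plugins/w3-total-cache/lib/W3/Cdn/Base_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
wp-content/plugins/w3-total-cache/ini/s3-sample-policy_backup.php: JCDEF.Obfus.CreateFunc.BackDoorEval-18.UNOFFICIAL FOUND
/home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F25NS.F25NS.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLTEuN25ldy9mdW5jdGlvbnMucGhw1.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND
/home/users/web/b741/ipg.fullergrpcom/2014/wp-content/uploads/quarantine/F15Ji.F15Ji.L2hlcm1lcy9ib3NvcmF3ZWIxNTUvYjc0MS9pcGcuZnVsbGVyZ3JwY29tLzIwMTQvd3AtY29udGVudC90aGVtZXMvYXR0aXR1ZGUtcHJvLW9sZDIwMTQvZnVuY3Rpb25zLnBocA3.GOTMLS: SiteLock-PHP-INJECTOR-1-et.UNOFFICIAL FOUND
wp-admin/media-upload_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
wp-admin/includes/class-wp-locale.php: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL FOUND
"""

LINE_RE = re.compile(r"^(?P<path>\S+): (?P<sig>\S+) FOUND$")
# Heuristic (this example's own): a stock file name with a "_backup"-style
# suffix is a copy the attacker dropped next to the real file.
SUFFIX_RE = re.compile(r"_(?:backup|bck_old|new|noversion|prev\w*|ver\d+)\.php$")


def parse_report(text):
    """Return (path, signature) tuples from 'path: SIGNATURE FOUND' lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def decode_quarantine_name(path):
    """Recover the original path from a GOTMLS quarantine file name.

    Assumed layout (observed on the two names in the report, not documented):
    <rand>.<rand>.<unpadded base64 of original path><trailing digit>.GOTMLS.
    Trailing characters are trimmed until the remainder re-pads and decodes to
    a printable path starting with '/'.
    """
    name = path.rsplit("/", 1)[-1]
    if not name.endswith(".GOTMLS"):
        return None
    blob = name[: -len(".GOTMLS")].split(".")[-1]
    for cut in range(4):
        candidate = blob[: len(blob) - cut]
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.startswith("/") and decoded.isprintable():
            return decoded
    return None


def classify(path):
    """Bucket a flagged path for manual follow-up."""
    if path.endswith(".GOTMLS"):
        return "quarantined_by_plugin"
    if SUFFIX_RE.search(path):
        return "suffixed_copy"
    return "compare_with_clean_release"


def triage(text):
    """Group flagged files by bucket; quarantine entries carry their decoded origin."""
    buckets = defaultdict(list)
    for path, sig in parse_report(text):
        bucket = classify(path)
        original = decode_quarantine_name(path) if bucket == "quarantined_by_plugin" else None
        buckets[bucket].append({"path": path, "signature": sig, "original": original})
    return dict(buckets)


if __name__ == "__main__":
    for bucket, entries in triage(REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for e in entries:
            print("  ", e["original"] or e["path"], "<-", e["signature"])
```

The two quarantined entries decode to the `functions.php` of two copies of the theme, which lines up with the poster's statement that the plugin found the infection in functions.php; a second scanner still flags them because the quarantined copy keeps the malicious content. The suffixed names and the ordinary-looking names are the ones that still need a byte-for-byte comparison against a pristine release of the same version before anything is declared a false positive.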

    in reply to: Pharma Hack #1065

    Bill Hand
    Member

    The pages/posts look fine in the editor. If you google my site using “site:fuller-grp.com”, you will see pages of foreign-language drug-related sales for viagra, etc. This hack seems to be generating some kind of links to my site.

    From what I have read there are usually entries in the DB as well as the functions.php that allow this to happen. Have you dealt with something like this before?

    I also checked a backup of the site I have on my computer and it contains a folder of files that have unreadable code like “MzB8fHxrYW1hZ3JhIGJlb29yZGVsaW5nfHx8PCFE…”. I assume that is being generated by the malicious code.
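The scanner's signature name in the report, `Obfus.CreateFunc.BackDoorEval`, describes a shape rather than one payload: PHP where `create_function` or `eval` receives source text that only exists at runtime because it is produced by `base64_decode` (or `gzinflate`, `str_rot13` and similar), so the real code never appears in the file. The Python 3 script below is an added example, not the plugin's or SiteLock's code. It finds that shape in a constructed `functions.php` fragment, undoes the decoder chain to show what it hides, and decodes the base64 string quoted in this post. The infected snippet and its payload are constructed for the example (the payload serves a cached page only when the User-Agent contains `googlebot`, which is one way a site can look clean in the editor and in a browser while Google indexes spam); the decoder-chain handling generalizes beyond the single base64 case the report names; and the `counter|||keyword|||html` layout of the cache record is read off this one sample and is an assumption.

```python
"""Find obfuscated create_function/eval sinks in PHP and decode what they hide.

Added example, not the plugin's code. The PHP fragments and PAYLOAD are
constructed; only CACHE_ENTRY is copied from the post above.
"""
import base64
import codecs
import re
import zlib

# Constructed cloaking payload: spam for crawlers, normal pages for everyone else.
PAYLOAD = ("if(stripos($_SERVER['HTTP_USER_AGENT'],'googlebot')!==false)"
           "{readfile(__DIR__.'/cache/'.md5($_SERVER['REQUEST_URI']));exit;}")

# Constructed functions.php tail carrying the shape the scanner names.
INFECTED_FUNCTIONS_PHP = (
    "<?php\n"
    "add_action('init', 'theme_setup');\n"
    "$_x = create_function('', base64_decode('"
    + base64.b64encode(PAYLOAD.encode()).decode() + "')); $_x();\n"
)
# Legitimate base64_decode with no code sink: must not be flagged.
CLEAN_PHP = "<?php\n$state = json_decode(base64_decode($_GET['s']), true);\n"

# Copied from the post above: the first 40 characters of the string found in the backup.
CACHE_ENTRY = "MzB8fHxrYW1hZ3JhIGJlb29yZGVsaW5nfHx8PCFE"

SINK = r"""(?:create_function\s*\(\s*(['"])[^'"]*\1\s*,|eval\s*\()"""
DECODER = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)"
BACKDOOR_RE = re.compile(
    SINK + r"""\s*(?P<chain>(?:""" + DECODER + r"""\s*\(\s*)+)['"](?P<blob>[A-Za-z0-9+/=]+)['"]"""
)


def unwrap(chain, blob):
    """Apply the decoder chain innermost-first to recover the hidden source."""
    data = blob.encode()
    for name in reversed(re.findall(r"[a-z0-9_]+", chain)):
        if name == "base64_decode":
            data = base64.b64decode(data)
        elif name == "gzinflate":        # PHP gzinflate() is raw DEFLATE
            data = zlib.decompress(data, -15)
        elif name == "gzuncompress":     # PHP gzuncompress() is a zlib stream
            data = zlib.decompress(data)
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
        elif name == "strrev":
            data = data[::-1]
    return data.decode("utf-8", "replace")


def find_backdoors(php_source):
    """Return (line_no, sink_snippet, decoded_body) for each obfuscated sink."""
    findings = []
    for m in BACKDOOR_RE.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group(0)[:40], unwrap(m.group("chain"), m.group("blob"))))
    return findings


def make_gzinflate_sample(body):
    """Constructed eval(gzinflate(base64_decode('...'))) sample to exercise the chain."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(body.encode()) + co.flush()
    return "<?php eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


def decode_cache_entry(blob):
    """Decode one base64 spam-cache record and split it on its '|||' separator.

    Assumed layout from this single sample: counter ||| keyword ||| html.
    """
    text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")
    return text.split("|||", 2)


if __name__ == "__main__":
    for line_no, snippet, body in find_backdoors(INFECTED_FUNCTIONS_PHP):
        print(f"line {line_no}: {snippet}... decodes to:\n  {body}")
    print("clean file findings:", find_backdoors(CLEAN_PHP))
    print("cache entry fields:", decode_cache_entry(CACHE_ENTRY))
```

Decoded, the visible part of the poster's string is `30|||kamagra beoordeling|||<!D`: a record keyed by a Dutch search phrase (`beoordeling` is Dutch for review) whose third field starts an HTML document, which fits the foreign-language drug pages Google indexed. On a live system, run `find_backdoors` over every flagged file rather than judging by file name; `base64_decode` on its own is common in legitimate plugin code, which is why the detector also requires a code sink.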

    in reply to: Pharma Hack #1063

    Bill Hand
    Member

    My site has been hacked and I think it is the Pharma hack. From what I have read about this hack, it infects the theme and/or plugins (in my case it's the functions.php file) and also creates a backdoor to the database. There may also be a backdoor to allow remote access?

    Your plugin identified the infection in functions.php but fixing just that file won’t eliminate the entire issue. Can you provide any assistance in removing the unwanted database entries?

    Also, if I use the “fix this problem” button does that delete the entire file or repair it?

    Thanks for any help.
