#1 (New Coder)

I'm a new developer and a client site is infected with malware.

    Hello friends,

Just registered on the site as I've run into a roadblock and have absolutely no idea what to do. I started learning HTML/CSS/JS about 2 years ago and started "helping"/taking clients to get some experience professionally.

I'm not overly fluent outside basic front end but am capable of using Google/learning. Anyhow, to the point. A site I built that I won't disclose (it's got auto-download JS malware) has been infected.

At first I did a site scan through Sucuri that turned up 3 potential risks. I researched the ones there, did some updates to plugins and CMS versions, and somehow that uncovered 19 more malicious files.

At this point I have no idea what to do. Is it smarter to just advise the client to pay the $120 through online security companies to clean the site, or is there an easier way for me to manage this?

If I'm being unclear, I apologize; I'm still in the middle of learning.

    If you have any advice or questions, please let me know.

#2 (Master Coder)
    Not enough info ...

Is it their own server or a shared webhost ... and who is the webhost (if it pertains)?

    What is their CMS? A system like WordPress, Joomla, Drupal, or some other custom system?

Is the server-side scripting PHP, ASP, or Perl (which one)?

    Can you give us a link to the affected site?


#3 (New Coder)
    Thanks for the quick reply, appreciate it!

It's a shared webhost, not managed by myself. Jumplaunch owns the servers; not sure who they purchased from.

CMS: WordPress
    Scripting Language: PHP

This client came to me with this site, unhappy with the guy who built it. The way it's been put together is beyond my skill set right now; I've just started learning PHP.

    I feel weird sharing a link to a site with viruses on it but all the same:

    www.madewood.ca

I'm assuming based on your questions that problems like this can afflict either a site/domain or an entire server?

    Thanks again.

#4 (Master Coder)
    How do you know it's malware?

    It's a WordPress site that looks current: 3.4.2

    Would you be willing to PM one of us and we can view the website files?
    I realize you don't know any of us, but that would be an option.

#5 (New Coder)
Quote Originally Posted by mlseim:
    How do you know it's malware?

    It's a WordPress site that looks current: 3.4.2

    Would you be willing to PM one of us and we can view the website files?
    I realize you don't know any of us, but that would be an option.
    I suppose to be frank, I don't.

    Here's what I've done so far:

    Using this site I did an initial scan for malware. Its accuracy is unknown to me.

    It gave me these results: http://imgur.com/0u5rn

So that "scan" turned up the names of:
    Malware entry: MW:EXPLOITKIT:BLACKHOLE1
    Malware entry: MW:JS:160

This is where I started researching like a SOB, found a free copy of virus scan software and removed a Blackhole trojan (Viruses, Cookies, Trojans Quarantined: JS/Exploit-Blacole.eu) from my comp within 2 days of this discovery.

From there I logged into the dashboard of WordPress and installed "Anti-Malware by GOTMLS.net" and scanned the site again after doing all the updates to the site.

And I got this: http://imgur.com/uP69L

I tracked down the files through FTP, but that didn't do me any good because I don't know the code well enough to locate anything added after the fact.

#6 evo
It is certainly compromised. You will need to update it via a clean backup. If you don't have one then unfortunately you need to start from scratch, change your FTP access info and use a freshly made new database with a new username and password.

    This is because you have no idea what files have been compromised beyond the files that have been added on.

    In future try and make sure that you use as many security tools as possible to keep your website secure. Use strong passwords.

#7 evo
    Also you have no idea what information they may have captured from your existing site. And the purpose of the hack.

WordPress, along with other CMSs, is plagued with insecurities. It takes a few clicks to flood an admin user with countless never-ending password resets, as the wp-admin folder can't be changed.

    It's a bad place to be in.

#8 evo
P.S. In future sites, add an HTML or PHP redirect back to the base URL into every directory in the installation, using an HTML redirect where an index.php file already exists.

It'll add a little more security. And get rid of that WP generator tag.

    Sorry for the triple post. On here via my mobile.
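Editor's note: the "redirect in every directory" advice above is easier to follow with a concrete implementation. The following is an added example (mine, not evo's code) that walks a local copy of the site and writes a meta-refresh index.html into every directory that has no index file, leaving existing index.php/index.html files untouched. The sample tree it builds and the base URL http://www.example.com/ are constructed placeholders, not the real site. Two caveats a practitioner would add: on Apache, `Options -Indexes` in the site's .htaccess disables directory listings in one line and covers new directories automatically, and neither measure stops an uploaded PHP file from executing; that needs a separate rule denying PHP in wp-content/uploads. The generator tag evo mentions is removed server-side by `remove_action('wp_head', 'wp_generator');` in the active theme's functions.php.

```python
"""Put a redirecting index.html into every directory that has no index file.

Added example (not evo's code). It applies the "redirect in every
directory" advice to a local copy of the site before it is uploaded, so a
request for a bare directory URL goes back to the site root instead of
showing a listing. The base URL passed in is an assumed placeholder.
"""
import os
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.php", "index.html", "index.htm")

# Plain HTML redirect: also works in directories where PHP is not served.
REDIRECT_TEMPLATE = (
    '<!DOCTYPE html><html><head><meta charset="utf-8">'
    '<meta http-equiv="refresh" content="0;url={base}">'
    '<title>Redirecting</title></head><body></body></html>\n'
)


def add_index_redirects(root, base_url, dry_run=False):
    """Walk `root`; in every directory with no index file, write an
    index.html that sends the visitor to `base_url`.
    Returns the paths written (or, with dry_run, that would be written)."""
    written = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order; os.walk does not descend into symlinks
        if any(name in filenames for name in INDEX_NAMES):
            continue  # an index already exists; leave the real file alone
        target = Path(dirpath) / "index.html"
        written.append(str(target))
        if not dry_run:
            target.write_text(REDIRECT_TEMPLATE.format(base=base_url), encoding="utf-8")
    return written


def build_sample_tree(root):
    """Constructed sample layout, not the real site: wp-admin and wp-content
    already carry an index.php, the uploads directories do not."""
    root = Path(root)
    (root / "wp-admin").mkdir(parents=True)
    (root / "wp-admin" / "index.php").write_text("<?php // admin entry point\n")
    (root / "wp-content" / "uploads" / "2012" / "09").mkdir(parents=True)
    (root / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
    (root / "wp-content" / "uploads" / "2012" / "09" / "photo.jpg").write_bytes(b"\xff\xd8")
    return root


def demo():
    """Run twice on a throwaway tree. Returns (files written on the first
    pass, relative to the root; files written on the second pass)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        first = add_index_redirects(root, "http://www.example.com/")  # assumed URL
        second = add_index_redirects(root, "http://www.example.com/")  # idempotent
        rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
        return rel(first), rel(second)


if __name__ == "__main__":
    for path in demo()[0]:
        print("wrote", path)
```

Run it with `dry_run=True` first to see which directories would get a file; the second pass in `demo()` returns nothing because every directory now has an index, so re-running after adding plugins or uploads only fills in the new directories.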

#9 (New Coder)
    Noob questions incoming:

    1) What other security tools could have been used? The research I did basically said keep versions and plugins updated.

2) Should I contact their webhost to have things cleaned?

3) Does how they got in even matter? They are worried their old developer did this. Could it be a person, or are there programs constantly trolling the internets looking for holes like these?

    Side note: "in future sites add a HTML or php redirect back to the base URL into every directory in the installation, using a HTML redirect where an index.php file already exists. "

Not entirely sure what that means as I haven't started writing too much PHP yet. I've taken note of it and I'm sure it will make more sense as time goes on.

    Thanks for the help guys.

#10 evo
1) You should be able to find security tools/plugins that will actively deny SQL injections, DDoS attempts and so forth. I've stayed away from WP for quite some time now so I wouldn't be particularly up to date with these. Other things include htaccess modifications and password protecting the admin directory. If you just google for security tips relating to WordPress you should find a tonne of useful sites.

2) The web host most likely will disable your site as soon as you tell them, and will ask you to wipe the domain and restore a clean backup of the site. Any responsible host will do this as, again, there is no way of telling how extensive the compromise was to your existing files. They've modified the template at least to link the site to the malicious JavaScript files. They have no contractual obligation or need or want really to clean up an infected domain. Their interest is to purge it to limit the collateral damage it may cause. More so if it is a shared server.

3) It is extremely unlikely the old developer did this. More likely is one or both of two scenarios, not including SQL injection: a) the previous developer was complacent with password and security, and/or b) they downloaded the template/plugin from a source other than the author's website if they used one. Maybe a warez type website, which will often provide modified templates preloaded with the vulnerability inside.

    Due to the vast array of possibilities there's not much point in clutching at straws of which there are countless amounts.

Re side note: most hackers will try to first find what CMS you are using. The easiest way to get to that is either with the generator tag, which makes it obvious, or the admin directory. The most popular use default settings or cannot be changed, like WordPress/Joomla for instance. They also tend to give the first user a default user ID, the first always being a super admin user. It makes these installations a lot easier to attack with an injection.

As such it is highly recommended that you add an extra layer of security to these directories or try to limit access however best possible. The redirects I mentioned are useful to make it seem a file or directory does not exist.

    I would say that it is best that you start all over.
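Editor's note: evo is right that automated scanners fingerprint the CMS before attacking, but hiding the generator tag does less than it seems. The added example below (mine, not evo's code) implements the kind of check a scanning bot runs against a page, on a constructed sample page rather than the real site: it reads the generator tag and version, and then shows that with the tag stripped the page is still recognisably WordPress from the /wp-content/ and /wp-includes/ paths it must emit. Two related facts worth knowing: WordPress answers /?author=1 with a redirect to the first user's author archive, which exposes that login name regardless of the generator tag, and if you password-protect wp-admin with .htaccess you need to exempt wp-admin/admin-ajax.php, which front-end plugins call.

```python
"""What a CMS-fingerprinting bot sees in a page, and what stripping the
generator tag does and does not hide. Added example, not code from the
thread; SAMPLE_PAGE is constructed and the URLs in it are placeholders."""
import re

# WordPress emits: <meta name="generator" content="WordPress x.y.z" />
GENERATOR_TAG = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\'][^>]*>', re.I)

# Paths present on practically every WordPress page, generator tag or not.
PATH_MARKERS = {
    "wp-content": re.compile(r"/wp-content/", re.I),
    "wp-includes": re.compile(r"/wp-includes/", re.I),
    "wp-login": re.compile(r"/wp-login\.php", re.I),
}


def fingerprint(html):
    """Pull out the indicators a scanning bot uses to pick targets.
    Returns the generator text, the parsed version, which path markers
    matched, and a verdict."""
    generator = version = None
    m = GENERATOR_TAG.search(html)
    if m:
        generator = m.group(1).strip()
        v = re.search(r"\d+(?:\.\d+)+", generator)
        version = v.group(0) if v else None
    paths = [name for name, rx in PATH_MARKERS.items() if rx.search(html)]
    is_wp = bool(paths) or (generator is not None and "wordpress" in generator.lower())
    return {"generator": generator, "version": version,
            "paths": paths, "is_wordpress": is_wp}


def strip_generator(html):
    """Client-side equivalent of what remove_action('wp_head', 'wp_generator')
    achieves on the server: the meta tag is gone, nothing else changes."""
    return GENERATOR_TAG.sub("", html)


# Constructed sample of a WordPress 3.4.2 front page (the version mlseim saw).
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="UTF-8" />
<title>Sample page</title>
<link rel='stylesheet' href='http://www.example.com/wp-content/themes/sometheme/style.css' type='text/css' />
<script type='text/javascript' src='http://www.example.com/wp-includes/js/jquery/jquery.js?ver=1.7.2'></script>
<meta name="generator" content="WordPress 3.4.2" />
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    print("as served:      ", fingerprint(SAMPLE_PAGE))
    print("generator gone: ", fingerprint(strip_generator(SAMPLE_PAGE)))
```

The second print shows the practical limit of the advice: stripping the tag removes the version number, which is the part that lets a bot match a site against a list of known-vulnerable releases, but the site still reads as WordPress, so keeping core, plugins and themes patched matters more than hiding the platform.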

#11 VIPStephan
Common security holes are poorly programmed CMS modules/plugins, usually web forms that don’t do enough security checks for their input. Spammers then usually insert hidden iframes into the site that load the malware. Also, it has been noted that some WordPress themes are compromised or specifically programmed with obfuscated code that could be malware. A good read on this is at http://wpmu.org/why-you-should-never...anywhere-else/. Another thing that’s good to know is that some malware/spam robots look for characteristic code sequences or text strings in the HTML source code, such as meta tags with clear indication about which CMS is used, and which version (things like “powered by WordPress” or similar). That way they can easily find out who is using a system with known security holes. So always remove these version notes or any indication about the CMS used if possible.

    That said, I can only agree with evo in that it’s best to remove everything and reinstall from scratch. It should usually suffice to delete all files from the server and clear/delete the database to clean up a webspace (changing all passwords (FTP/database) is advisable, too). If the host’s servers aren’t infected themselves (which we can usually assume they aren’t) that should get rid of any malware that affects your site because after all, malware is just software and consisting of regular files, too.

    Also, there are a few security measures you can add with a few htaccess rules to block known evil scripts, for example.
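Editor's note: the two practical points in the thread, that the injected code is ordinary files (hidden iframes, obfuscated JS and PHP loaders) and that you cannot tell by eye which files were touched, are exactly what the original poster got stuck on after downloading the site over FTP. The added example below (mine, not code from any poster) does both checks on a local copy: a signature scan for the injection patterns described above, and a hash comparison of the downloaded site against a clean WordPress download of the same version, which lists modified core files and files that exist only on the live site. The sample trees, file names and payload strings are constructed for the demo and are not taken from the affected site; signature hits are leads to inspect, not proof, and a clean scan does not prove the site is clean, which is why the advice to rebuild from scratch and rotate FTP and database credentials stands.

```python
"""Locate injected code in a WordPress tree: a signature scan plus a diff
against a clean copy of the same version. Added example, not from the thread."""
import hashlib
import re
import tempfile
from pathlib import Path

SCAN_EXT = {".php", ".js", ".html", ".htm"}

# Signatures for the injection styles the thread describes (hidden iframes,
# obfuscated JS, base64/eval loaders, input-driven backdoors). A hit is a lead.
SIGNATURES = {
    "eval_obfuscated": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval_user_input": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I | re.S),
    "js_unescape_write": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{300,}={0,2}"),
}


def scan_text(text):
    """Names of the signatures present in one file's contents."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root):
    """Map relative path -> signature names for every scannable file with a hit."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def _digests(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_with_clean(site_root, clean_root):
    """Diff a downloaded site against a clean WordPress of the same version.
    Returns (modified, added): core files whose bytes changed, and files that
    exist only on the live site (uploads, plugins and backdoors all land here)."""
    live, clean = _digests(site_root), _digests(clean_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    added = sorted(p for p in live if p not in clean)
    return modified, added


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text, encoding="utf-8")


def demo():
    """Constructed sample (not the real site): a clean tree, and a live copy
    with one core script tampered with and one backdoor dropped in uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        core_js = "(function(){ /* jquery placeholder */ })();\n"
        for root in (clean, live):
            _write(root, "wp-includes/version.php", "<?php $wp_version = '3.4.2';\n")
            _write(root, "wp-includes/js/jquery/jquery.js", core_js)
        # Hidden iframe appended to a core script on the live copy (constructed).
        _write(live, "wp-includes/js/jquery/jquery.js", core_js +
               "document.write('<iframe src=\"http://bad.example/\" width=\"0\" "
               "height=\"0\" style=\"visibility:hidden\"></iframe>');\n")
        # Dropped loader hiding in uploads; the blob is filler, not a real payload.
        _write(live, "wp-content/uploads/2012/09/cache.php",
               "<?php eval(base64_decode('" + "QUFB" * 120 + "')); ?>\n")
        _write(live, "wp-content/uploads/2012/09/photo.txt", "not scanned\n")
        modified, added = compare_with_clean(live, clean)
        return {"hits": scan_tree(live), "modified": modified, "added": added}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice you download the whole site over FTP, fetch the matching release from wordpress.org, and read `modified` first: a changed core file is almost never legitimate. Then work through `added`, which on a real site is mostly uploads and third-party plugins, using the signature hits to prioritise; plugins and themes should be compared against fresh copies from their authors the same way.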
