
Little help please

Discussion in 'General Board' started by WaftyCrank, Oct 11, 2011.

Thread Status:
Not open for further replies.
  1. WaftyCrank United Kingdom

    WaftyCrank Active Member

    Joined:
    Oct 2007
    Posts:
    849
    Likes Received:
    11
    I've had an email from an SEO expert trying to sell me their services.
    In the email they've told me my wordpress site is trying to download a trojan to their computer but was picked up by their AVAST anti virus.

    This was done simply by logging on to the site.

    Now I appreciate this isn't a request you may relish, but if anyone would like to try this out for me, the site in question is located here.

    I've tried and tried to no avail and cannot locate what they're talking about, so am assuming it's a ploy to get me talking to them to buy their services. If any of you guys get the same issue then I know there is a problem and need to get it fixed.

    Thanks in advance.
     
  3. boxfish United Kingdom

    boxfish Active Member

    Joined:
    Jul 2010
    Posts:
    877
    Likes Received:
    38
  4. monaghan United Kingdom

    monaghan Moderator Staff Member

    Joined:
    May 2007
    Posts:
    1,993
    Likes Received:
    45
    Oops, I've seen similar on a customer site; long strings of hex and an eval command immediately suggest something underhand.

    I've not bothered to decode this one, but often the code will manipulate the DOM and insert elements from another site. You need to look at how it was able to be inserted. Common ways are user profile photo uploads that allow a PHP file to be uploaded and executed and a PHP shell is uploaded and executed and then the "insert appropriate word here" person has access to your user account and can do what they want.
     
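A way to locate the pattern monaghan describes (an `eval` wrapped around decoded or hex-escaped strings) before anyone sits down to decode it, as an added shell example that is not code from this thread or from any poster. The sample web root and the file contents it scans are constructed here purely to exercise the check, and the regular expression is my own assumption about what such injected code usually looks like, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans a web root for the
# "long strings of hex plus eval" pattern so suspicious files can be
# located before anyone bothers to decode them.
#
# Assumed pattern (my own, not from the post): either
#   eval( immediately wrapping base64_decode/gzinflate/gzuncompress/str_rot13, or
#   a run of eight or more \xNN escapes inside a string (covers PHP and JS).
PATTERN='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)|(\\x[0-9a-fA-F]{2}){8,}'

# Print one matching file per line. Only script/markup files are inspected;
# never returns non-zero so it is safe to call under `set -e`.
scan_obfuscated_eval() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.js' -o -iname '*.html' \) \
        -exec grep -lE "$PATTERN" {} + 2>/dev/null || true
}

# Build a constructed sample site in a temp dir and print its path.
# The "payloads" decode to the word hello; they exist only to exercise the scan.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<?php eval(base64_decode("aGVsbG8=")); ?>' > "$d/wp-content/uploads/img.php"
    printf '%s\n' 'var s = eval("\x68\x65\x6c\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64");' > "$d/wp-content/themes/demo/footer.js"
    printf '%s\n' 'body { color: #abcdef; }' > "$d/wp-content/themes/demo/style.css"
    echo "$d"
}

# Stand-alone run: `sh scan.sh --demo` scans the constructed site, then cleans up.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    scan_obfuscated_eval "$site"
    rm -rf "$site"
fi
```

On a real box, point `scan_obfuscated_eval` at the document root; a hit in `wp-content/uploads` or in a theme file that the theme's own package does not ship is the file to diff against a clean copy, and the modification time of that file narrows down when the insertion happened.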
  5. Ashton United Kingdom

    Ashton Well-Known Member

    Joined:
    Feb 2010
    Posts:
    1,621
    Likes Received:
    29
    ==EDIT==

    Yep, it's your timthumb, same thing happened to me. I got my entire server completely rooted from it, so you might want to check that.

    TimThumb allows images to be posted from sites like flickr.com so all the hackers have to do is do 'flickr.com.HACKERSITE.CN/SHELLHERE.php' and your site will nicely take it and cache it giving them a hell of a lot of access to your site. You can read more about it here: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

    You need to back up your database and your uploads folder (MINUS THE SHELL!) and wipe the site, and check if your other sites on that box are compromised (like mine were).

    This is such a crap thing to happen and I feel your pain, took me so long to sort.
     
    Last edited: Oct 11, 2011
  6. WaftyCrank United Kingdom

    WaftyCrank Active Member

    Joined:
    Oct 2007
    Posts:
    849
    Likes Received:
    11
    Oh [insert expletive]
     
  7. expertc

    expertc Well-Known Member

    Joined:
    Apr 2009
    Posts:
    1,009
    Likes Received:
    16
    The easiest way out:

    1. Ask your hosting company to run an audit on ALL your files.
    2. Update WP and plugins
    3. Change your password.
     
  8. Ashton United Kingdom

    Ashton Well-Known Member

    Joined:
    Feb 2010
    Posts:
    1,621
    Likes Received:
    29
    What I did:

    1. Checked all my databases for anything malicious.
    2. Backed up all my databases.
    3. Backed up my uploads folders on my wordpress site, making sure that no shells remained in them (no php files whatsoever should be in there really).
    4. Backed up static sites.
    5. Completely erased the box.
    6. Set up new security on the box (default CHMOD made more secure for example, added a few security mods too)
    7. Create new accounts for all the sites using generated passwords which I wrote down in an encryption script.
    8. Create new databases and users for the sites and upload the latest wordpress and your databases. Install http://wordpress.org/extend/plugins/wp-security-scan/
    9. Make sure before you add any theme you remove any unnecessary scripts and update to the latest timthumb.
    10. Upload the themes and activate them.
     
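The "no PHP files in uploads" check from step 3 above, together with a version listing for the TimThumb copies Ashton's earlier post warns about (step 9), as an added shell example that is not code from this thread or from any poster. The WordPress directory layout it builds is constructed for illustration, and the `define ('VERSION', ...)` line it greps for is my assumption about what a timthumb.php file contains.

```shell
#!/bin/sh
# Added example, not from the thread. Two read-only checks to run before
# backing up wp-content/uploads or trusting a theme:
#   1. list PHP-family files where only static content belongs
#      (uploads, TimThumb cache directories); each hit is a candidate "shell";
#   2. list every copy of timthumb.php/thumb.php with its VERSION line, so
#      outdated copies are visible. Assumes (my assumption) the script keeps
#      a line of the form define ('VERSION', '...'); as upstream does.

# $@ = directories that should hold no executable code. Prints offenders,
# always exits 0 so it is safe under `set -e`.
find_php_in_static_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
    done
    return 0
}

# $1 = web root. Prints "path:define line" for each TimThumb copy found.
list_timthumb_copies() {
    find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) \
        -exec grep -H "define *('VERSION'" {} \; 2>/dev/null || true
}

# Constructed sample layout: one honest image, three stray scripts, one
# old TimThumb copy (version number is made up). Prints the temp dir path.
make_sample_wordpress() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2011/10" "$d/wp-content/themes/demo/cache"
    : > "$d/wp-content/uploads/2011/10/photo.jpg"
    printf '%s\n' '<?php /* constructed stand-in for a dropped shell */ ?>' > "$d/wp-content/uploads/2011/10/photo.php"
    printf '%s\n' '<?php ?>' > "$d/wp-content/uploads/2011/10/readme.phtml"
    printf '%s\n' '<?php ?>' > "$d/wp-content/themes/demo/cache/external_abc.php"
    printf '%s\n' '<?php' "define ('VERSION', '1.33'); /* constructed, old */" > "$d/wp-content/themes/demo/timthumb.php"
    echo "$d"
}

# Stand-alone run: `sh check.sh --demo` builds the sample, runs both checks, cleans up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_wordpress)
    find_php_in_static_dirs "$root/wp-content/uploads" "$root/wp-content/themes/demo/cache"
    list_timthumb_copies "$root"
    rm -rf "$root"
fi
```

Run `find_php_in_static_dirs` against every uploads and cache directory on the box before the backup in step 3 is taken, so that nothing listed travels into the clean rebuild; `list_timthumb_copies` against the web root shows which themes still carry a copy that needs replacing in step 9.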
  9. Blossom

    Blossom Well-Known Member

    Joined:
    Oct 2010
    Posts:
    1,395
    Likes Received:
    55
    That's really not a good idea. It's not about an easy way out, it's about securing your site as effectively as you can. Shortcuts shouldn't be an option. Hosts don't have time to go through files in that way, and even if they do, they can't always tell what are your changes and what are someone else's.

    Much better to revert to an older version/backup that definitely hasn't been compromised, and upload the newer TimThumb script that has been amended.
     
  10. Ashton United Kingdom

    Ashton Well-Known Member

    Joined:
    Feb 2010
    Posts:
    1,621
    Likes Received:
    29
    The main issue for me was the fact he had rooted + mapped the entire server and had usernames for all the accounts. I wasn't 100% sure how far he had got into the system so I opted for a complete reset to assure future security.
     
  11. WaftyCrank United Kingdom

    WaftyCrank Active Member

    Joined:
    Oct 2007
    Posts:
    849
    Likes Received:
    11
    Well my hosting is on a reseller cloud service rather than a dedicated single server.
    I've asked them to run a check and they are helping out, they're actually very good.
    Problem is I hardly understood any of what you said, Ashton, and would struggle to get it all done. I'm really stuck between a rock and a hard place right now.
     
  12. WaftyCrank United Kingdom

    WaftyCrank Active Member

    Joined:
    Oct 2007
    Posts:
    849
    Likes Received:
    11
    Seems to be all clear now. Would I be able to get one of you good folk to check again for me?
     