Little help please

WaftyCrank · Oct 11, 2011

I've had an email from an SEO expert trying to sell me their services.
In the email they've told me my wordpress site is trying to download a trojan to their computer but was picked up by their AVAST anti virus.

This was done simply by logging on to the site.

Now I appreciate this isn't a request you may relish but if anyone would like to try this out for my, the site in question is located here.

I've tried and tried to no avail and cannot locate what they're talking about so am assuming it's a ploy to get me talking to them to buy their services. If any of you guys gets the same issue then I know there is a problem and need to get it fixed.

Thanks in advance.

boxfish · Oct 11, 2011

http://sitecheck.sucuri.net/scanner/

Malware found on javascript file:
http://www.sheffieldlaser.co.uk/wp-includes/js/l10n.js?ver=20101110

Malware found on javascript file:
http://www.sheffieldlaser.co.uk/wp-includes/js/jquery/jquery.js?ver=1.4.4

monaghan · Oct 11, 2011

Oops, I've seen similar on a customer site, long strings of hex and an eval command immediately suggests something underhand.

I've not bothered to decode this one, but often the code will manipulate the DOM and insert elements from another site. You need to look at how it was able to be inserted. Common ways are user profile photo uploads that allow a PHP file to be uploaded and executed and a PHP shell is uploaded and executed and then the "insert appropriate word here" person has access to your user account and can do what they want.

Ashton · Oct 11, 2011

==EDIT==

Yep its your timthumb, same thing happened to me. I got my entire server completely rooted from it, so you might want to check that.

TimThumb allows images to be posted from sites like flickr.com so all the hackers have to do is do 'flickr.com.HACKERSITE.CN/SHELLHERE.php' and your site will nicely take it and cache it giving them a hell of a lot of access to your site. You can read more about it here: http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

You need to backup your database and your uploads file (MINUS THE SHELL!) and wipe the site, and check if your other sites on that box are compromised (like mine were)

This is such a crap thing to happen and I feel your pain, took me so long to sort.

WaftyCrank · Oct 11, 2011

Oh [insert expletive]

expertc · Oct 11, 2011

The easiest way out:

1. Ask your hosting company to run audit on ALL your files.
2. Update WP and plugins
3. Change your password.

Ashton · Oct 11, 2011

What I did:

1. Checked all my databases for anything malicious.
2. Backed up all my databases.
3. Backed up my uploads folders on my wordpress site making sure that no shell's remained in them (no php files whatsoever should be in there really)
4. Backed up static sites.
5. Completely erased the box.
6. Set up new security on the box (default CHMOD made more secure for example, added a few security mods too)
7. Create new accounts for all the sites using generated passwords which I wrote down in an encryption script.
8. Create new databases and users for the sites and upload the latest wordpress and your databases. Install http://wordpress.org/extend/plugins/wp-security-scan/
9. Make sure before you add any theme you remove any unnecessary scripts and update to the latest timthumb.
10. Upload the themes and activate them.

Blossom · Oct 11, 2011

expertc said:
The easiest way out:

1. Ask your hosting company to run audit on ALL your files.
2. Update WP and plugins
3. Change your password.

That's really not a good idea. It's not about an easy way out, it's about securing your site as effectively as you can. Shortcuts shouldn't be an option. Hosts don't have time to go through files in that way, and even if they do, they can't always tell what are your changes and what are someone else's.

Much better to revert to an older version/back up that definitely hasn't been compromised, and upload the newer tim thumb script that has been amended.

Ashton · Oct 11, 2011

The main issue for me was the fact he had rooted + mapped the entire server and had usernames for all the accounts. I wasn't 100% sure how far he had got into the system so I opted for a complete reset to assure future security.

WaftyCrank · Oct 11, 2011

Well my hosting is on a reseller cloud service rather than a dedicated single server.
I've asked them to run a check and they are helping out, they're actually very good.
Problem is I hardly understood any of that what you said Ashton and would struggle to get it all done. I'm really stuck between a rock and a hard place right now.