Malware on Wordpress Website
- Posted:
- Proposals: 4
- Remote
- #1320369
- Awarded
Description
Experience Level: Expert
General information for the website: Clean Wordpress website and DB then Re-install, as per ISP's instructions
Description of requirements/features: I have a WordPress website which my host has disabled, as it has been attacked by malware. They have sent the following instructions and I need someone to follow these instructions and restore the website.
Unfortunately I have had to disable script functionality for your website, as it has been compromised.
These compromises typically take advantage of weaknesses in the code that your site is constructed with, not the code that the server itself uses.
These weaknesses can be found in themes, plugins or modules you have installed. If you are using an out-of-date version of WordPress the base install may also be vulnerable.
These types of malicious files can be used to attack other servers, steal data from your website database, install malware on your visitors' machines and then eventually cause you to be blacklisted by Google, preventing organic search traffic reaching your domain.
This compromise appears to be the cause of the redirects in this case. Upon checking for the source of the redirect, I carried out a few basic checks, which pointed out abnormalities in some of the core files used by WordPress.
For example, I located a file called 'xml.php', in the directory '/wp-includes/SimplePie/XML/Declaration/'. This file contained encoded data, which is not common in WordPress (as confirmed here: https://core.trac.wordpress.org/browser/branches/4.6/src#wp-includes/SimplePie/XML/Declaration)
Below are the details showing when this file was modified:
File: `xml.php'
Size: 38704 Blocks: 80 IO Block: 8192 regular file
Device: 13h/19d Inode: 30212406 Links: 1
Access: (0644/-rw-r--r--) Uid: (1485576/limo4u.co.uk) Gid: (1473813/limo4u.co.uk)
Access: 2016-09-23 20:02:06.314685946 +0100
Modify: 2016-09-23 20:02:06.315685946 +0100
Change: 2016-09-23 20:02:06.315685946 +0100
I also checked the index.php file, which contained code which appears to be causing the redirect (I'm not sure what the rest of the code did).
The details of this file are as follows:
File: `index.php'
Size: 7626 Blocks: 16 IO Block: 8192 regular file
Device: 13h/19d Inode: 3105229 Links: 1
Access: (0644/-rw-r--r--) Uid: (1485576/limo4u.co.uk) Gid: (1473813/limo4u.co.uk)
Access: 2015-05-16 22:19:17.000000000 +0100
Modify: 2015-05-16 22:19:17.000000000 +0100
Change: 2016-08-29 10:14:11.206484509 +0100
The attacker may also have accessed or copied your database details from wp-config.php. This would mean they have access to the database that powers your site providing them the ability to add administrative users, edit the content of pages or add malicious links to the site.
To prevent this we have disabled access to the site. In order to fix this and restore your site please follow these steps and our support team will be able to review and enable the site again.
Please note: You are not able to simply replace your site files with a recent backup. The backup may still contain the malicious software and at the very least it will almost certainly contain the original exploit used to gain access.
1. Respond to this ticket letting us know you are ready to continue. We can create a backup of the files and database for you to download, then remove the live site files and change the database password. At this point support can take a dump of the mysql database and zip the site contents and database files. Then change the database password. All support should be able to do this.
2. Check your WordPress database for unauthorised admin users (we can help with this), and check that their email addresses haven't been changed. Support should provide output from the wp_users table for the customer to verify.
3. Request we enable the site. Support can re-enable the site allowing them to download the backup.
4. Install a clean fresh copy of WordPress using our one click installer or a direct download from WordPress website.
5. Re-attach your new files to your old database by editing wp-config.php
6. Download and install the latest version of all plugins and themes needed for your site.
(Please avoid downloading any pirate copies of themes or plugins, or software not from the original developer's official site. Unauthorised or unlicensed versions are often provided pre-hacked.)
Known plugins with vulnerabilities can be seen here: https://wordpress.org/plugins/plugin-vulnerabilities/
Once you have completed these steps and are happy the site is clean and secure, please let us know on this ticket and we will complete a check to see if the site is secure.
If you have any questions, please do not hesitate to ask
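The host's ticket describes two checks a cleaner has to repeat before trusting the rebuilt site: spotting core files that carry encoded payloads or whose stat timestamps do not add up (the index.php above has a Modify time from 2015 but a Change time from August 2016; mtime can be reset with touch -r, ctime cannot be set from userland, so a ctime well after mtime points at timestomping), and listing every administrator in wp_users/wp_usermeta so the owner can confirm the logins and email addresses. The script below is an added example, not code from the job post or from the host; it builds a constructed sample tree and an in-memory SQLite copy of the two tables (assuming the default wp_ table prefix) and runs both checks over them.

```python
"""Post-compromise triage for a WordPress tree (added example, not the host's tooling).

Part 1: flag PHP files that contain obfuscation markers (base64_decode, eval,
        gzinflate, long base64 runs) or whose ctime is far later than their
        mtime, which suggests the mtime was reset after the file was changed.
Part 2: list administrator accounts from wp_users/wp_usermeta and compare
        them with the logins and email addresses the owner recognises.
The sample tree and database are constructed here; the table prefix 'wp_'
is assumed.
"""
import os
import re
import sqlite3
import tempfile
import time

# Markers that are rare in clean core files but typical of droppers.
OBFUSCATION = re.compile(
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13|eval\s*\()|[A-Za-z0-9+/=]{200,}"
)
CTIME_GAP_SECONDS = 24 * 3600  # ctime more than a day after mtime is suspicious


def scan_php_tree(root):
    """Return sorted (relative path, reasons) for suspicious .php files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            with open(path, "rb") as fh:
                if OBFUSCATION.search(fh.read()):
                    reasons.append("encoded-or-eval")
            st = os.stat(path)
            if st.st_ctime - st.st_mtime > CTIME_GAP_SECONDS:
                reasons.append("ctime-after-mtime")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


# Same query works against MySQL; capabilities are stored as serialized PHP.
ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def find_unexpected_admins(conn, expected):
    """expected maps user_login -> user_email the owner vouches for.
    Returns (login, email, reason) for admins that are unknown or whose email changed."""
    out = []
    for _id, login, email, _registered in conn.execute(ADMIN_SQL):
        if login not in expected:
            out.append((login, email, "unknown admin"))
        elif expected[login].lower() != email.lower():
            out.append((login, email, "email changed"))
    return out


def build_sample_tree():
    """Constructed sample: one clean core file, one dropper, one timestomped index.php."""
    root = tempfile.mkdtemp(prefix="wp-")
    core = os.path.join(root, "wp-includes", "SimplePie", "XML", "Declaration")
    os.makedirs(core)
    with open(os.path.join(core, "Parser.php"), "w") as fh:
        fh.write("<?php\nclass SimplePie_XML_Declaration_Parser {}\n")
    with open(os.path.join(core, "xml.php"), "w") as fh:  # constructed encoded payload
        fh.write("<?php\neval(base64_decode('" + "QUFB" * 80 + "'));\n")
    idx = os.path.join(root, "index.php")
    with open(idx, "w") as fh:  # constructed redirect, mtime then reset to ~400 days ago
        fh.write("<?php\nheader('Location: http://example.invalid/');\nrequire 'wp-blog-header.php';\n")
    old = time.time() - 400 * 86400
    os.utime(idx, (old, old))  # resets atime/mtime only; ctime stays 'now'
    return root


def build_sample_db():
    """Constructed wp_users/wp_usermeta with one legitimate admin and one planted admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES
      (1,'owner','owner@example.com','2015-05-16 22:19:17'),
      (2,'editor','editor@example.com','2015-06-01 09:00:00'),
      (3,'wp_support','mail@attacker.invalid','2016-08-29 10:14:11');
    INSERT INTO wp_usermeta VALUES
      (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
      (2,2,'wp_capabilities','a:1:{s:6:"editor";b:1;}'),
      (3,3,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for rel, why in scan_php_tree(build_sample_tree()):
        print(rel, ",".join(why))
    for row in find_unexpected_admins(build_sample_db(), {"owner": "owner@example.com"}):
        print(*row)
```

The marker scan is a first pass only: a few legitimate core and plugin files do call base64_decode, so the authoritative test for core is a checksum comparison against the release (WP-CLI's wp core verify-checksums, or the checksums published by api.wordpress.org), and anything that differs or was not shipped gets reviewed rather than deleted blindly. The ctime test depends on the attacker not having root; it catches touch -r style timestomping only. Run the admin query against the old database before reattaching it in step 5, and repeat it after, since the host's warning about wp-config.php means a stolen database password lets the attacker re-add users until it is rotated.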
Ajay D. (United Kingdom)
Rating: 99% (114)
Projects Completed: 175
Freelancers worked with: 89
Projects awarded: 15%
Last project: 21 Feb 2022
Clarification Board
- What is your budget?
- Happy to clean your website and DB, but not for £100. Don't fall for cheap solutions, because the problems will come back. Let me know if you are interested. Also, I can provide anti-brute-force hosting.
Greg
- Hello Ajay, can you provide a link to your site please? Thanks