• Resolved epicsockmonkey

    (@epicsockmonkey)


    Everything seemed fine until someone told me different. My computer’s silent antivirus kept me from seeing pop-ups without even telling me they existed. So here I am trying to fix something that’s been there for weeks on my site.

    What I know is that if you click on the events page, you get a pop-up or even a redirect to another page. It’s never the same twice. I have Wordfence Premium which doesn’t report anything on a scan.

    I’m using twentyeleven with a child theme and my site and plugins are up to date. I have no extra themes or much of anything stored aside from recovery from Backupwordpress plugin recovery.

    I don’t know if Wordfence just stinks, which I doubt, or if maybe it’s some place it isn’t scanning. I tried manually finding it without any luck. Where else can it be? If I do a restore I’m going to lose a LOT of info, but I will if I have to. Any ideas?

    (Sobodance.com) is the site

Viewing 10 replies - 1 through 10 (of 10 total)
  • Without a backup your only permanent solution is to repair the site. Follow this guide.

    If you want to make sure Wordfence is making the most thorough scan possible, from your Dashboard > Wordfence > Options > go to the section titled “Scans to include” and tick mark ALL the boxes in this section. Then rescan.

    Thread Starter epicsockmonkey

    (@epicsockmonkey)

    I did. No luck.

    Sorry, then the guide is your best answer. It takes longer to read than to do the work.

    Unless you get lucky, a manual search is usually a waste of time. The average WordPress installation including plugins and themes contains about 4000 files. The average file may contain 1000 lines of code. This means if you manually search for malware in the average WordPress installation, you have 4 million lines of code to review.

    Did you get this fixed?

    Browsed around your website and calendar events for June/July, didn’t get any popup as you mentioned, or is that issue with some specific events?

    Even Sucuri mentions website as clean
    https://sitecheck.sucuri.net/results/sobodance.com

    @laliz Sucuri is not a server side scanner. Even their free plugin is not a server side scanner. Only a server scan is capable of locating all types of malware. And even though a scan may be capable of finding malware, there is no guarantee it will. This case is a perfect example: Wordfence is an excellent tool but it didn’t find malware.

    It is not prudent to tell a site owner their site is not hacked unless you can verify that. Hacks appear and disappear. They only show to some agents or OS or browsers.

    Thread Starter epicsockmonkey

    (@epicsockmonkey)

    The only time I find these pop-ups is when I click on the events page, with my antivirus off and pop-up protection disabled. It doesn’t happen on any other page. It isn’t the act of clicking because if I enable maintenance mode on the page, the splash shows up without the popups when it’s clicked. This tells me that it isn’t the actual act of clicking the menu. Since this is the site’s “blog” so to speak, I’m under the impression that the problem resides in my database.

    I didn’t get it fixed and was debating whether purchasing Sucuri would be fruitful. The fact is, I won’t be wasting my money since there is obviously a security issue that’s being overlooked. It got in somehow. I have very limited knowledge on databases so I am hoping to find a program that can “search” it.

    I am sent to one of those pages that is almost impossible to close trying to sell me spyware removal when I click on Events.

    There is the possibility that the database is involved but on average, I find the database isn’t often the source of the hack. There is information in the guide for cleaning the database but I suggest you leave the database to last.

    Why wouldn’t you want to follow the guide that is proven to remove the malware from your site?

    Thread Starter epicsockmonkey

    (@epicsockmonkey)

    I thank you for the link and am looking at it. I was interested in what others had to say for many reasons. One was because this is a unique learning experience for me and I wanted more input than just an article. I’m happy I got it and believe I resolved the problem. I think the culprit is a plugin I was using called Sweet Captcha. I’m basing this off my console actions in the dev toolbar. I deleted it and cleared my cache and all seems right in the world.

    Thanks, and the article is a great reference!
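
An added example, not part of any post in this thread: since the pop-ups appeared on only one page, comparing the third-party script and iframe hosts in a saved copy of that page against a page that behaves normally narrows down which include to inspect first. The sample HTML, the host names and `site.example` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ActiveContentHosts(HTMLParser):
    """Collect the hosts a page pulls <script> and <iframe> content from."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            # urlparse also handles protocol-relative URLs (//host/path);
            # relative paths have no hostname and are same-site.
            host = urlparse(src).hostname
            if host:
                self.hosts.add(host.lower())


def external_hosts(html, site_host):
    """Hosts other than the site itself (and its subdomains)."""
    parser = ActiveContentHosts()
    parser.feed(html)
    return {h for h in parser.hosts
            if h != site_host and not h.endswith("." + site_host)}


def hosts_only_on_affected_page(affected_html, baseline_html, site_host):
    """Third-party hosts present on the affected page but not the baseline."""
    return sorted(external_hosts(affected_html, site_host)
                  - external_hosts(baseline_html, site_host))


# Constructed sample pages (not taken from the site in this thread).
BASELINE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://fonts.example.net/loader.js"></script>
</head><body>About</body></html>"""

EVENTS_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://fonts.example.net/loader.js"></script>
<script src="//widget.example.org/api.js"></script>
</head><body><iframe src="https://ads.example.com/frame"></iframe></body></html>"""

if __name__ == "__main__":
    for host in hosts_only_on_affected_page(EVENTS_HTML, BASELINE_HTML, "site.example"):
        print("review:", host)
```

This only sees the static markup of the saved copies, so content injected at run time or served only to certain browsers will not show up in the comparison.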

    @epicsockmonkey I dislike being the bearer of bad news but your redirect on Events is back.

    Thread Starter epicsockmonkey

    (@epicsockmonkey)

    Umm..no. You didn’t clear your cache. Stop being a creep. I resolved this thread. Unless you wanna shake your booty in my strip-tease class, don’t email me either!

The topic ‘Malicious code hiding somewhere’ is closed to new replies.