Title: Malware on a WordPress theme Last modified: August 20, 2016 --- # Malware on a WordPress theme * [delikasi](https://wordpress.org/support/users/delikasi/) * (@delikasi) * [13 years, 8 months ago](https://wordpress.org/support/topic/malware-on-a-wordpress-theme/) * Dear Friends, * Kindly help how to address this issue (see email from hosting company below). How do i resolve without messing up the existing theme? Is it safe to just delete the theme and install a fresh one? I’m worried I might mess up the site. Please help. Thanks. * Sincerely, * Jovel * —————————– Dear Jovel, * We have requested google to review your site and still Malware URL exist. We have checked further and found the malware injection to your “NewsSpot” theme/ template. You could verify here the sample injection./home/magicmel/public_html/ blog/wp-content/themes/NewsSpot/index.php * Please change your theme and delete the entire files/folder under “NewsSpot” theme. * Please get back to us when done. ++++++++++++++++++++++++++++ * Thank you. Viewing 3 replies - 1 through 3 (of 3 total) * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [13 years, 8 months ago](https://wordpress.org/support/topic/malware-on-a-wordpress-theme/#post-3093560) * > How do i resolve without messing up the existing theme? * Where did you get that theme and can you share a link to your site? * The normal way to do it is get original copies of everything and give these links a good long read as you probably need to delouse your web server. * You need to start working your way through these resources: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Additional Resources: [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress) [http://www.studiopress.com/tips/wordpress-site-security.htm](http://www.studiopress.com/tips/wordpress-site-security.htm) * Thread Starter [delikasi](https://wordpress.org/support/users/delikasi/) * (@delikasi) * [13 years, 8 months ago](https://wordpress.org/support/topic/malware-on-a-wordpress-theme/#post-3093570) * Thanks for the quick reply Jan. Below is the complete details of the incident. * Regards, * Jovel * ————————- * > Dear Jovel, > We have received a complaint regarding magicmelt.com which has been compromised. > With this, we have temporarily suspended the hosting account. Please let us > know when you are ready to fix the site so we can unsuspend. Below is the report. > —————————————————————– > —- Original message —- > > This is an automated email alert; please do not reply to this email as > > > replies will not be answered. To get in contact with us, use the links > and > contact details, mentioned in the text below instead! > > ************************************************************************ > > > TO WHOM IT MAY CONCERN: > > The security experts of cyscon GmbH like to > ask you to remove/review > the below mentioned file from/on your servers. At > least one of our > scanners detect it, and we consider it as malicious: > >######################################################################## > > # begin logs > > IP: 67.215.234.180 > URL: [http://magicmelt.com/blog/](http://magicmelt.com/blog/) > > Port: 80 > Tested on: Sat, 29 Sep 2012 12:33:19 +0200 > Result: JS/Redirect. > CG > > # end logs > ######################################################################## > > > Also, please check if your machine has been compromised and is now > being > used by intruders in malicious activities, or if a legitimate > user is engaged > in activity that is probably in violation of your > terms of service agreement. > In either case, please investigate this > matter. Further details on this project& > advisories may be found > here: [http://www.c-sirt.org/faq-section/](http://www.c-sirt.org/faq-section/) > > > The incident is already solved? Then just visit the following url and > > trigger a rescan of your file: > [http://www.c-sirt.org/incident/?incident=da11a27d14a5c0cca800f9255956eee5](http://www.c-sirt.org/incident/?incident=da11a27d14a5c0cca800f9255956eee5) > > When the problem is solved the field “Solved” will be set and the > color > changes to green. If this does not happen, a virus-scanner still > detects > malicious content. > > You received this message because you are listed as > the contact for > this network (AS# AS29761). This message is intended for > the person > responsible for computer security at your site. If this is not > the > correct address, please forward this message to the appropriate party. > > > Please note: If more than one IP address at your site is involved, or > > malicious code/malware is detected in more than one file, you may/will > receive > more than one message, each one with different content. > Additionally you > may found a X-ARF report attached to this document, > with all relevant details > for automated complaint parsing. Learn more > about X-ARF: [http://www.x-arf.org/specification.html](http://www.x-arf.org/specification.html) > > > We hope this important information regarding the security of your > customers/ > clients content is/was useful/helpful for you. In case of > further questions, > of if you need any help in resolving this issue, > please feel free to contact > us at . We, the > C-SIRT team of cyscon GmbH, will > assist you in any questions regarding > this incident [SIRT#0001208564]. —————————————————————– > ######################################################################## > # > begin logs > IP: 67.215.234.180 > URL: [http://magicmelt.com/](http://magicmelt.com/) Port: > 80 Tested on: Sat, 29 Sep 2012 12:33:44 +0200 Result: Redirects.To.JS/Redirect. > CG > # end logs > ######################################################################## * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [13 years, 8 months ago](https://wordpress.org/support/topic/malware-on-a-wordpress-theme/#post-3093573) * According to Sucuri SiteCheck, your site is black listed. * [http://sitecheck.sucuri.net/results/magicmelt.com](http://sitecheck.sucuri.net/results/magicmelt.com) * I suggest you start going through that reading list just in case. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Malware on a WordPress theme’ is closed to new replies. ## Tags * [sql injection](https://wordpress.org/support/topic-tag/sql-injection/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 2 participants * Last reply from: [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * Last activity: [13 years, 8 months ago](https://wordpress.org/support/topic/malware-on-a-wordpress-theme/#post-3093573) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics