I usually start by comparing a “good” backup (thought to be unaffected) and the current state of the web root. By diffing you can sieve through the changes that had occurred and verify each one manually (if you use version control it’s a godsend in such cases!).
Often nice to diff database dumps as well for signs of new content.
Check the crontab for the php user, check mail logs to see if spam mail is being sent out, take a look in /tmp/, delete anything suspicious (or everything, it’s /tmp/ after all).
Hope this helps, @Raspberyade and everyone else.
Yes, that’s good advice for most people, even if I wasn’t able to apply it personally (I didn’t have a “known good” backup of the current version, and I’m running Windows).
Hi Guys,
The URL posted (which you can find here: http://pastebin.com/EjZNMdkj) is actually malicious. If you try to visit the URL you’ll get a malware warning from Chrome, so that’s why we’re flagging it. I’m pretty sure you don’t want iframes on your site that point to malicious URLs, so it’s not a false positive. Please either mark the alert in Wordfence as ‘ignore’ or remove the iframe pointing to a malware URL on your site.
Regards,
Mark.
The URL has been down for several days now, I think even PasteBin didn’t like it as the paste is now removed.
Overall it makes sense, thanks Wordfence, but the flags are coming from WPTavern’s post containing a sample of the code that ended up being displayed and cached in admin Dashboards worldwide. The link wasn’t clickable.
Wordfence also found http://203koko.eu/hjnfh/ipframe2.php in my site and I’ve never had Fancybox installed.
* File contains suspected malware URL: /wp-content/cache/object/000000/48b/676/48b6765b0b10ec7e296d04f016543911.php
I have an older theme installed Showtime, which hasn’t been updated in two years as the author “Freshface” refuses to, and the following plugins:
Akismet
All in one security
BruteProtect
Child Theme Configurator
Clear Cache for Me
Contact Form 7
Easy Table
Google Analyticator
GT Metrix for WordPress
Intuitive Custom Post Order
iThemes Security
Jetpack by WordPress.com
Lead Gorilla
Limit Login Attempts
NextGEN Gallery by Photocrati
Per page head
Pretty Link Pro
Revolution Slider (v4.3.8 after the critical update)
Simple Custom CSS
Sucuri Security – Auditing, Malware Scanner and Hardening
TablePress
TinyMCE Valid Elements
Updater
UpdraftPlus – Backup/Restore
Use Google Libraries
W3 Total Cache
W3 Total Cache Purge All Page
What The File
Whitelist IP For Limit Login Attempts
Wordfence Security
WordPress SEO
WP-FileManager
WP Edit
WP Smush.it
None of which seem like they’d be the vulnerability point to me, do they to you? Maybe a new exploit of Rev Slider? Kind of ironic I have so many security plugins installed and they did no good in stopping this! What can be done to prevent this in the future and most importantly, find and fix this current exploit asap!
@nickth, as @gennady explained here https://ww.wp.xz.cn/support/topic/possible-malware-2/page/3?replies=96#post-6532356 “this is either the Blogroll or WordPress Dashboard News section that was cached”.
Any update on this?
I think my error message is coming from “WordPress Backup to Dropbox” plugin.
Should I remove the file?
FYI- my site is https://designoneprinting.com
Thanks for any help!
@wt999 what’s your error message?
I’m not using Fancybox currently. I had it installed a while ago.
But the error message I’m referring to is coming from Wordfence and shows the link to 203koko.eu
“File contains suspected malware URL: /home/content/p3pnexwpnas04_data01/94/2284594/html/wp-content/backups….f83c6aa7-wpb2d-secret”
@wt999 I can think of only one way you got it there off the bat, your backup plugin backed up the cache directory of WTC or something similar. Can you post the full path?
Okay, that’s the SQL database, can you send that file over to me for analysis? gennady[at]kovshenin[dot]com I’ll let you know whether it was a cached blogroll in the database or the actual Fancybox exploit. As is, the file is harmless, but you might want to remove it as restoring it might lead to the link appearing on your site and Google banning you.
Wouldn’t the sql file have sensitive information like logins and passwords?
Sure. Hashes, though. Still sensitive, agreed. But it’s either that or remove it and not know what happened. As an alternative I can provide @wt999 with details on how to analyze the file using grep or something. Or how to extract the _options table.
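As an added example (not code from this thread, Wordfence or any plugin named here), a Python script doing the grep-style check described above: it parses the `wp_options` INSERT rows out of a mysqldump file and reports which rows carry the flagged domain or an iframe, separating transient rows (cached Dashboard news or blogroll feeds, which would explain a hit inside a backup) from persistent options (which would point to an actual injection). The dump fragment is constructed; a `wp_` table prefix and the standard `wp_options` column order are assumed.

```python
import re

# Indicators taken from the thread above: the flagged domain and an injected <iframe>.
SUSPECT_PATTERN = re.compile(r"203koko\.eu|<iframe\b", re.IGNORECASE)

# Constructed mysqldump fragment (not data from any real site); assumes standard mysqldump escaping.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.invalid','yes'),(2,'blogname','Demo site','yes');
INSERT INTO `wp_options` VALUES (3,'_transient_dash_feed_0123abcd','<div class=\"rss-widget\"><p>Sample</p><iframe src=\"http://203koko.eu/hjnfh/ipframe2.php\" width=\"1\" height=\"1\"></iframe></div>','no');
INSERT INTO `wp_options` VALUES (4,'widget_text','<p>Welcome</p><iframe src=\"http://203koko.eu/hjnfh/ipframe2.php\"></iframe>','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2015-02-05 00:00:00','<p>post body</p>','Hello');
"""

def parse_rows(values_sql):
    """Split the text after VALUES in a mysqldump INSERT into rows of strings."""
    rows, i = [], 0
    while i < len(values_sql):
        if values_sql[i] != "(":           # skip separators between row tuples
            i += 1; continue
        i, row = i + 1, []
        while True:
            if values_sql[i] == "'":       # quoted value; handles \x and '' escapes
                i, buf = i + 1, []
                while not (values_sql[i] == "'" and values_sql[i + 1:i + 2] != "'"):
                    if values_sql[i] in "\\'":  # escape: keep the following char literally
                        i += 1
                    buf.append(values_sql[i]); i += 1
                row.append("".join(buf)); i += 1
            else:                          # number or NULL
                j = i
                while values_sql[j] not in ",)": j += 1
                row.append(values_sql[i:j]); i = j
            i += 1                         # consume ',' or ')'
            if values_sql[i - 1] == ")": break
        rows.append(row)
    return rows

def scan_options_dump(dump_text):
    """Return (option_name, kind) for every wp_options row whose value matches the indicators."""
    findings = []
    for line in dump_text.splitlines():
        m = re.match(r"INSERT INTO `\w*options` VALUES ", line)
        if not m: continue
        for row in parse_rows(line[m.end():]):
            name, value = row[1], row[2]   # option_id, option_name, option_value, autoload
            if SUSPECT_PATTERN.search(value):
                cached = name.startswith(("_transient_", "_site_transient_"))
                findings.append((name, "cached feed" if cached else "persistent option"))
    return findings
```

Run it against the real dump with `scan_options_dump(open("backup.sql").read())`; a hit only in transient rows is stale cached feed content, while a hit in any other option deserves a closer look at that option and the plugin that owns it.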
If you’re a webmaster running hundreds of WP websites, this might come in handy: https://github.com/besso/fancybox-wordpress-js-exploit-removal