Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
Who is your hosting company? Report the issue to them and ask whether any other customers have been affected with a similar issue.
It may be that there is a vulnerability in their setup rather than anything you have done.
People have reported problems with Media Temple recently.
Thread Starter
tomasv
(@tomasv)
I am on a VPS and other sites using WordPress are intact…
James, I am calm – it’s just that I did follow the guide on Sunday and today I found they hacked it again, this time distributing different malware. Google already blacklisted the site so I just want to make sure this doesn’t repeat itself again.
One question – I used backup XML to get all of the posts back – can that contain a backdoor or infection?
Thx.
The export file shouldn’t contain any exploits, unless the database was exploited, which is possible, but that’s rare and there’s no known database exploit in 3.0.1 at this time. If your database was exploited, the only solution would be to restore from a known clean backup.
Have you tried any of the recommended security measures?
Thread Starter
tomasv
(@tomasv)
Google listed this info:
Suspected injected code Instances – 1
<script src=http://amd-creations.com/xmlnuke/matiere.php >
Thread Starter
tomasv
(@tomasv)
Yes, I have scanned all local machines with NOD32
I have changed passwords and checked file perms after the restore – all looked good
I have looked at log files – no sign of ftp access
so that makes me believe the issue is in the plugins or wp itself
Have you checked through the web logs for the times when the site was exploited? If the hack is web-based, you’d probably see the payload being deployed in there. Also, have you checked the VPS itself for access logs etc.?
Thread Starter
tomasv
(@tomasv)
Hi guys, I really need help – the site was clean for 7 days but it got infected again. From google webmaster:
Suspected injected code Instances
<script type="text/javascript" src="http://nuttypiano.com/RADCAB.js"
I have changed the FTP password, I generated new WP keys, I have the log file and it shows just a bunch of access from free mail accounts and some Office Live URL but I don’t think any of them are harmful:
67.239.140.16 - - [25/Aug/2010:23:13:35 -0500] "GET /minuet71.jpg HTTP/1.1" 200 270 "http://md29.embarq.synacor.com/zimbra/mail" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 2.8)"
114.48.96.54 - - [25/Aug/2010:22:32:45 -0500] "GET /minuet71.jpg HTTP/1.1" 200 270 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
Is there anything specific I need to look for?
Thx!
T.
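As an added example (not code from this thread or from WordPress), the following script does the kind of log triage suggested above: it parses Apache "combined" access-log lines like the two pasted in this post, restricts them to a time window around the infection, and flags request shapes a defender would want to read first (PHP executed from the uploads directory, code in query strings, direct POSTs to plugin or theme files). The regex, the check list and the two extra log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" log format, as in the lines pasted above (regex is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request shapes worth a second look on a WordPress host that keeps getting re-infected.
CHECKS = [
    # PHP executed from the uploads directory: WordPress never ships PHP there.
    ("php-under-uploads", lambda e: re.search(r"/wp-content/uploads/.*\.php", e["path"], re.I)),
    # Query strings carrying code rather than data.
    ("code-in-query", lambda e: re.search(r"eval\(|base64_decode|\.\./", e["path"], re.I)),
    # POST straight to a plugin/theme file, bypassing wp-admin and wp-login.
    ("post-to-plugin-file", lambda e: e["method"] == "POST"
        and re.search(r"/wp-content/(plugins|themes)/.*\.php", e["path"], re.I)),
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)  # timezone-aware timestamp
    return e

def triage(lines, start=None, end=None):
    """Return (ip, timestamp, path, reasons) for requests in the window that trip any check."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or (start and e["ts"] < start) or (end and e["ts"] > end):
            continue
        reasons = [name for name, check in CHECKS if check(e)]
        if reasons:
            hits.append((e["ip"], e["ts"].isoformat(), e["path"], reasons))
    return hits

# Constructed sample: the two benign lines from the post (shortened user agents)
# plus two constructed lines of the kind the checks are meant to surface.
SAMPLE_LOG = [
    '67.239.140.16 - - [25/Aug/2010:23:13:35 -0500] "GET /minuet71.jpg HTTP/1.1" 200 270 "http://md29.embarq.synacor.com/zimbra/mail" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '114.48.96.54 - - [25/Aug/2010:22:32:45 -0500] "GET /minuet71.jpg HTTP/1.1" 200 270 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '198.51.100.7 - - [25/Aug/2010:22:40:01 -0500] "POST /wp-content/uploads/2010/08/img.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Aug/2010:01:02:03 -0500] "POST /wp-content/plugins/example/x.php?c=base64_decode(...) HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run it against the real access log (one line per entry) with `start`/`end` set to the window between the last clean check and the date Google flagged the site; the two `.jpg` requests quoted above pass every check, which is what "nothing harmful" looks like in this output.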
Just remain calm and carefully follow this guide. When you’re done, you should definitely implement some (if not all) of the recommended security measures.
Thread Starter
tomasv
(@tomasv)
Yes James, I have run the WP security scan, I have renamed the admin account and in general I have done everything that was in my power – it would be great if someone could offer more specific guidance on what to look for in the logs in order to determine how they can repeatedly hack this WP install.
All other WPs on the same VPS are fine…