snthorv

Rednas, you also need to look at your htaccess file for a malicious redirect.

I have run 4 anti-virus programs on my computer. Some things were found by the first three, but nothing serious. I put Windows Security Essentials on and it found some js injections in the cache of my firefox browser. I really don’t know if that is it, or not.

I believe it is fair to say that my own computer is involved somehow in bringing back the virus. But I am not convinced that there is not an exploit somewhere that needs to be identified.

In support of the FTP theory (David’s), though I run hundreds of WordPress sites, the only 2 that continually get infected are ones that are stored in the site manager of my Filezilla. If that is involved, it would actually help make sense of things a little, because I have changed the password numerous times, to no avail. But I updated it in Filezilla each time, too. 🙂

My Windows Defender is set to scan my computer every day and it did not detect anything. Prompted by this thread, I ran Malwarebytes.

MB says it only found potentially unwanted files (PUP), which makes me skeptical of the idea that my computer was compromised, per se. However, many of these presented as FF extensions with this phrase in it: \[email protected]\ some of which were associated with js file names.

Too suspicious to leave, so I whacked them.

It will be interesting to see if I continue to have this problem, and a little sad that Defender didn’t do the job for me.

I don’t have this plugin but I have been having this problem. I have done all the normal things, such as making sure everything is up to date, changing passwords and so on. I still have no idea how they are actually getting into my sites. However, I did notice something that no one mentioned here, so I’ll mention it now:

they were also adding a line in the .htaccess file. This line caused a redirect. The htaccess change and the change in the header seemed to work in conjunction, so that after I deleted the line, even though the ‘teaserguide’ bit still showed, users were not actually moved away from my site.

Also, I had one site that I had restored like 5 times that is presently uninfected, and the thing that I did this time was go through and carefully made sure that all of the permissions for every file in the WP directory and sub-directories were correct. I have a hunch that they are exploiting permissions somehow.

Anyway, I have been able to instantly repair my sites by uploading completely fresh copies of the latest WP as well as a backed up copy of .htaccess. So, even though I can’t figure out how they’re getting in, at least I can fix it now in about 5 mins.

I’m presently working on another site that was infected, and focusing on the permissions. If that seems to solve this site as well, I’ll let ya’ll know.

Having been locked out of my own site several times now, a whitelist for login attempts seems to be a no brainer. Honestly, why WOULDN’T you have a whitelist option for it? Really, there should be a whitelist that covers an IP for all BWPS functions, so that nothing can slip through the cracks.

Today, I was locked out inexplicably. I found my IP in the database and deleted every instance of it. Still blocked out. Nothing in htaccess. Full computer restart, even. There was nothing for it except to wait until the time expired. This just isn’t acceptable.