Please go here for backupbuddy support:
sterndata (Steve Stern) on "How to find the source of a potentially malicious file?"
Simon Barnett on "How to find the source of a potentially malicious file?"
I decided not to contact them. Once I knew it was from BackupBuddy it was a much lower priority than finding the actual exploit on the server.
Simon Barnett on "Where to submit malware samples?"
Where are good places to submit samples of potential malware for analysis?
WordFence does this, which I assume is mutually beneficial because it helps them keep ahead. Are there any others doing code analysis?
According to this WordFence doc:
I have a file that looks suspicious, but I’m not sure if it is. How can I tell?
Email it to us at samples@wordfence.com and we’ll let you know. If you don’t receive a reply, either your mail system or ours may have discarded the message thinking it was malicious because of your attachment. So please email us a message without the attachment letting us know that you’re trying to send us something and we’ll try to help get it through.
James Huff on "Where to submit malware samples?"
If it's a particular confirmed security threat with WordPress, please let our security team know at security (at) wordpress (dot) org
Jan Dembowski on "Where to submit malware samples?"
Where are good places to submit samples of potential malware for analysis?
Not here. There really is no value to sharing malware and posted malware gets deleted when found in these forums.
If you have information about a confirmed WordPress compromise then yes, consider contacting the security email address. But if you only have samples of malware that some attacker succeeded in dropping onto your site then do not share that.
The malware doesn't matter. It's the fact that someone was able to successfully place that on your system that is the important part. That's when you need to delouse your system.
Simon Barnett on "Where to submit malware samples?"
Not here
I know, which is why I'm asking where.
rngdmstr on "[Plugin: Wordfence Security] Malware inside Images"
What is the warning generated from WordFence, can you supply a sample?
It's not uncommon for attackers to insert backdoors into images, usually in the form of EXIF data, which can be removed without hurting the source of the image.
I think this link should help:
http://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/
rngdmstr on "[Plugin: Wordfence Security] Malware inside Images"
Also, if you head over to http://archive.org/web/ you might be able to find old, cached versions of the images before the hack occurred.
JustinF on "[Plugin: Wordfence Security] Malware inside Images"
Thanks for replying!
The error reads:
Post contains a suspected malware URL: Choosing the right Point of Sale (POS) system
This post contains a suspected malware URL listed on Google's list of malware sites. The URL is: http://www.retailandrestaurant.co.za/wp-content/uploads/2013/11/IronTree.jpg
rngdmstr on "[Plugin: Wordfence Security] Malware inside Images"
Oh, I see. That WordFence flag is being generated because your website is blacklisted by Google :( The image itself is fine; there's no EXIF data or script code in it from what I see here.
Once the infection is removed from your website and a blacklist removal request has been submitted to Google, that will fix the WordFence warning. But it seems there are much bigger issues here, unless you've already removed the malware.
SiteCheck doesn't seem to be flagging the malware itself:
https://sitecheck.sucuri.net/results/www.retailandrestaurant.co.za
So it's hard to say what the root of the problem is. I'd suggest taking a look here and following this guide:
rngdmstr on "[Plugin: Wordfence Security] Malware inside Images"
Hmm, I forgot to ask: is retailandrestaurant your website, or is that image being grabbed from another domain? If the latter, you can just host that image on your own server instead of loading it from the external site.
matthewjamesgibson on "[Plugin: Wordfence Security] Unknown PDF file links are appearing on my sites"
Hello,
Thanks for all of your helpful tips in this discussion.
I'd just like to add:
1. A random PHP file in the plugin directory was duplicated. Delete the one that has a .php.php extension.
2. In addition to the malicious code that simon5 identified, I also found the same code in wp-includes/random_compact/random_bytes_mcrypt.php
3. I found exclusions set in Wordfence's options so Wordfence wouldn't scan the .x1-unix directory!
simon5 on "[Plugin: Wordfence Security] Unknown PDF file links are appearing on my sites"
Well, often it's a .php.php, but sometimes the infection won't find a .php file to infect, so you will get a jpg.php or a css.php or a png.php or something else.
Just to add another hint to this diagnosis.
JustinF on "[Plugin: Wordfence Security] Malware inside Images"
Can you tell me what you are basing your assessment of the images on? You say "there's no exif data or script code in it from what I see here" ... How exactly did you inspect them? I'm only asking because I struggled to find a means of checking them for malware, so I would love to know for the future.
I have removed the major malware from the site. There were some .php files hiding in the wp-content folders and there were one or two lines of unsavoury-looking code in the .htaccess file. All of that is gone.
All the images are being hosted on the Cloudflare server that the website is hosted on. But luckily a lot of them are stock images from the internet, so I can probably find them again.
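As an added example (not code posted by anyone in this thread), a small Python checker in the defender's spirit of the posts above: it flags the double-extension files matthewjamesgibson and simon5 describe (.php.php, .jpg.php, .css.php, .png.php) and, for the question of how an image can be inspected, checks that an image's leading bytes match its extension and that no PHP markers sit anywhere in its bytes, EXIF segments included. The sample tree, paths and marker list are constructed for illustration; a hit is a lead to review, not a verdict.

```python
import os
import re

# A second extension in front of .php has no legitimate use in a WordPress tree.
DOUBLE_EXT_RE = re.compile(r"\.(php|jpe?g|png|gif|css|js|txt)\.php$", re.IGNORECASE)

# Leading bytes expected per image type, and byte strings a genuine image never contains.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(", b"gzinflate(")

def has_double_extension(name):
    return DOUBLE_EXT_RE.search(name) is not None

def inspect_image(name, data):
    """Findings for one image: header/extension mismatch and embedded PHP markers."""
    findings = []
    magic = IMAGE_MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None and not data.startswith(magic):
        findings.append("header does not match extension")
    for marker in PHP_MARKERS:
        if marker in data:
            findings.append("contains " + marker.decode())
    return findings

def scan_files(files):
    """files maps relative path -> bytes; returns {path: [findings]} for flagged files only."""
    report = {}
    for path, data in files.items():
        findings = ["double extension"] if has_double_extension(path) else []
        if os.path.splitext(path)[1].lower() in IMAGE_MAGIC:
            findings += inspect_image(path, data)
        if findings:
            report[path] = findings
    return report

# Constructed sample tree: a clean JPEG, a JPEG with PHP inside its EXIF area,
# two double-extension files and one ordinary plugin file that must not be flagged.
SAMPLE_FILES = {
    "uploads/2013/11/IronTree.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "uploads/2013/11/logo.jpg": b"\xff\xd8\xff\xe1Exif\x00\x00<?php eval($x); ?>",
    "plugins/example-plugin/example.php.php": b"<?php /* constructed */",
    "uploads/2014/01/banner.png.php": b"<?php /* constructed */",
    "plugins/example-plugin/example.php": b"<?php /* legitimate */",
}

if __name__ == "__main__":
    for path, findings in sorted(scan_files(SAMPLE_FILES).items()):
        print(path, "->", ", ".join(findings))
```

To run it against a real install, walk wp-content with os.walk, read each file as bytes into a dict keyed by relative path, and pass that dict to scan_files.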
laikinas on "[Plugin: WP Fastest Cache] Site is being suspended due to malware code found in cache folder"
Hi there,
Thanks for the plugin, super easy to use.
I have a question. During the past few days I have been struggling with a Google AdWords site suspension due to, as they say, malware code [moderated]
As I understand it, this code is due to the sfsi_float_widget plugin (Social Media and Share Icons). Is there a way to avoid caching it so that the link would not appear in the cache folder? Because otherwise Google flags me.
Looking forward to your reply.
Thanks
Andrew Nevins on "[Plugin: WP Fastest Cache] Site is being suspended due to malware code found in cache folder"
Hi @laikinas, as per your previous thread, please try to avoid posting malicious code on these forums.
Emre Vona on "[Plugin: WP Fastest Cache] Site is being suspended due to malware code found in cache folder"
The page is saved as a static HTML file. If you want to exclude a part of the page, it is not possible.
laikinas on "[Plugin: WP Fastest Cache] Site is being suspended due to malware code found in cache folder"
It helped me out. Especially this link: http://stackoverflow.com/questions/28940177/http-ujquery-org-jquery-1-6-3-min-js-failed-to-open-stream-http-request-fa
It is where you have to find the if(!function_exists('wp_..... function and delete it.
In my case it was in theme folder, functions-core.php.
Cheers,
Albert
darkwarrior92 on "WordPress site hacked"
Is there any way I can recover my site? When I want to log in to the admin panel, I have a login page, but when I log in it's all messed up. Is there any way I can recover the whole site, or just the admin panel? That would also be helpful.
Thanks in advance.