Author Topic: www redirections  (Read 31542 times)


klogier

  • Guest
Re: www redirections
« Reply #30 on: March 02, 2013, 05:13:47 PM »
Guys.
Could you tell me what I can do with my site? polonus, maybe you know somebody in Poland whom I can hire to repair my site. I can't repair it by myself. The company that made this site isn't good for this, either.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: www redirections
« Reply #31 on: March 02, 2013, 05:21:04 PM »
Hi klogier,

Can you try disabling xmlrpc.php from the WordPress dashboard?

Follow the instructions here: http://codex.wordpress.org/XML-RPC_Support

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: www redirections
« Reply #32 on: March 02, 2013, 05:32:24 PM »
Hi klogier,

Give scan results from this plugin: http://wordpress.org/extend/plugins/wp-security-scan/
And do a scan here: http://evuln.com/tools/php-security/
Paste here your PHP/Perl source code to check it by PHP Security Scanner.

Example:

<?php
include($variable);
?>
Register at this service: http://www.webmaster.54.pl/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

klogier

  • Guest
Re: www redirections
« Reply #33 on: March 03, 2013, 01:40:26 AM »
Hi Guys,

xmlrpc.php disabled. I had to install a plugin for this because in WP 3.5.... there isn't an option to disable it manually.

wp-security-scan results attached (printscreen)

Report of the scan of xmlrpc.php made by the 2nd tool attached


Offline !Donovan

Re: www redirections
« Reply #34 on: March 03, 2013, 08:02:22 PM »
Hi klogier,

If you would, please upload xmlrpc.php to VirusTotal (https://www.virustotal.com/).

Thanks,
~!Donovan

Offline polonus

Re: www redirections
« Reply #35 on: March 03, 2013, 11:06:49 PM »
Hi klogier,

On the basis of our analysis we could later give you advice on what to delete. We, !Donovan and I, already have a strong hunch as to what to look for here,

polonus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: www redirections
« Reply #36 on: March 03, 2013, 11:21:03 PM »
Cheers gents I knew there was a reason I had you two in my favourites list  ;D

klogier

  • Guest
Re: www redirections
« Reply #38 on: March 05, 2013, 02:01:17 PM »
I scanned (with avast) all site files (after downloading them by ftp) and 854 files out of 3174 are infected by PHP:Agent-CF [Trj]

Offline polonus

Re: www redirections
« Reply #39 on: March 05, 2013, 02:12:04 PM »
Hi klogier,

Now that we know what the malbits in your PHP code are, the chunks that are "eval base64_decoded/obfuscated", we should be able to start to delete these.
Wait for !Donovan to instruct you further. I have informed him that you are waiting for his instructions,

polonus
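The kind of injected chunk polonus describes (eval applied to base64-decoded text) can be located across a downloaded copy of the site with a short script. This is an added example, not part of the original thread and not how avast or Wordfence detect it; the regular expression, the list of decoder functions and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: eval() applied directly to the output of a decoding function.
# The decoder list is an assumption of this example, not taken from the thread.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".phtml", ".inc"}


def scan_tree(root):
    """Return (flagged, total): flagged maps relative path -> 1-based line numbers of hits."""
    flagged, total = {}, 0
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        total += 1
        data = path.read_bytes()
        lines = [data.count(b"\n", 0, m.start()) + 1 for m in SUSPICIOUS.finditer(data)]
        if lines:
            flagged[path.relative_to(root).as_posix()] = lines
    return flagged, total


def build_sample(root):
    """Constructed sample tree: one clean PHP file, one with an injected first line."""
    root = Path(root)
    (root / "wp-includes").mkdir()
    (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    # The payload decodes to a harmless echo statement; constructed for this example.
    (root / "wp-includes" / "sample.php").write_text(
        "<?php eval(base64_decode('ZWNobyAnY29uc3RydWN0ZWQnOw==')); ?>\n<?php\n// original code\n"
    )
    # Not a PHP suffix, so it is neither counted nor flagged.
    (root / "readme.html").write_text("eval(base64_decode( mentioned in docs\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    flagged, total = demo()
    print(f"{len(flagged)} of {total} PHP files flagged: {flagged}")
```

Point `scan_tree()` at the folder downloaded by FTP rather than the live server. A hit is a lead for manual review, not proof, since some legitimate plugins also call these functions.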

Offline !Donovan

Re: www redirections
« Reply #40 on: March 06, 2013, 12:44:16 AM »
Hi klogier,

We would appreciate it if you uploaded the contents of xmlrpc.php to http://pastebin.com/, then provided us with the link. Confirmed Malicious.

As for the automated removal of this malware, I recommend you install and try Wordfence (http://www.wordfence.com/).

Be sure to back up your WordPress installation first.

Tell me if you experience any problems,
~!Donovan
« Last Edit: March 06, 2013, 05:44:54 AM by !Donovan »

klogier

  • Guest
Re: www redirections
« Reply #41 on: March 06, 2013, 09:21:47 PM »
Hi.
I will try this, but could you tell me how I can do a full backup of the site? I downloaded the full content of the folders below with Filezilla:
.htpasswd
awstats
logs
public_ftp
public_html
public_html_old

Is it a good way to back up a WordPress site?

Offline polonus

Re: www redirections
« Reply #42 on: March 06, 2013, 10:34:05 PM »

klogier

  • Guest
Re: www redirections
« Reply #43 on: March 06, 2013, 10:59:24 PM »
Ok, backup made.

Log from Wordfence below:
[Mar 06 22:16:45] Preparing a new scan. - Done.
[Mar 06 22:16:45] Remote scan of public facing site only available to paid members - Paid Members Only
[Mar 06 22:16:48] Fetching core, theme and plugin file signatures from Wordfence - Success.
[Mar 06 22:16:50] Fetching list of known malware files from Wordfence - Success.
[Mar 06 22:16:52] Comparing core WordPress files against originals in repository - Problems found.
[Mar 06 22:16:52] Skipping theme scan - Disabled [Visit Options to Enable]
[Mar 06 22:16:52] Skipping plugin scan - Disabled [Visit Options to Enable]
[Mar 06 22:16:52] Scanning for known malware files - Secure.
[Mar 06 22:16:54] Scanning file contents for infections and vulnerabilities - Problems found.
[Mar 06 22:16:54] Scanning files for URLs in Google's Safe Browsing List - Secure.
[Mar 06 22:17:18] Scanning posts for URL's in Google's Safe Browsing List - Secure.
[Mar 06 22:17:19] Scanning comments for URL's in Google's Safe Browsing List - Secure.
[Mar 06 22:17:19] Scanning for weak passwords - Secure.
[Mar 06 22:17:20] Scanning DNS for unauthorized changes - Secure.
[Mar 06 22:17:20] Scanning to check available disk space - Secure.
[Mar 06 22:17:20] Scanning for old themes, plugins and core files - Secure.
[Mar 06 22:17:20] Scan complete. You have 843 new issues to fix. See below for details.


There are a lot of "This file may contain malicious executable code" entries with "View this file" and "Delete this file" options.
There isn't a Repair option.

And a lot of "WordPress core file modified:..... " entries with "View...", "Restore to original..." and "Show how the file was changed".

What can I do next?
 


Offline polonus

Re: www redirections
« Reply #44 on: March 06, 2013, 11:08:32 PM »
Hi klogier,

See where the code has been changed, go back to the original where you can and delete what cannot be restored/retrieved...
Go through the whole process meticulously (i.e. very, very thoroughly), or else the cleansing is not complete. You have to tackle all 843 issues.
When all is well, update to the latest WP available. That is the way to success!

Regards,

Damian



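The triage in this last exchange (restore core files that differ from the original, review and delete what has no original) can be reproduced offline by hashing the FTP copy against a fresh download of the same WordPress release. This is an added example, not part of the original thread and not Wordfence's own code; the function names and the two sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each file's relative path to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(pristine_root, site_root):
    """Classify files of the site copy against a pristine copy of the same release."""
    good, live = digest_tree(pristine_root), digest_tree(site_root)
    return {
        "modified": sorted(f for f in live if f in good and live[f] != good[f]),
        "unknown": sorted(f for f in live if f not in good),
        "missing": sorted(f for f in good if f not in live),
    }


def demo():
    """Constructed trees standing in for a fresh download and the FTP copy of the site."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = Path(tmp, "pristine"), Path(tmp, "site")
        for tree in (pristine, site):
            (tree / "wp-includes").mkdir(parents=True)
            (tree / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            # 'X' is a placeholder version string, not a real release.
            (tree / "wp-includes" / "version.php").write_text("<?php $wp_version = 'X';\n")
        # Simulate the two kinds of finding reported: a changed core file and an extra file.
        with (site / "index.php").open("a") as fh:
            fh.write("// constructed injected line\n")
        (site / "wp-includes" / "extra.php").write_text("<?php // constructed unknown file\n")
        (pristine / "license.txt").write_text("constructed\n")
        return compare(pristine, site)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Files under "modified" are the ones to overwrite from the pristine copy; files under "unknown" have no original and need manual review. Themes, plugins and uploads are not in the core archive, so they also land under "unknown" and need their own originals to compare against.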