sahdes, posted February 16, 2014

username: sahdes
server: Stevie
domain: sahdes.heliohost.org / sahdes.org

I'm starting a new topic because the first one's been blocked:

wolstech (Rank VI Member), posted 14 February 2014 - 07:58 PM: It says you were suspended because your site was hacked... first time I've seen that as the reason. Be sure to clean up the hack quickly and get it back in order so it doesn't get suspended again. Your account has been unsuspended.

sahdes, posted 14 February 2014 - 10:37 PM: I'll work on it next week (I'm away right now), please keep it active until then.

I'm back home, but the account is already suspended again... Thank you.
wolstech, posted February 16, 2014

Someone resuspended it since you weren't ready to clean it. Are you ready to clean it up now? If so, I'll unsuspend it again.
sahdes (Author), posted February 17, 2014

Understood. I'll let you know when I'm ready to work on it. Thank you wolstech.
sahdes (Author), posted February 22, 2014

Well, I'm ready, please unsuspend. Thank you.
wolstech, posted February 22, 2014

Your account has been unsuspended. Please clean it up quickly.
sahdes (Author), posted February 23, 2014

The site doesn't seem to have been hacked at all. Just some update of the WordPress theme I'm using made a mess with my homepage. Please don't suspend the account again, even if it looks "hacked" for a while, it's not, it's just me trying to fix it, that's all. Thank you very much.
wolstech, posted February 23, 2014

It appears to be working fine now. Thank you for fixing this.
wolstech, posted February 24, 2014

This time it's for malware. The suspension reason explicitly named this file as malware: /public_html/wp-content/images/index.php

Delete that file before you do anything else. In addition, I would recommend downloading a backup of your account and running a virus scanner on all of your files. Delete all infected files from your account.

Since you are using WordPress, I would also recommend making sure that everything is up to date and that you aren't using any plugins from dubious websites. There are many plugins out there for WordPress that are full of security holes due to lack of support, and sometimes others (especially those from less-reputable websites) are malware disguised as a theme or plugin to make people install it.

You have 24 hours from the time of this post to remove any malware from your account. If you don't, it'll be resuspended.
sahdes (Author), posted February 24, 2014

I'm using the last version of WP; all themes & plugins are only from the WP official repository, and all up to date. I made a full backup and scanned the whole site with antivirus, plus many anti-malware tools; nothing was found, not even on the file you told me about. Then I scanned the site with 3 online malware URL scanners:

https://www.virustotal.com/es-ar/url/6dcdc3d20a987b5a6a2816bfee832d84e3a79b72a6deb2ea8009103a7bdbfb37/analysis/
http://app.webinspector.com/public/reports/20289098?cache=true
http://www.quttera.com/detailed_report/sahdes.org

Nothing wrong. Anyway, then I removed /public_html/wp-content/images/index.php (I don't know how it's gonna affect the site; so far all seems to be ok). Please let me know if now it's clean. But, I wonder... couldn't it have been just a false positive?
wolstech, posted February 24, 2014

I don't believe WordPress is supposed to have an index.php in that folder. The hacker probably added it. As for being a false positive, I doubt it. When I visited that file in my browser, it redirected me to some Russian hosting service... I have no way of checking if it is totally clean now though since only an Admin can re-run the scanner. If you get suspended again, it's not.
sahdes (Author), posted February 25, 2014

Wolstech, I've found a homedir backup dated 01/03/14, in which not only is there no index.php in the "images" folder, but there is no such folder at all. In this "images" folder there is a .js file that contains, hello!, some Russian URL... So, I'm going to get a clean break and restore my home from that backup. I think that's the thing to do.
wolstech, posted February 25, 2014

The entire images folder sounds like it was the dumping ground for the malware that the hacker installed. The JS and other stuff is just malware components and a link to what's likely either the malware maker or the group using the malware.

My original directions were assuming you didn't have backups since the large majority don't bother to make them as they should. Since you have recent backups, restoring them is a good choice. The downside is that any files you might have added or upgraded (including plugins or upgrades you might have installed to prevent future hacks) will likely need to be redone. The upside is that you can guarantee the hack is gone.
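The thread's two useful defender steps (wolstech's advice to scan for planted files, and sahdes's discovery that a known-good backup has no wp-content/images folder at all) can be combined into one check: list every file that exists in the live copy but not in the backup, then flag any added script files sitting in folders that should only hold static assets. The script below is an added example, not code from the thread or from WordPress; the directory layout, file contents and the list of "static-only" folders are constructed assumptions for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: these WordPress folders should only ever contain static assets,
# so any script file appearing there is worth a look (the thread's case was
# wp-content/images/index.php plus a .js file in the same folder).
STATIC_ONLY_DIRS = ("wp-content/images", "wp-content/uploads")
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".js"}


def list_files(root):
    """Set of file paths under root, relative and POSIX-style for comparison."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def find_added_files(backup_dir, live_dir):
    """Files present in the live tree that the known-good backup never had."""
    return sorted(list_files(live_dir) - list_files(backup_dir))


def suspicious_additions(added, static_dirs=STATIC_ONLY_DIRS):
    """Among the added files, those that are scripts inside static-only folders."""
    flagged = []
    for rel in added:
        in_static_dir = any(rel.startswith(d + "/") for d in static_dirs)
        if in_static_dir and Path(rel).suffix.lower() in SCRIPT_EXTENSIONS:
            flagged.append(rel)
    return flagged


def build_sample_trees():
    """Constructed sample data: a clean backup and a live copy with extra files."""
    base = Path(tempfile.mkdtemp(prefix="wp-compare-"))
    backup, live = base / "backup", base / "live"
    common = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-content/themes/sample-theme/style.css": "/* constructed theme css */",
        "wp-content/uploads/2014/01/photo.jpg": "constructed image bytes",
    }
    for tree in (backup, live):
        for rel, content in common.items():
            path = tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
    # Only in the live copy: one legitimate new upload plus a planted folder
    # (placeholder contents, not real malware).
    extra = {
        "wp-content/uploads/2014/02/new-photo.jpg": "constructed image bytes",
        "wp-content/images/index.php": "<?php /* constructed placeholder */ ?>",
        "wp-content/images/loader.js": "/* constructed placeholder */",
    }
    for rel, content in extra.items():
        path = live / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(backup), str(live)


def compare_sample():
    """Run the comparison on the constructed trees; returns (added, flagged)."""
    backup, live = build_sample_trees()
    added = find_added_files(backup, live)
    return added, suspicious_additions(added)


if __name__ == "__main__":
    added, flagged = compare_sample()
    print("Added since backup:")
    for rel in added:
        print("  " + rel)
    print("Scripts in static-only folders (review before restoring):")
    for rel in flagged:
        print("  " + rel)
```

Run against a real account, the "added" list is also the list of things that will be lost by restoring the backup (the downside wolstech mentions), so it doubles as a checklist of legitimate uploads and plugin updates to redo afterwards. The comparison is by path only; a file that existed in the backup but was modified in place would need a hash comparison as well.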