• Resolved craftandclover

    (@craftandclover)


    I have a client site that was infected with the HoeflerText Font Virus. We rolled back the site to a backup made before the virus was injected, which seems to have eradicated the issue – except from one machine.

    This particular machine showed the pop-up (even after the backup restore and extensive testing) – and the pop up went away after clearing the cache/cookies. It has not returned and they are able to access the site just fine from this machine. Client said they never had the pop-up before, but has used this machine to access the site many times.

    What to make of this? Does this necessarily mean the script is still somewhere in the site (even though the issue cannot be replicated from any other machine)? Or could it be that the client’s computer and/or browser was infected and causing the pop up?

    Any help to understand this would be great, thanks in advance!

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter craftandclover

    (@craftandclover)

    Thanks, Steve!

    We have had 2 developers manually investigating the files and have run several scans, including one by Sucuri and nothing is being picked up.

    Is it possible the virus is very well hidden and escaping the scans?

    Would it make sense to rebuild from scratch if the client is willing to do that?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Burn it down except for the database, wp-content/uploads, and wp-config.php

    Thread Starter craftandclover

    (@craftandclover)

    We’ve done fresh installs of WP, plugins, etc. and the problem still exists.

    By burn it down, do you mean just do a fresh site? Sorry, I want to be sure I am giving solid advice to the client and I want to be sure I understand you correctly. If the problem is in the database, wp-content or uploads, then the issue will still remain, correct?

    That logic is pointing me toward a fresh rebuild, from scratch. Does that sound right?

    If I directed them to Sucuri or other company, are they guaranteed to find and eradicate the virus?

    Thanks again for your help. We’re banging our heads here.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Delete all PHP files except wp-config.php. Get clean copies of WordPress, plugins, and your theme from the repositories.

    I can’t speak to what warranties Sucuri may offer, but they have a lot more experience cleaning up this **** than you or I do.
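
The following is an added example, not part of any post in this thread: it checks a site after the reinstall described above by hashing every PHP file against a clean reference tree and by listing script files under wp-content/uploads, which the reinstall leaves in place. The clean reference directory (fresh copies of WordPress, the plugins and the theme unpacked into the same layout as the site) and the list of script extensions are assumptions.

```python
import hashlib
import sys
from pathlib import Path

KEEP = {"wp-config.php"}              # preserved by the advice in the thread
UPLOADS = Path("wp-content/uploads")  # also preserved, so checked separately
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}  # assumed extension list

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def script_files(root):
    """Map relative path -> absolute path for every script file under root."""
    root = Path(root)
    return {p.relative_to(root): p for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in SCRIPT_EXT}

def audit(site_root, clean_root):
    """Compare the live tree with the clean reference tree (hypothetical
    directory built from fresh downloads of core, plugins and theme)."""
    site, clean = script_files(site_root), script_files(clean_root)
    report = {"modified": [], "unexpected": [], "in_uploads": []}
    for rel, path in sorted(site.items()):
        if UPLOADS in rel.parents:
            # Uploads should hold media only; any script here needs review.
            report["in_uploads"].append(rel.as_posix())
        elif rel.as_posix() in KEEP:
            continue  # site-specific file, no clean reference to hash against
        elif rel not in clean:
            report["unexpected"].append(rel.as_posix())
        elif sha256(path) != sha256(clean[rel]):
            report["modified"].append(rel.as_posix())
    return report

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py SITE_ROOT CLEAN_REFERENCE_ROOT")
    for kind, files in audit(sys.argv[1], sys.argv[2]).items():
        for name in files:
            print(f"{kind}\t{name}")
```

The database is also kept by that advice and is not covered by this file comparison.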

    bluesdigital

    (@bluesdigital)

    Hi, it might be worth checking any Google Font Plug-ins:
    One of my sites was nailed, but by deleting: WP Google Fonts Version v3.1.4 | By Noah Kagan & Google Fonts For WordPress Version 3.0.0 | By KAPlugins, my site was up & running again instantly.
    Whether the plug’s are compromised, or if the developers are putting out free plug’s containing back doors for the World’s Malware Thieves, I don’t know. Suffice to say, I’m checking every site that I manage, and getting rid of any plug-ins from the above sources.

    Good Luck!

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Versions of WP Google Fonts less than 3.1.4 have an issue:

    https://wpvulndb.com/vulnerabilities/8253

    Thread Starter craftandclover

    (@craftandclover)

    Thanks for the input everyone! We elevated it to Sucuri who found 16 lines of malicious code that escaped manual and scanned investigation. Thanks for suggesting them, Steve!

    No longer banging our heads and everything seems to be running well. Thanks to all who contributed!

  • The topic ‘How to make sure Hoeflertext Font Virus is Gone from Site’ is closed to new replies.