eisd
Forum Replies Created
Forum: Fixing WordPress
In reply to: My site says reported attack
It appears pinkgothic may be right and this isn’t a brute force but rather a decryption of saved FTP passwords.
We just finished cleaning an entire server. Here are the steps:
1) Change all your FTP passwords. Configure your FTP client to not save passwords. Write your passwords down instead or store them in a secure place. Use a strong random password generator. Your passwords should look something like: !@$(*cxz0
2) If you have a Linux server and have SSH access, you can use the following command to locate all infected files:
grep -nslPR "<script>[A-Za-z]\w+=" *
It will search all subfolders as well. It will run incredibly slow, but it will find the exact infected files so you can clean them up.
I wouldn’t run SSH from a possibly infected computer though.
The command I gave is a search only. You can also try an automated find/replace:
https://refactormycode.com/codes/1600-find-and-replace
In order to use the above find/replace command, you should have a strong grasp of regular expressions (in which case, you should know not to use regex for HTML parsing). I chose to manually replace because if it detected the wrong scripts, I would be in trouble.
If you need a more specific search (in the event you have safe JS code that starts off with an inconvenient implicit global):
grep -nslPR "<script>(ti|wa)=" *
3) Have your host ban the IP address I listed above. Check your FTP and SSH logs for suspicious activity from unrecognized IP addresses. Ban those IPs.
4) Finally, once everything is clean, use Google Webmaster Tools to request a review of your website to remove the malware warning from Google Search and Google Chrome.
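The search step above can be scripted so the results are reviewed before anything is changed, which is the caution the reply itself raises about automated find/replace. The following is an added example, not code from the original reply: it walks a web root, reports every line matching the same `<script>identifier=` pattern the grep command uses (with the narrowed `(ti|wa)=` variant also available), and produces a dry-run cleaned copy of a file without writing to disk. The function names, the list of file extensions scanned and the sample files in the usage are assumptions.

```python
"""Locate injected <script> blocks and preview their removal (dry run only).

Added example; not from the original forum reply. The two search patterns
mirror the grep -P expressions in the reply. Function names, SCAN_SUFFIXES
and any sample files used with this script are assumptions.
"""
import sys
import re
from pathlib import Path

# Same expression as the reply's grep: '<script>' immediately followed by an
# identifier assignment, e.g. '<script>ti=' (no whitespace in between).
INJECTED_SCRIPT_RE = re.compile(r"<script>[A-Za-z]\w+=")

# Narrowed variant from the reply, for sites whose legitimate inline JS also
# begins with an implicit-global assignment.
NARROW_RE = re.compile(r"<script>(ti|wa)=")

# Whole injected block for the dry-run cleaner: from the marker to the FIRST
# closing </script>. Non-greedy so a following legitimate script survives.
INJECTED_BLOCK_RE = re.compile(r"<script>[A-Za-z]\w+=.*?</script>", re.DOTALL)

# Assumed set of file types worth scanning (constructed, adjust per site).
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def scan_tree(root, pattern=INJECTED_SCRIPT_RE):
    """Return [(path, line_no, snippet)] for every line matching `pattern`.

    Reads files with errors='replace' so a binary-ish file does not abort
    the whole scan; unreadable files are skipped silently (like grep -s).
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                hits.append((str(path), line_no, line.strip()[:120]))
    return hits


def preview_clean(path):
    """Return (cleaned_text, removed_blocks) WITHOUT modifying the file.

    The caller reviews `removed_blocks` and only then decides whether to
    write `cleaned_text` back (after taking a backup).
    """
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    removed = INJECTED_BLOCK_RE.findall(text)
    cleaned = INJECTED_BLOCK_RE.sub("", text)
    return cleaned, removed


if __name__ == "__main__":
    # Usage: python scan_injected.py /var/www/html [--narrow]
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    chosen = NARROW_RE if "--narrow" in sys.argv else INJECTED_SCRIPT_RE
    for file_path, line_no, snippet in scan_tree(web_root, chosen):
        print(f"{file_path}:{line_no}: {snippet}")
```

Run it from a clean machine against a copy of the web root; the report is the list of files to inspect, and `preview_clean` shows exactly which blocks a replacement would strip before any file is touched.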
Forum: Fixing WordPress
In reply to: My site says reported attack
Amada,
We are having this problem too.
I can confirm it’s not a WordPress security hole. We have a dedicated server, and we don’t even run a hint of WordPress on our servers.
However, being that I actually know how to locate the source of security problems, I wasn’t going to just sit around and let support try and figure it out while our sales plummeted. So I just finished working with SoftLayer Live Support to determine the root cause of the problem.
It appears there is malware which is using a brute force attack via FTP to gain access to and modify your files.
We have multiple servers – all of which have very strong passwords and were attacked within the span of a single day. We checked the SSH logs and, fortunately, there was no SSH access. However, based on the FTP log activity, we were able to determine the type and nature of the attack.
Finally, we reach the IP address you’ll need to ban:
204.12.252.138
This was the IP address responsible for the script injections on our dedicated server. It may be some variant for your own server.
However, SoftLayer says I need clearance to get an IP banned.
I sent the live support chat log and how we were able to deduce the source of the problem to their ticketing system.
If you want to message me or discuss this further, send an email to [email protected]
That’s my junk email inbox, but I’ll reply with my real email address.
Cheers.