How to find and eliminate malware?


#1

Something has infected my site, causing it to generate Google-detectable viagra posts that I can’t find or delete (they’re not in the FTP).

I’m not a pro with the behind-the-scenes workings that websites run from, so I’m a bit confused where to start looking.

Is this a PHP issue? or something that is hiding in a SQL database? What would I even try looking for to find and eliminate it? I imagine it’s trying to hide itself pretty well.

Any thoughts on how to start my journey? I reinstalled my WordPress but the bad URLs are still showing up on Google.


#2

#3

Thanks Bobocat. I’ve read through that page and tried to understand and implement it as best I can. I’ve mangled a few parts of my site but have a mostly complete backup.

So the thing I don’t know well enough is how to track down where the infringing pages are hiding. I’ve looked at the .htaccess file, I’ve poked around in mysql a little. Some of it makes sense to me, but I just don’t even know what I’m looking FOR.

And it’s especially hard because the files are only showing up on Google and other search engines – not on a securi.net scan or anything else I have control over.

Any thoughts? Thank you.


#4

This malware bug is still affecting me. Another thought/question:

I host a few WP installations on my dreamhost account.

Perhaps I can use the “export” tool to save all the posts and pages I’ve made, and download the “uploaded images” file.

Then I’ll delete everything. Nuke all my WP installs, the mysql databases, user accounts. Start fresh, rebuild all the pages with clean installs, then import all the post/page files and upload the saved image file to FTP.

Would that eliminate the malware virus that’s affecting me? Is there a chance it would linger around in my exported posts file or images file? Also, is it possible to completely delete the database? Or will I just re-access the same one (with old files) if I delete and then rebuild?


#5

You can try that, since you haven’t narrowed down how the sites are being compromised. I roll out sites from my test MU instance to live versions that way.

Often it’s a bad, old plug-in or a template that used a vulnerable timthumb.php that lets the hack in. Then bogus PHP files and folders show up and serve the spam links that Google is seeing (sometimes named things like cgi-bin, .logs or .temp, names that actual folders might use, and also “invisible” folders you wouldn’t see with a regular FTP session).
Check for that: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

Some tips to keep your new installations clean:
Only keep templates and plug-ins you are actively using; get rid of anything else, don’t just deactivate it.
Also, upgrade your plug-ins and site whenever a new version comes out.
Run each WordPress site as a separate user (set that up in the Dreamhost panel) and use secure user settings to keep sites from infecting each other.
Don’t use the default admin user; create a new one.

Even after you clean up, those bogus links may still show up in Google for a while.

Try this to “force” a recrawl when the sites are all back up and clean:
https://www.google.com/webmasters/tools/submit-url


#6

Usually that’s caused by a modified .htaccess, although other routes are possible. Post your .htaccess.


#7

Thanks guys.

Here’s the .htaccess. I think it’s pretty clean (but I’m not a pro):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Look OK?


#8

That part looks normal, but make sure there’s nothing hiding at the bottom of the file. I’ve seen some tricky spammers hide extra rewrite rules (to redirect searches to spam sites) after a bunch of empty lines.

If that’s not it, it’s possible there’s been something injected into the PHP. Our Support team has scripts to check for this; shoot them a request and they’ll have a look-see.
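The checks suggested in #5 (hidden folders such as .temp or cgi-bin, PHP where only media should be, old timthumb.php copies) and in #8 (rules hidden after blank lines at the bottom of .htaccess, injected PHP) can be run from a shell on the host. The script below is an added example, not code from the thread or from Dreamhost Support; it assumes a standard WordPress layout with media under wp-content/uploads and a clean .htaccess that ends at the "# END WordPress" marker. make_sample_docroot builds a constructed throwaway site with planted findings so the helpers can be tried offline; run it as `sh triage.sh /path/to/docroot` against a real site instead.

```shell
#!/bin/sh
# Added triage helpers for a WordPress document root (illustrative, not from the thread).
# Assumes the standard layout: wp-content/uploads holds media only, and a clean
# .htaccess ends at the "# END WordPress" marker.

# Dot-prefixed directories: a plain FTP listing hides them, and WordPress creates none.
find_hidden_dirs() { find "$1" -mindepth 1 -type d -name '.*' | sort; }

# Executable files under uploads: media lives here, code never should.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null | sort
}

# PHP changed in the last week; a site nobody edited should show only update-time changes.
find_recent_php() { find "$1" -type f -name '*.php' -mtime -7 | sort; }

# Classic one-line droppers: eval() fed by a decoder.
find_obfuscated_php() {
    { grep -rlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' "$1" || true; } | sort
}

# Every timthumb.php copy with the version it declares, to compare with the current release.
find_timthumb() { find "$1" -type f -name 'timthumb.php' -exec grep -H 'VERSION' {} \; | sort; }

# Whatever sits after "# END WordPress" with blank lines stripped: WordPress wrote none of it.
htaccess_tail() {
    sed -n '/^# END WordPress/,$p' "$1/.htaccess" | sed '1d' | grep -v '^[[:space:]]*$' || true
}

# Conditions keyed on search-engine referrers or crawler user agents (cloaking), which is
# how spam can show up in Google while the owner and ordinary scans see a normal site.
htaccess_cloaking() {
    grep -inE 'RewriteCond.*HTTP_(REFERER|USER_AGENT).*(google|bing|yahoo|bot)' "$1/.htaccess" || true
}

run_triage() {
    for check in find_hidden_dirs find_php_in_uploads find_recent_php find_obfuscated_php \
                 find_timthumb htaccess_tail htaccess_cloaking; do
        echo "== $check"
        "$check" "$1"
    done
}

# Constructed sample site (not real data): a clean core plus the kinds of findings the
# thread describes, so the helpers can be exercised without touching a live host.
make_sample_docroot() {
    local d i
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2012" "$d/wp-content/uploads/.temp/cgi-bin" \
             "$d/wp-content/themes/oldtheme/scripts"
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
    : > "$d/wp-content/uploads/2012/photo.jpg"
    printf '<?php\ndefine ("VERSION", "1.33");\n' > "$d/wp-content/themes/oldtheme/scripts/timthumb.php"
    # Planted dropper shape (never executed here): eval of decoded request input.
    printf '<?php eval(base64_decode($_REQUEST["p"]));\n' > "$d/wp-content/uploads/.temp/cgi-bin/x.php"
    {
        printf '# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n'
        printf 'RewriteRule ^index\\.php$ - [L]\nRewriteCond %%{REQUEST_FILENAME} !-f\n'
        printf 'RewriteCond %%{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n</IfModule>\n'
        printf '# END WordPress\n'
        i=0; while [ "$i" -lt 40 ]; do echo; i=$((i + 1)); done   # padding that hides the tail
        printf 'RewriteCond %%{HTTP_USER_AGENT} googlebot [NC]\n'
        printf 'RewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n'
    } > "$d/.htaccess"
    echo "$d"
}

if [ $# -ge 1 ]; then
    run_triage "$1"
else
    site=$(make_sample_docroot)
    run_triage "$site"
    rm -rf "$site"
fi
```

Each helper prints paths or .htaccess lines, so an empty section is a pass; anything listed is a starting point for manual review, not proof of compromise by itself (a theme may legitimately ship timthumb.php, for example, but an old version deserves the scanner plugin from #5). Recent-file and hidden-directory checks only help if the attacker did not reset timestamps or name things blandly, which is why the eval/decoder grep and the .htaccess tail are worth running even when the first checks come back empty.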