Good morning.
Most of the websites on my Virtual Personal Server have gotten hacked.
The infection seems to consist primarily of the following code being added to various pages (I’ve changed http to hxxp so as not to make this URL clickable and have removed parts of the iframe tags) ….
iframe src=“hxxp://davajtemnedenegsejchas.com/spl1/?f115c845296f7ba3144dc004201e3f86” width=1 height=1 style=“visibility:hidden”
The above has mainly been added to /index.php pages such as /wp-admin/index.php … /wp-content/index.php …
One of the sites affected has been my blog @ prodos.thinkertothinker.com – which has now been listed as an attack site:
http://www.google.com/safebrowsing/diagnostic?site=prodos.thinkertothinker.com
This blog is part of my Wordpress MU based blog service @ ThinkerToThinker.com
I think I’ve now removed the malicious script from all pages on the blog system.
Any suggestions or observations about what to do next would be appreciated. Thanks.
Best Wishes,
PRODOS
Melbourne, Australia
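As an added example (not code from this thread or from WordPress), a small Python scanner that walks a WordPress MU web root and flags hidden 1x1 iframes of the kind quoted above, so each affected index.php can be located and cleaned; the sample index.php content and the hosts injected.example and video.example are constructed.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# Attribute values may be double-, single-, curly-quoted (forum copy/paste) or bare.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|\u201c([^\u201d]*)\u201d|([^\s>]+))""")

def parse_attrs(attr_text):
    """Return {name: value} for the attributes inside an iframe tag body."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(attr_text)}

def classify(attrs):
    """Reasons an iframe looks injected: invisible size and/or hidden style."""
    reasons = []
    dims = [attrs.get(k, "").lower().removesuffix("px") for k in ("width", "height")]
    if all(d in ("0", "1") for d in dims):
        reasons.append("1x1 or smaller")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via style")
    return reasons

def find_hidden_iframes(text):
    """Return [(src, reasons)] for every suspicious iframe in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        if reasons := classify(attrs):
            hits.append((attrs.get("src", ""), reasons))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a web root and map each affected file to its suspicious iframes."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            if hits := find_hidden_iframes(path.read_text(errors="replace")):
                results[str(path)] = hits
    return results

# Constructed sample: one injected hidden frame plus a legitimate embed that must not be flagged.
SAMPLE_INDEX_PHP = """<?php /* WordPress MU index.php */ ?>
<iframe src="http://injected.example/spl1/?f115c845296f7ba3144dc004201e3f86"
 width=1 height=1 style="visibility:hidden"></iframe>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_INDEX_PHP):
        print(src, "->", ", ".join(why))
```

Run `scan_tree("/path/to/webroot")` on the server to list every file still carrying a hidden frame; a clean tree returns an empty dict.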
If you are certain that your site is clean and secure, you should “Request a Review” through your Google Webmaster Tools account. Your site must be added and ownership verified before you will be able to see the malware warning and get to the “Request a Review” link.
Google Webmaster Tools
Google Malware FAQ – Request a Review
If you aren’t certain and need guidance for other things to check for, you may want to review the following resources. You will want to identify the vulnerability that allowed things to get hacked in the first place and fix that in order to minimize chances of it happening again.
Tips for Cleaning & Securing your Website
How to remove the ‘This site may harm your computer’
One thing you need to address is the fact that there is a link from [ prodos .thinkertothinker .com ] to [ sydneykendall .thinkertothinker .com ] which is also labeled as suspicious. Until it is repaired (or the reference removed) the prodos blog may not clear.
http://www.google.com/safebrowsing/diagnostic?site=http://prodos.thinkertothinker.com/&hl=en
http://www.UnmaskParasites.com/security-report/?page=prodos.thinkertothinker.com
External reference to suspicious site:
sydneykendall .thinkertothinker .com
http://www.google.com/safebrowsing/diagnostic?site=sydneykendall.thinkertothinker.com
Good afternoon Kaleh,
Thanks for your notes.
My blog is part of a Wordpress MU (multi-user) installation.
The main domain is THINKERTOTHINKER.COM
My blog, prodos.thinkertothinker.com is a subdomain of this.
So is sydneykendall.thinkertothinker.com
I’m the SuperAdmin for this Wordpress MU installation and I’m the owner of the main domain, THINKERTOTHINKER.COM
I don’t know how to insert a verification meta tag within the subdomains of particular blogs, or how to create an HTML verification page for a particular blog.
However, I just created an HTML verification page for the main domain @
http://thinkertothinker.com/google5b2500be9abd42a2.html as Google Webtools instructed.
But when I try to verify this, my Webmaster tools page says:
= We weren't able to verify your site. Did you upload your HTML verification file to this location: http://thinkertothinker.com/google5b2500be9abd42a2.html? =
Thanks for any further advice or tips.
Best Wishes,
PRODOS
I’m not terribly familiar with trouble-shooting verification errors. But … I do know where the documentation is. :-D
Take a look at this and see if it helps.
Verifying subdomains and subdirectories
From what I can determine, it appears that non-existent pages do not return a 4XX status code. That may be the problem, but I’m not sure.
I also think that if you were to use the meta-tag method at the root level, that will be adequate for you to deal with issues for the entire site.
You can get additional verification assistance in the Google Webmaster Help Forum, if necessary.
Edit: Sorry about the multiple email responses. I keep changing things. I think this is the last time. :-)
Thanks Kaleh.
You wrote: “I also think that if you were to use the meta-tag method at the root level, that will be adequate for you to deal with issues for the entire site.”
I’ve been trying to work out how to do that. There doesn’t currently seem to be much literature on how to do this with a Wordpress MU site (WPMU)
I did find this discussion thread: http://mu.wordpress.org/forums/topic/8791?replies=18
… which explains "The meta tag goes in the header.php file of the theme you are currently using … "
I’ll have to experiment with this and report back.
Best Wishes,
PRODOS
Greetings.
Reporting that I succeeded in getting THINKER TO THINKER .COM verified by Google Webmaster Tools.
I used the verification meta tag method as suggested by Kaleh (above).
… HOW …
In the /header.php file of the theme currently being used by THINKERTOTHINKER.COM I inserted the meta-tag code directly before </head>
After doing this I double-checked by going to my site and using View/Source to confirm the verification meta tag appeared correctly.
On my Google Webmaster Tools page I then proceeded to request a “verify”. This worked fine.
Kaleh had written: “I also think that if you were to use the meta-tag method at the root level, that will be adequate for you to deal with issues for the entire site.”
It seems this is correct since, as well as verifying THINKER TO THINKER .COM, I was informed of various subdomains (blogs) on my system that had also been detected as containing malware.
I used this site – http://www.blacklistdoctor.com/wam/ – to check that everything was now clean.
I then asked for my website to be reviewed.
Now we wait. :-)
Howdy.
Reporting that my blogs have been reviewed by Google and the “attack site” warning has been removed.
However, I’m still working with a colleague to identify the source of the vulnerability – otherwise the same thing could happen again. (Of course server and WinSCP passwords have been changed.)
I’ll post a note about anything useful we discover.
Bye for now.
Best Wishes,
PRODOS
Melbourne, Australia
