Malware

39 views
Skip to first unread message

Angela Bengtson

unread,
Jun 13, 2013, 10:40:11 AM6/13/13
to mpls-stpau...@googlegroups.com
My church site is apparently infected with some sort of virus ... and my host said I should "ask your web developer if they have run into this b4 and if they know what to do" ... unfortunately I don't have a web developer ... it's just me .... 

Here's the messages I'm getting (intermittently)

Can anyone point me in the right direction?

--
Angela Bengtson
Communications & Membership
Zion Lutheran Church
1200 Highway 25 South
PO Box 88
Buffalo, MN 55313
6-13-2013 7-59-42 AM.png
6-12-2013 7-04-07 PM.png

Nicholas Ciske

unread,
Jun 13, 2013, 11:52:36 AM6/13/13
to mpls-stpau...@googlegroups.com
How do I know if my site's been infected?

Sucuri says your sites looks clean, but that may be a false positive (some malware tries to hide itself from scanners).

My advice (since you don't have a developer, but even if you did):
Invest in a Sucuri plan, have them clean it up, then find another host... any host this clueless (and unable to type complete words) is not a good place to be. At $90/year, it's cheaper than having a competent dev clean it up and (hopefully) you won't get infected again (as their plugin blocks a host of attacks) and once you're on a list of vulnerable sites, you'll probably be attacked again.


(Affiliate link, in case you want to have Sucuri pay me a pittance for the referral).

_________________________
Nick Ciske
@nciske

Peter Fleck

unread,
Jun 13, 2013, 11:58:21 AM6/13/13
to MSP Wordpress
Is it possible the server itself is infected? It might be deeper than WordPress.

Peter
> --
> You received this message because you are subscribed to the Google Groups
> "Minneapolis St. Paul WordPress User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to mpls-stpaul-word...@googlegroups.com.
> To post to this group, send email to mpls-stpau...@googlegroups.com.
> Visit this group at
> http://groups.google.com/group/mpls-stpaul-wordpress?hl=en-US.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>



--
Peter Fleck
Blog: http://pfhypertheblog.wordpress.com/
Twitter: http://twitter.com/pfhyper
pfh...@gmail.com
PF Hyper LLC
http://pfhyper.com
Community Work:
http://sewardprofile.wordpress.com

Angela Bengtson

unread,
Jun 13, 2013, 5:23:34 PM6/13/13
to mpls-stpau...@googlegroups.com
Or where I might find someone we can pay to help us deal with this ...

Nick Pelton

unread,
Jun 13, 2013, 5:54:08 PM6/13/13
to mpls-stpau...@googlegroups.com

I don't see any obvious malware in your site code and Google apparently didn’t either: http://www.google.com/safebrowsing/diagnostic?site=http://zionbuffalo.org/


Says your site is listed as suspicious but has no records of malicious code in the last 90 days...


Next step would be to create a Google Webmaster tools account and request a review since it looks like a mistake.


Thanks,

Nick P.

--
You received this message because you are subscribed to the Google Groups "Minneapolis St. Paul WordPress User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mpls-stpaul-word...@googlegroups.com.
To post to this group, send email to mpls-stpau...@googlegroups.com.

Angela

unread,
Jun 14, 2013, 7:23:28 AM6/14/13
to mpls-stpau...@googlegroups.com, aben...@zionbuffalo.org
Thank you all for your advice re my malware message.

I've not been able to get the verification to work yet in Google Webmaster Tools. 

I've signed up for Sucuri and submitted a support ticket. 

Angela Bengtson

unread,
Jun 14, 2013, 8:40:13 AM6/14/13
to mpls-stpau...@googlegroups.com
Especially Nick :) 

Sucuri worked fast!

For anyone who was interested here's what the report said

OK: Hardened upload directory (./wp-content/uploads)
OK: Hardening ./wp-admin/wp-admin/setup-config.php on WordPress
OK: Hardening ./wp-admin/setup-config.php on WordPress
CLEARED: Cleared malware from file: ./w.php. Details: http://sucuri.net/malware/backdoor-phpfilesman02
CLEARED: Found backdoor (malware) on file: ./2b55087b640bfe4bdbb777a5ea3d2b5dfc2bb529.php


Angela Bengtson

unread,
Jun 14, 2013, 8:43:39 AM6/14/13
to mpls-stpau...@googlegroups.com
Oh, I meant to ask ... does anyone know if that means users of our site were actually at risk or not and if so what they should look for?

Nicholas Ciske

unread,
Jun 15, 2013, 10:45:28 AM6/15/13
to mpls-stpau...@googlegroups.com
Possibly. What they cleaned was a backdoor script that allowed the attacher to remotely upload infections.

The intermittent notices mean there was malware there at some point. It may be that the attacker was cycling the malware on and off (and/or changing it) to avoid detection.

Regardless, the safe thing would be to let your congregation (and site visitors, via a modal popup or other notice) know that if they've visited the site in the last X days a virus/malware scan would not be a bad idea. Less so if they are on Mac/iOS*, more so if they are on Windows or an older Android phone.

Free scanners exist for Mac and Windows. But I haven’t used Windows in ages so I'm not sure what's the best one these days.

For Macs (reviews are mixed but it'd better than nothing):

Sophos also have free tool for Windows (reviews are mixed but it'd better than nothing):

* Malware is much more rare on these platforms.

_________________________
Nick Ciske
@nciske


Angela

unread,
Jun 20, 2013, 3:39:57 PM6/20/13
to mpls-stpau...@googlegroups.com
One more update ... It took until today to really get this dealt with in the end. 
After 3 rounds of them thinking everything was fine and Google saying no, they did track it down to a problem with our host's server and worked with him to get that fixed. Sucuri was awesome to work with.
//Angela.
Reply all
Reply to author
Forward
0 new messages