    How does one clean up a server/site of "Undetermined malware"?

    Droidzone Member
    edited September 2015 in Help

    Recently while visiting one of my Wordpress sites, I found a Google advisory that the site contained malware. Webmaster tools showed this:

    I tried the online scanners that I could think of: Sucuri, Wordfence. Wordfence had already been installed, but other than an integrity check error for the Genesis theme (updated recently from the developer), it didn't comment on anything else. All online tools mentioned that the site was blacklisted by Google, but didn't find any specific malware.

    A maldet scan hasn't detected anything. I'm also planning to run clamav though I'm unsure of whether it can detect these kind of threats.

    Anything else that I'm missing? I've covered the basics: disable unused and unnecessary plugins, themes etc. (being a Wordpress installation). Please don't tell me to clean the server and reinstall. That's not viable, as the content and files are irreplaceable. I've also disabled Bidvertiser ads.

    C, Bash, Perl, Python, PHP, and JS hobbyist. VPS collector. Blog

    Comments

    • I was in the same situation, couldn't find anything.
      My situation got solved by misterhost.net for free after upgrading to a yearly plan. You could go with Sucuri if you want to spend hundreds of dollars.

      P.S. I am talking about my cPanel reseller plan, not a VPS.

    • WHT said: My situation got solved by misterhost.net for free after upgrading to yearly plan.

      What did they do?


    • No idea to be honest, probably my PC was hacked and someone uploaded some encrypted code in the index.php and .js files. Thank god it hasn't happened again.
      I was with Sucuri before; it was just $89/year but now it's $199 I think.

    • What type of site is it?

    • @linuxthefish said:
      What type of site is it?

      I would assume WP as he mentioned Wordfence.

      Taking a hiatus.

    • @linuxthefish said:
      What type of site is it?

      It's a wordpress mu blog network containing Android roms.


    • jh Member
      edited September 2015

      PM me your site's URL and I'll scan it for you, or use the "t" flag on "ls" to show recently modified stuff


      Greetings of the day!!!!

    • Droidzone said: It's a wordpress mu blog network containing Android roms.

      Can users comment on stuff, or use HTML code? Even embedding an image from another website that is marked as malware can produce this warning...

      Please PM me your site URL and I'll take a look if it's OK!

    • Droidzone Member
      edited September 2015

      linuxthefish said: Can users comment on stuff, or use HTML code? Even embedding an image from another website that is marked as malware can produce this warning...

      No, commenting has been disabled for almost two years. The content has not been wilfully changed by me for almost the same amount of time.

      PMed the URL to both of you.

      Is there anything that can scan the MySQL database for malware code?


    • Probably Google is trolling you / scaring you because they don't like third-party Android ROMs.

    • joepie91 Member, Provider
      edited September 2015

      jh said: or use the "t" flag on "ls" to show recently modified stuff

      That won't always work. The more clever malware resets its own modification date to the original, so that it looks like nothing has changed. You'd have to compare hashes to be sure.

      From a prevention POV, auditd is a possibility... but it's hard to set up, and can get very noisy. You also have to explicitly specify kernel calls to monitor, so a kernel upgrade might mean that it stops working out of nowhere.
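      A baseline-hash check of the kind joepie91 describes, written as an added example (not code posted in the thread): it records a sha256 and mtime per file, then reports content changes separately depending on whether the mtime still matches the baseline, which is exactly the case `ls -t` misses. The `demo` scenario builds a throwaway directory with constructed PHP files; file names and the appended comment are assumptions.

      ```python
      # Hash-based change detection for a web root (added example, not from the thread).
      import hashlib
      import os
      import tempfile
      from pathlib import Path


      def snapshot(root: Path) -> dict:
          """Record the sha256 and mtime of every regular file under root."""
          baseline = {}
          for path in sorted(p for p in root.rglob("*") if p.is_file()):
              rel = path.relative_to(root).as_posix()
              baseline[rel] = {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                               "mtime": int(path.stat().st_mtime)}
          return baseline


      def compare(root: Path, baseline: dict) -> dict:
          """Classify every difference between the current tree and the baseline."""
          current = snapshot(root)
          report = {"added": [], "modified": [], "timestomped": [], "removed": []}
          for rel, cur in current.items():
              old = baseline.get(rel)
              if old is None:
                  report["added"].append(rel)
              elif cur["sha256"] != old["sha256"]:
                  # Content changed but mtime unchanged: ls -t would never surface it.
                  bucket = "timestomped" if cur["mtime"] == old["mtime"] else "modified"
                  report[bucket].append(rel)
          report["removed"] = sorted(set(baseline) - set(current))
          return report


      def demo() -> dict:
          """Constructed scenario: one edit with its mtime restored, one new file."""
          with tempfile.TemporaryDirectory() as tmp:
              root = Path(tmp)
              (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
              (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
              baseline = snapshot(root)
              target = root / "index.php"
              st = target.stat()
              target.write_text("<?php echo 'hello'; /* appended */ ?>\n")
              os.utime(target, (st.st_atime, st.st_mtime))  # put the old mtime back
              (root / "wp-content").mkdir()
              (root / "wp-content" / "cache.php").write_text("<?php /* new file */ ?>\n")
              return compare(root, baseline)
      ```

      In practice the baseline is taken right after a clean install or update and stored off the server, so a compromised host cannot rewrite it along with the files.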

    • Ishaq Member, Provider

      "These pages directed users to a site that serves malware or unwanted software"

      This doesn't necessarily mean it's on your site, you could be linking to a site that has malware.

      Alternatively, they don't like the ROMs you're linking and placed a generic advisory on your domain.

      [BudgetNode] DDoS Protected. 7 Locations (US/EU). Check out our latest offer!
    • Ishaq said: "These pages directed users to a site that serves malware or unwanted software"

      This doesn't necessarily mean it's on your site, you could be linking to a site that has malware.

      Yeah, but there's no content including links on the site that wasn't specifically added by me. So if there's something new linking to an external site containing malware, there's something wrong.

      Ishaq said: Alternatively, they don't like the ROMs you're linking and placed a generic advisory on your domain.

      Really? The site's been online since 2009, and provides custom ROMs for an outdated phone that's probably something of a collector's item.


    • @joepie91 not always but usually :)


    • @Droidzone said:
      Recently while visiting one of my Wordpress sites, I found a Google advisory that the site contained malware. Webmaster tools showed this:

      I tried the online scanners that I could think of: Sucuri, Wordfence. Wordfence had already been installed, but other than an integrity check error for the Genesis theme (updated recently from the developer), it didn't comment on anything else. All online tools mentioned that the site was blacklisted by Google, but didn't find any specific malware.

      A maldet scan hasn't detected anything. I'm also planning to run clamav though I'm unsure of whether it can detect these kind of threats.

      Anything else that I'm missing? I've covered the basics: disable unused and unnecessary plugins, themes etc. (being a Wordpress installation). Please don't tell me to clean the server and reinstall. That's not viable, as the content and files are irreplaceable. I've also disabled Bidvertiser ads.

      May I ask if you could show me the details in Google Webmaster Tools?
      I would like to see the details of why and what it is detecting, as a generic message doesn't tell me anything.

      CubeData FraudRecord Module: https://cubedata.net/fraudrecord OpenNebula module: https://cubedata.net/opennebula now for blesta & whmcs

    • @timnboys said:
      I would like to see the details of why and what it is detecting, as a generic message doesn't tell me anything.

      There are no details. Clicking that button shows just an empty placeholder.


    • @Droidzone said:
      There are no details. Clicking that button shows just an empty placeholder.

      Really?
      Send me your link and I will check it, as it is most likely not you but a site you linked to.
      Do you host the files yourself, or does someone else host them?
      If someone else hosts them, they could have been infected (for example, today when trying to go to lcpdfr.com, avast! told me it was infected with html:script-inf),
      so that could possibly be what happened to you.


    • @timnboys said:

      It's a vps on Prometeus, and I'm the only one with access to server and sites.


    • @Droidzone said:

      Okay, I don't want to question your password, but in general I give my VPSs passwords of 30+ characters to make them hard to crack (maybe because of my computer security training).
      Anyway, I would recommend changing your password first to something secure (you should probably treat it like a break-in; at least that is what I would do).


    • I have root password login disabled for SSH, and use keys. The site username and password are quite complex.


    • The page may not be on your server; use F12 to see what happens.

    • ricardo Member
      edited September 2015

      I'd sooner assume it is the WP installation itself rather than your container, particularly as it seems you have things well locked down.

      I'd suggest trying "Fetch as Googlebot" on Google's webmaster tools, as whatever is on your site seems to be detectable by them regardless of any potential cloaking.

      If you see something out of the ordinary, try dumping a back trace to see which functions are called within your WP installation, and that may help pinpoint anything running that shouldn't.

    • @ricardo said:
      I'd sooner assume it is the WP installation itself rather than your container, particularly as it seems you have things well locked down.

      I'd suggest trying "Fetch as Googlebot" on Google's webmaster tools, as whatever is on your site seems to be detectable by them regardless of any potential cloaking.

      If you see something out of the ordinary, try dumping a back trace to see which functions are called within your WP installation, and that may help pinpoint anything running that shouldn't.

      I would suggest that as well, as that will let you see what Google sees.


    • Droidzone Member
      edited September 2015

      timnboys said: I would suggest that as well, as that will let you see what Google sees.

      I can't seem to get it to fetch the subdomain. I add the subdomain, and it gets somehow "merged" with the main domain. I get options to fetch the main domain, but not the subdomain. The main domain and other subdomains don't show that Google warning.

      Edit: Fixed that after adding another owner and adding just the subdomain for that account.


    • ricardo Member
      edited September 2015

      Try just spoofing the user agent.

      curl -iL -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "http://www.example.com/"
      

      If it's more sophisticated it may also be checking for Google's IP ranges.

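      ricardo's two-fetch idea turned into a script, as an added example (not code from the thread): the same URL is retrieved once with a browser user agent and once with the Googlebot string he passes to `curl -A`, and any off-site script, iframe, link or image target that appears only in the crawler's copy is reported as the cloaked part. The demo runs offline on two constructed HTML responses; the `fetch` helper, the sample markup and the `payload-host.invalid` name are assumptions.

      ```python
      # Compare the normal and Googlebot view of a page (added example, not from the thread).
      from html.parser import HTMLParser
      from urllib.parse import urlparse
      import urllib.request

      # The user agent ricardo passes to curl -A; sent here via urllib instead.
      GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
      REF_ATTRS = {"script": "src", "iframe": "src", "a": "href", "img": "src"}


      class RefCollector(HTMLParser):
          """Collect (tag, host) for every reference that points at another host."""

          def __init__(self, own_host: str):
              super().__init__()
              self.own_host = own_host
              self.refs = set()

          def handle_starttag(self, tag, attrs):
              attr = REF_ATTRS.get(tag)
              value = dict(attrs).get(attr) if attr else None
              host = urlparse(value).hostname if value else None
              if host and host != self.own_host:
                  self.refs.add((tag, host))


      def external_refs(html: str, own_host: str) -> set:
          parser = RefCollector(own_host)
          parser.feed(html)
          return parser.refs


      def injected_refs(normal_html: str, bot_html: str, own_host: str) -> set:
          """Off-site references served only to the crawler: the cloaked part."""
          return external_refs(bot_html, own_host) - external_refs(normal_html, own_host)


      def fetch(url: str, user_agent: str) -> str:
          """Fetch url with a chosen User-Agent (needs network; the demo below does not)."""
          req = urllib.request.Request(url, headers={"User-Agent": user_agent})
          with urllib.request.urlopen(req, timeout=15) as resp:
              return resp.read().decode("utf-8", "replace")


      # Constructed stand-ins for two fetches of http://example.com/ with different UAs.
      NORMAL_HTML = ('<html><body><script src="/wp-includes/js/jquery.js"></script>'
                     '<a href="http://example.com/roms/">ROMs</a></body></html>')
      BOT_HTML = NORMAL_HTML.replace(
          "</body>", '<iframe src="http://payload-host.invalid/x.php" width="0"></iframe></body>')
      ```

      Against a live site, `injected_refs(fetch(url, browser_ua), fetch(url, GOOGLEBOT_UA), host)` gives the same comparison; as ricardo notes, an empty result does not rule out cloaking keyed on Google's IP ranges rather than the user agent.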
    • Droidzone Member
      edited September 2015

      ricardo said: Try just spoofing the user agent.

      Already tried that, and 'grep'ed for eval and iframe. Anything else that I should be looking for?


    • Could be anything, the payload could be obfuscated in an image or something as novel. Just look at the source code of the fetched page for anything that shouldn't be there, hopefully you see something and then do a backtrace.

    • Surprised Maldetect hasn't been mentioned yet, that will help you find malware.

      Or you can use Security Ninja: http://codecanyon.net/item/security-ninja/577696

      Blesta.Store - Blesta specialists
      Atlanical - Social Network Management

    • Licensecart said: Surprised Maldetect hasn't been mentioned yet, that will help you find malware.

      Probably because I mentioned it in the OP. :)

