How does one clean up a server/site of "Undetermined malware"?

Droidzone Member
edited September 2015 in Help

Recently while visiting one of my Wordpress sites, I found a Google advisory that the site contained malware. Webmaster tools showed this:

I tried the online scanners that I could think of: Sucuri, Wordfence. Wordfence had already been installed, but other than an integrity check error for the Genesis theme (updated recently from the developer), it didn't comment on anything else. All online tools mentioned that the site was blacklisted by Google, but didn't find any specific malware.

A maldet scan hasn't detected anything. I'm also planning to run clamav, though I'm unsure whether it can detect these kinds of threats.

Anything else that I'm missing? I've covered the basics: disable unused and unnecessary plugins, themes etc. (being a WordPress installation). Please don't tell me to clean the server and reinstall. That's not viable, as the content and files are irreplaceable. I've also disabled Bidvertiser ads.

Comments

  • I was in the same situation, couldn't find anything.
    My situation got solved by misterhost.net for free after upgrading to a yearly plan. You could go with Sucuri if you want to spend hundreds of dollars.

    P.S. I am talking about my cPanel reseller plan, not VPS.

  • WHT said: My situation got solved by misterhost.net for free after upgrading to a yearly plan.

    What did they do?

  • No idea to be honest, probably my PC was hacked and someone uploaded some encrypted code into the index.php and .js files. Thank god it hasn't happened again.
    I was with Sucuri before, it was just $89 a year but now it's $199 I think.

  • What type of site is it?

  • @linuxthefish said:
    What type of site is it?

    I would assume WP as he mentioned Wordfence.

  • @linuxthefish said:
    What type of site is it?

    It's a WordPress MU blog network containing Android ROMs.

  • jhjh Member
    edited September 2015

    PM me your site's URL and I'll scan it for you, or use the "t" flag on "ls" to show recently modified stuff

  • Droidzone said: It's a WordPress MU blog network containing Android ROMs.

    Can users comment on stuff, or use HTML code? Even embedding an image from another website that is marked as malware can produce this warning...

    Please PM me your site URL and I'll take a look if it's OK!

  • Droidzone Member
    edited September 2015

    linuxthefish said: Can users comment on stuff, or use HTML code? Even embedding an image from another website that is marked as malware can produce this warning...

    No, commenting has been disabled for almost two years. The content has not been wilfully changed by me for almost the same amount of time.

    PMed the URL to both of you.

    Is there anything that can scan MySQL content for malware code?

  • Probably Google is trolling you / scaring you because they don't like third-party Android ROMs.

  • joepie91 Member, Patron Provider
    edited September 2015

    jh said: or use the "t" flag on "ls" to show recently modified stuff

    That won't always work. The more clever malware resets its own modification date to the original, so that it looks like nothing has changed. You'd have to compare hashes to be sure.

    From a prevention POV, auditd is a possibility... but it's hard to set up, and can get very noisy. You also have to explicitly specify kernel calls to monitor, so a kernel upgrade might mean that it stops working out of nowhere.
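An added example (not from anyone in this thread) of the hash comparison joepie91 describes: a baseline manifest of SHA-256 hashes for the web root, compared against the current state, so a file whose content was replaced but whose mtime was put back still shows up. The paths and the tampered file in the demo are constructed.

```python
import hashlib
import json
import os
import sys
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def compare_manifests(baseline, current):
    """Return (added, removed, modified) paths; modification is judged by hash alone, not mtime."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo_tamper_with_mtime_reset():
    """Constructed demo: append to a file, restore its timestamps, show the hash still flags it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        target = os.path.join(root, "wp-includes", "load.php")
        with open(target, "w") as f:
            f.write("<?php // original file (constructed)\n")
        baseline = build_manifest(root)
        before = os.stat(target)
        with open(target, "a") as f:
            f.write("// injected line (constructed, harmless)\n")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # put the mtime back
        mtime_changed = os.stat(target).st_mtime_ns != before.st_mtime_ns
        return compare_manifests(baseline, build_manifest(root)), mtime_changed

if __name__ == "__main__":
    # usage: integrity_check.py baseline.json /var/www/site  (first run writes the baseline)
    current = build_manifest(sys.argv[2])
    if not os.path.exists(sys.argv[1]):
        json.dump(current, open(sys.argv[1], "w"), indent=1)
    else:
        print(compare_manifests(json.load(open(sys.argv[1])), current))
```

Run it once on a known-clean install to write the baseline, then again after any suspicion; `ls -t` would miss the file in the demo, the hash comparison does not.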

  • "These pages directed users to a site that serves malware or unwanted software"

    This doesn't necessarily mean it's on your site, you could be linking to a site that has malware.

    Alternatively, they don't like the ROMs you're linking and placed a generic advisory on your domain.

  • Ishaq said: "These pages directed users to a site that serves malware or unwanted software"

    This doesn't necessarily mean it's on your site, you could be linking to a site that has malware.

    Yeah, but there's no content, including links, on the site that wasn't specifically added by me. So if there's something new linking to an external site containing malware, there's something wrong.

    Ishaq said: Alternatively, they don't like the ROMs you're linking and placed a generic advisory on your domain.

    Really? The site's been online since 2009, and provides custom ROMs for an outdated phone that's probably something of a collector's item.

  • @joepie91 not always but usually :)

  • @Droidzone said:
    Recently while visiting one of my Wordpress sites, I found a Google advisory that the site contained malware. Webmaster tools showed this:

    I tried the online scanners that I could think of: Sucuri, Wordfence. Wordfence had already been installed, but other than an integrity check error for the Genesis theme (updated recently from the developer), it didn't comment on anything else. All online tools mentioned that the site was blacklisted by Google, but didn't find any specific malware.

    A maldet scan hasn't detected anything. I'm also planning to run clamav, though I'm unsure whether it can detect these kinds of threats.

    Anything else that I'm missing? I've covered the basics: disable unused and unnecessary plugins, themes etc. (being a WordPress installation). Please don't tell me to clean the server and reinstall. That's not viable, as the content and files are irreplaceable. I've also disabled Bidvertiser ads.

    May I ask if you could show me the details in Google Webmaster Tools?
    I would like to see the details of why and what it is detecting, as a generic message doesn't tell me anything.

  • @timnboys said:
    I would like to see the details of why and what it is detecting, as a generic message doesn't tell me anything.

    There are no details. Clicking that button shows just an empty place holder.

  • @Droidzone said:
    There are no details. Clicking that button shows just an empty place holder.

    Really?
    Send me your link and I will check it, as it is most likely not you but a site you linked to.
    Do you host the files yourself, or does someone else host them?
    If someone else hosts them, it could be that they got infected (for example, today when trying to go to lcpdfr.com, avast! told me it was infected with html:script-inf),
    so that could possibly be what happened to you?

  • @timnboys said:

    It's a VPS on Prometeus, and I'm the only one with access to the server and sites.

  • @Droidzone said:

    Okay, I don't want to question your password, but in general I have my VPS passwords at 30+ characters to make them hard to crack (maybe because of my computer security training).
    Anyway, I would recommend changing your password first to something secure (you should probably treat it like a break-in; at least that is what I would do).

  • I have the root password disabled for SSH, and use keys. The site username and password are quite complex.

  • The page may not be on your server; use F12 to see what happens.

  • ricardo Member
    edited September 2015

    I'd sooner assume it is the WP installation itself rather than your container, particularly as it seems you have things well locked down.

    I'd suggest trying "Fetch as Googlebot" on Google's webmaster tools, as whatever is on your site seems to be detectable by them regardless of any potential cloaking.

    If you see something out of the ordinary, try dumping a back trace to see which functions are called within your WP installation, and that may help pinpoint anything running that shouldn't.

  • @ricardo said:
    I'd sooner assume it is the WP installation itself rather than your container, particularly as it seems you have things well locked down.

    I'd suggest trying "Fetch as Googlebot" on Google's webmaster tools, as whatever is on your site seems to be detectable by them regardless of any potential cloaking.

    If you see something out of the ordinary, try dumping a back trace to see which functions are called within your WP installation, and that may help pinpoint anything running that shouldn't.

    I would suggest that as well.
    As that will let you see what Google sees.

  • Droidzone Member
    edited September 2015

    timnboys said: I would suggest that as well. As that will let you see what Google sees.

    I can't seem to get it to fetch the subdomain. I add the subdomain, and it gets somehow "merged" with the main domain. I get options to fetch the main domain, but not the subdomain. The main domain and other subdomains don't show that Google warning.

    Edit: Fixed that after adding another owner and adding just the subdomain for that account.

  • ricardo Member
    edited September 2015

    Try just spoofing the user agent.

    curl -iL -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "http://www.example.com/"

    If it's more sophisticated it may also be checking for Google's IP ranges.

  • Droidzone Member
    edited September 2015

    ricardo said: Try just spoofing the user agent.

    Already tried that, and grepped for eval and iframe. Anything else that I should be looking for?

  • Could be anything, the payload could be obfuscated in an image or something as novel. Just look at the source code of the fetched page for anything that shouldn't be there, hopefully you see something and then do a backtrace.
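An added example (not code from anyone in the thread) that builds on ricardo's curl suggestion: fetch the same page as a normal browser and as Googlebot, extract every tag that can pull content from or redirect to another host, and report only the off-site references served to Googlebot. It uses only the standard library; the user-agent strings, host names and HTML in the test are constructed, and as ricardo notes, a check that looks at Google's IP ranges rather than the user agent would not be caught this way.

```python
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"

class RefCollector(HTMLParser):
    """Collects tags that can load content from, or redirect to, another host."""
    def __init__(self):
        super().__init__()
        self.refs = set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "frame", "embed") and a.get("src"):
            self.refs.add((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.refs.add((tag, a.get("content", "")))

def collect_refs(html):
    p = RefCollector()
    p.feed(html)
    return p.refs

def external_refs(refs, site_host):
    """Keep only references whose host is not the site itself (relative URLs are dropped)."""
    out = set()
    for tag, value in refs:
        url = value.split("url=", 1)[1] if tag == "meta" and "url=" in value else value
        host = urlsplit(url.strip()).hostname
        if host and host != site_host.lower():
            out.add((tag, value))
    return out

def cloaking_diff(browser_html, bot_html, site_host):
    """Off-site references present in the Googlebot response but absent from the browser one."""
    return external_refs(collect_refs(bot_html), site_host) - external_refs(collect_refs(browser_html), site_host)

def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    url = sys.argv[1]  # e.g. http://www.example.com/
    host = urlsplit(url).hostname
    for tag, ref in sorted(cloaking_diff(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host)):
        print(f"served only to Googlebot: <{tag}> -> {ref}")
```

An empty result does not prove the page is clean (the injected content may be served to everyone, or keyed on something other than the user agent); a non-empty one is where to start the backtrace ricardo describes.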

  • Surprised Maldetect hasn't been mentioned yet, that will help you find malware.

    Or you can use Security Ninja: http://codecanyon.net/item/security-ninja/577696

  • Licensecart said: Surprised Maldetect hasn't been mentioned yet, that will help you find malware.

    Probably because I mentioned it in the OP. :)
