I'm a new developer and a client site is infected with malware.

09-11-2012, 08:06 PM
Hello friends,

I just registered on the site as I've run into a roadblock and have absolutely no idea what to do. I started learning HTML/CSS/JS about 2 years ago and started "helping"/taking clients to get some experience professionally.

I'm not overly fluent outside basic front end but am capable of using Google/learning. Anyhow, to the point. A site I built that I won't disclose (it's got auto-download JS malware) has been infected.

At first I did a site scan through Sucuri that turned up 3 potential risks. I researched the ones there, did some updates to plugins and CMS versions, and somehow that uncovered 19 more malicious files.

At this point I have no idea what to do. Is it smarter to just advise the client to pay the $120 through online security companies to clean the site, or is there an easier way for me to manage this?

If I'm being unclear, I apologize, still in the middle of learning :)

If you have any advice or questions, please let me know.

09-11-2012, 08:14 PM
Not enough info ...

Is it their own server or a shared webhost ... and who is the webhost (if it pertains)?

What is their CMS? A system like WordPress, Joomla, Drupal, or some other custom system?

Which server-side scripting language is it: PHP, ASP, Perl?

Can you give us a link to the affected site?


09-11-2012, 09:28 PM
Thanks for the quick reply, appreciate it!

It's a shared webhost, not managed by myself. Jumplaunch owns the servers, not sure who they purchased from.

CMS: WordPress
Scripting Language: PHP

This client came to me with this site, unhappy with the guy who built it. The way it's been put together is beyond my skill set right now; I've just started learning PHP.

I feel weird sharing a link to a site with viruses on it but all the same:


I'm assuming based on your questions that problems like this can afflict either a site/domain or an entire server?

Thanks again.

09-11-2012, 09:59 PM
How do you know it's malware?

It's a WordPress site that looks current: 3.4.2

Would you be willing to PM one of us and we can view the website files?
I realize you don't know any of us, but that would be an option.

09-11-2012, 10:46 PM
How do you know it's malware?

It's a WordPress site that looks current: 3.4.2

Would you be willing to PM one of us and we can view the website files?
I realize you don't know any of us, but that would be an option.

I suppose to be frank, I don't.

Here's what I've done so far:

Using this site (sitecheck.sucuri.net) I did an initial scan for malware. Its accuracy is unknown to me.

It gave me these results: http://imgur.com/0u5rn

So that "scan" turned up this name:
Malware entry: MW:JS:160

This is where I start researching like a SOB; found a free copy of virus scan software and removed a Blackhole trojan (Viruses, Cookies, Trojans Quarantined: JS/Exploit-Blacole.eu) from my comp within 2 days of this discovery.

From there I logged into the dashboard of WordPress and installed "Anti-Malware by GOTMLS.net" and scanned the site again after doing all the updates to the site.

And I got this: http://imgur.com/uP69L

I tracked down the files through FTP but that didn't do me any good because I don't know the code well enough to locate anything added after the fact.

09-12-2012, 12:05 AM
It is certainly compromised. You will need to restore it from a clean backup. If you don't have one then unfortunately you need to start from scratch, change your FTP access info and use a freshly made new database with a new username and password.

This is because you have no idea what files have been compromised beyond the files that have been added on.

In future, try and make sure that you use as many security tools as possible to keep your website secure. Use strong passwords.

09-12-2012, 12:09 AM
Also you have no idea what information they may have captured from your existing site. And the purpose of the hack.

WordPress, along with other CMSes, is plagued with insecurities. It takes a few clicks to flood an admin user with countless never-ending password resets, as the wp-admin folder can't be changed.

It's a bad place to be in.

09-12-2012, 12:11 AM
P.S. In future sites, add an HTML or PHP redirect back to the base URL in every directory in the installation, using an HTML redirect where an index.php file already exists.

It'll add a little more security. And get rid of that wp generator tag.

Sorry for the triple post. On here via my mobile.

09-12-2012, 12:28 AM
Noob questions incoming:

1) What other security tools could have been used? The research I did basically said keep versions and plugins updated.

2) Should I contact their webhost to have things cleaned?

3) Does how they got in, or how it happened, even matter? They are worried their old developer did this. Could it be a person, or are there programs constantly trolling the internets looking for holes like these?

Side note: "in future sites add a HTML or php redirect back to the base URL into every directory in the installation, using a HTML redirect where an index.php file already exists. "

Not entirely sure what that means as I haven't started writing too much PHP yet. I've taken note of it and I'm sure it will make more sense as time goes on.

Thanks for the help guys.

09-12-2012, 01:23 AM
1) You should be able to find security tools/plugins that will actively deny SQL injections, DDoS attempts and so forth. I've stayed away from WP for quite some time now so I wouldn't be particularly up to date with these. Other things include .htaccess modifications and password-protecting the admin directory. If you just Google for security tips relating to WordPress you should find a tonne of useful sites.

2) The web host most likely will disable your site as soon as you tell them, and will ask you to wipe the domain and restore a clean backup of the site. Any responsible host will do this as, again, there is no way of telling how extensive the compromise was to your existing files. They've modified the template at least, to link the site to the malicious JavaScript files. The host has no contractual obligation, need or want, really, to clean up an infected domain. Their interest is to purge it to limit the collateral damage it may cause, more so if it is a shared server.

3) It is extremely unlikely the old developer did this. More likely is one or both of two scenarios, not including SQL injection: a) the previous developer was complacent with passwords and security, and/or b) they downloaded the template/plugin from a source other than the author's website, if they used one. Maybe a warez-type website, which will often provide modified templates preloaded with the vulnerability inside.

Due to the vast array of possibilities, there's not much point in clutching at straws, of which there are countless amounts.

Re side note: most hackers will try to first find what CMS you are using. The easiest way to get to that is either with the generator tag, which makes it obvious, or the admin directory. The most popular use default settings or cannot be changed, like WordPress/Joomla for instance. They also tend to give the first user a default user ID, that first user always being a super admin. It makes these installations a lot easier to attack with an injection.

As such it is highly recommended that you add an extra layer of security to these directories or try to limit access however best possible. The redirects I mentioned are useful to make it seem a file or directory does not exist.

I would say that it is best that you start all over.
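An added example (not the poster's code, and not WordPress's own) of the two pieces of advice in this reply and the earlier "P.S.": dropping the generator tag and placing a redirect index file into every directory that has none. The generator tag part is a one-liner for the active theme's functions.php, `remove_action('wp_head', 'wp_generator');` (both `wp_head` and `wp_generator` are real WordPress hook names). The script below handles the directory part: it walks a WordPress install and writes a stub index.php wherever no index.php or index.html exists. The paths and base URL in it are placeholders, and `--dry-run` lets you see what would be written first.

```php
<?php
// Added example for this thread, not the poster's code or WordPress's own.
// Walks a WordPress install and writes a redirect index.php into every
// directory that has no index.php or index.html of its own, which is what
// "a redirect back to the base URL in every directory" amounts to.
// Directories that already have an index.php are left alone: the thread's
// advice there is an HTML redirect, which is a per-file manual decision.
//
// Usage (paths and URL are placeholders):
//   php add_index_redirects.php /var/www/example https://example.com/ --dry-run

function redirectStub(string $baseUrl): string
{
    // Hard-code the destination instead of reading $_SERVER['HTTP_HOST'],
    // so a forged Host header cannot turn the stub into an open redirect.
    $target = var_export($baseUrl, true);
    return "<?php\nheader('Location: ' . $target, true, 301);\nexit;\n";
}

function directoriesNeedingIndex(string $root): array
{
    $dirs = [rtrim($root, '/')];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if ($entry->isDir()) {
            $dirs[] = $entry->getPathname();
        }
    }
    // Keep only directories with no index file at all.
    return array_values(array_filter($dirs, function (string $dir): bool {
        return !file_exists("$dir/index.php") && !file_exists("$dir/index.html");
    }));
}

$root    = $argv[1] ?? '';
$baseUrl = $argv[2] ?? '';
$dryRun  = in_array('--dry-run', $argv, true);
if ($root === '' || $baseUrl === '' || !is_dir($root)) {
    fwrite(STDERR, "usage: php add_index_redirects.php <wordpress-root> <base-url> [--dry-run]\n");
    exit(1);
}

$stub = redirectStub($baseUrl);
foreach (directoriesNeedingIndex($root) as $dir) {
    echo ($dryRun ? '[dry-run] would write ' : 'writing ') . "$dir/index.php\n";
    if (!$dryRun) {
        file_put_contents("$dir/index.php", $stub);
    }
}
```

Run it against a clean, freshly restored install rather than the compromised one, since the thread's consensus is to wipe and reinstall first; the stubs only hide directory listings and stray directories, they do not fix anything already injected.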

09-12-2012, 01:42 AM
Common security holes are poorly programmed CMS modules/plugins, usually web forms that don’t do enough security checks for their input. Spammers then usually insert hidden iframes into the site that load the malware. Also, it has been noted that some WordPress themes are compromised or specifically programmed with obfuscated code that could be malware. A good read on this is at http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/. Another thing that’s good to know is that some malware/spam robots look for characteristic code sequences or text strings in the HTML source code, such as meta tags with clear indication about which CMS is used, and which version (things like “powered by WordPress” or similar). That way they can easily find out who is using a system with known security holes. So always remove these version notes or any indication about the CMS used if possible.

That said, I can only agree with evo in that it’s best to remove everything and reinstall from scratch. It should usually suffice to delete all files from the server and clear/delete the database to clean up a webspace (changing all passwords (FTP/database) is advisable, too). If the host’s servers aren’t infected themselves (which we can usually assume they aren’t) that should get rid of any malware that affects your site because after all, malware is just software and consisting of regular files, too.

Also, there are a few security measures you can add with a few htaccess rules (http://perishablepress.com/stupid-htaccess-tricks/#security) to block known evil scripts, for example.
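As an added example (not from the thread and not any product's code), here is the kind of read-only triage the last two replies imply and that the original poster was missing when looking through FTP: scan a copy of the site files for hidden iframes and obfuscated loaders so that files added "after the fact" can be found and read before deciding what to keep from a backup. The patterns and the sample footer are constructed for illustration. The rules will produce false positives, since legitimate plugins use base64_decode too, so a hit is a file to inspect, not a file to delete.

```php
<?php
// Added example for this thread, not the poster's code or any product's.
// Read-only triage scanner: walks a copy of the site files and reports lines
// matching patterns typical of injected code described in the thread
// (hidden iframes, eval(base64_decode(...)) loaders, long encoded blobs).
// The rules are constructed heuristics and will flag some legitimate code.
// Usage: php triage_scan.php /path/to/site-copy   (path is a placeholder)
// With no argument it scans an embedded constructed sample instead.

const SUSPICIOUS = [
    // iframe hidden via CSS or zero size, the classic malware loader
    'hidden_iframe'   => '/<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*["\']?0|height\s*=\s*["\']?0)[^>]*>/i',
    // eval of decoded/decompressed data: obfuscated PHP backdoor shape
    'eval_decode'     => '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    // a very long base64 literal fed straight to base64_decode
    'long_base64'     => '/base64_decode\s*\(\s*["\'][A-Za-z0-9+\/=]{200,}/',
    // preg_replace with the /e modifier (code execution in old PHP)
    'preg_replace_e'  => '/preg_replace\s*\(\s*["\'][^"\']*\/[a-z]*e[a-z]*["\']/i',
    // long runs of \xNN escapes used to hide strings
    'hex_escape_blob' => '/(?:\\\\x[0-9a-f]{2}){20,}/i',
];

// Scan one file's content; returns one hit per matching rule with line number.
function scanString(string $content, string $label = '<string>'): array
{
    $hits = [];
    foreach (SUSPICIOUS as $name => $regex) {
        if (preg_match($regex, $content, $m, PREG_OFFSET_CAPTURE)) {
            $line = 1 + substr_count(substr($content, 0, $m[0][1]), "\n");
            $hits[] = [
                'file'    => $label,
                'rule'    => $name,
                'line'    => $line,
                'snippet' => substr($m[0][0], 0, 80),
            ];
        }
    }
    return $hits;
}

// Recursively scan PHP/JS/HTML files under $root; nothing is modified.
function scanTree(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!preg_match('/\.(php|js|html?|inc)$/i', $file->getFilename())) {
            continue;
        }
        $content = file_get_contents($file->getPathname());
        if ($content === false) {
            continue;
        }
        foreach (scanString($content, $file->getPathname()) as $hit) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample of what an injected theme footer.php can look like.
// It is only a string here and is never executed.
$sample = "<?php\n"
    . "// theme footer\n"
    . "echo '<iframe src=\"http://example.invalid/x\" style=\"display:none\"></iframe>';\n"
    . "eval(base64_decode('aGVsbG8='));\n";

if (PHP_SAPI === 'cli') {
    $hits = (isset($argv[1]) && is_dir($argv[1]))
        ? scanTree($argv[1])
        : scanString($sample, 'sample-footer.php');
    foreach ($hits as $hit) {
        printf("%s:%d [%s] %s\n", $hit['file'], $hit['line'], $hit['rule'], $hit['snippet']);
    }
}
```

On the embedded sample this reports a `hidden_iframe` hit on line 3 and an `eval_decode` hit on line 4. Diffing the flagged files against a pristine copy of the same WordPress, theme and plugin versions is the quickest way to separate injected code from legitimate obfuscation.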