Timeline for Website infected with unwanted "redirections", apparently via javascript code
Current License: CC BY-SA 3.0
7 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Feb 2, 2015 at 21:33 | comment | added | zipzit | WireGhoul, right you are. Virgin code everywhere. Total rebuild required from the ground up. (Why didn't they think of that last year when they were first hit? I was most unhappy when the guy told me, "oh, yeah, we saw that last month." Ugh.) I think we're going to do a manual review of the XML code from WordPress export, instead of using the DB. I'm not certain I can automate the search for all the errant code. Too many variants. | |
| Feb 2, 2015 at 21:19 | comment | added | wireghoul | It sounds like you're dealing with an adversary that has the experience to ensure they have one or more backdoors in place every time they inject malicious code. Or a hosting provider that is running vulnerable software. I would start with a fresh install, clean database or at least a manual review of any data you import and ideally not on a shared server that is up to date on its patch levels. Analysing your log files and comparing them to file modification/creation dates may hold some clues as to how the attackers are accessing their tools and how you can stop it. | |
| Feb 2, 2015 at 17:34 | comment | added | zipzit | We've kept very close watch on .htaccess files. They have seemed clean throughout. My belief is that an evildoer has root access to the Virtual Private Server and once a week he plays games. One week this JS thing in the database, the week before an eval(base64_decode... I didn't know this site has been hit a lot. The site owner is insistent on using bandaids. I've convinced the business owner to go elsewhere and start fresh with all new passwords and better security. | |
| Jan 31, 2015 at 7:23 | history | undeleted | wireghoul | ||
| Jan 31, 2015 at 7:23 | history | edited | wireghoul | CC BY-SA 3.0 | added 95 characters in body |
| Jan 30, 2015 at 12:34 | history | deleted | wireghoul | via Vote | |
| Jan 30, 2015 at 12:33 | history | answered | wireghoul | CC BY-SA 3.0 |