Author Topic: [SPLIT] garethplu  (Read 26886 times)

0 Members and 1 Guest are viewing this topic.

May 20, 2009, 08:22:29 pm
Reply #15

garethplu

  • Jr. Member

  • Offline
  • **

  • 12
Damn.

I've tried a feed validator http://feedvalidator.org/check.cgi?url=http%3A%2F%2Fwww.stadiatech.com%2Ffeed#l241

and it tells me that line 241 is wrong.  I have been using the Wordpress forum for two days now but the operator of the forum keeps tell me to find the code.  Im not sure how to find the code, what code Im looking for or what to if I find it.

I have changed my FTP password btw.

May 20, 2009, 08:45:25 pm
Reply #16

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
The feed likely won't validate whilst the code is present.

Follow the steps below to clean it out;

1. Login to your site via FTP
2. Delete the contents of the htdocs/wwwroot/public_html (or whichever it's called) folder
3. Download the following and extract the contents;

http://wordpress.org/latest.zip

4. Upload the ENTIRE contents of the zip

IMPORTANT: You MUST ensure you make a copy of your wp-config.php file BEFORE doing step 2, as you'll need the database credentials and information, present in this file, to put into the new wp-config.php file, prior to uploading it

Please note, once this is done, you will need to re-install any plugins you had installed.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 08:58:25 pm
Reply #17

garethplu

  • Jr. Member

  • Offline
  • **

  • 12
Sorry Steve,

I've had a good look and I dont recognise this file or anything based on "wwwroot" or "public_html" : "htdocs/wwwroot/public_html"

I notice the zip file is of 2.7.1 which I have installed (this install led to the problem)

Many thanks for the help your giving by the way.

May 20, 2009, 09:11:20 pm
Reply #18

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
No problem.

If you'd prefer I do it for you, please e-mail me at;

mdl @ it-mate.co.uk

The only thing I'll need is your FTP credentials.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 21, 2009, 05:09:51 pm
Reply #19

garethplu

  • Jr. Member

  • Offline
  • **

  • 12
Hi,

This is what my host came back to me with:

"I visited and checked your website www.stadiatech.com but it does not
prompt for a virus threat and also the site loads just fine. It did not
even tried to redirect the page to  martuz.cn."

I'm starting to find this very stressful.  I dont know why my host cant find the problem and fix it.

May 21, 2009, 05:15:34 pm
Reply #20

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I've just checked, and the problem is definately still there. Either they didn't look properly, used a browser with JS disabled, or both. Feel free to point them here if need be;

http://vurl.mysteryfcm.co.uk/?url=625774

The script is on line #39
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 21, 2009, 05:28:40 pm
Reply #21

garethplu

  • Jr. Member

  • Offline
  • **

  • 12
Thats whats they told me on the Wordpress website but I cant find that code. 

If I delete that will it sort this problem?

Thanks.

May 21, 2009, 05:36:27 pm
Reply #22

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
You could just delete the code, yes (see /wp-content/themes/{theme}/header.php), however, these types of attacks have usually seen extra files added, so they can still get in even when the FTP password is changed, so it's a much better idea just to do a complete refresh.

As mentioned, we'll be happy to help you do this if necessary :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 21, 2009, 09:15:40 pm
Reply #23

garethplu

  • Jr. Member

  • Offline
  • **

  • 12
Thanks Steve, so how did the code get in their.   Is it a virus and does it have a pirticular purpose.  Is their way of ensuring it doesn't happen again. 

How did you get so knowledgable about this stuff?

May 21, 2009, 10:01:23 pm
Reply #24

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Most of the gumblar/martuz infections, are done by sniffing the computer that usually connects to it, for FTP etc passwords (which also means you'll need to check your machine), for details, please refer to;

http://www.malwaredomainlist.com/forums/index.php?topic=2892.msg9833#msg9833
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

One of the samples we've seen, have shown it to create both a _.exe and e.bat file (amongst other things) in the root of the infected machine (usually C:\), so it will be worth checking your machine for signs of this infection. For details, please see;

http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39f

As far as prevention of this happening again, there are a couple of things you can do;

1. Change your FTP password (I know you've done that already, but I suggest doing it frequently (at least weekly))
2. DO NOT use regular FTP as passwords are sent in plain text - use sFTP (Secure FTP) instead if your host allows it
3. Backup your site frequently - this way, if it does happen again, you can just delete the current files, and restore the backup (again, the backup should be stored in a secure location)
4. Keep your computer up to date (e.g. install Windows patches and such) - not guaranteed to prevent it, but will help
5. Install a firewall on your local computer (this will also help prevent infections sending out your data - again not a guarantee, but will help)

Finally, and most importantly - keep WordPress (and any plugins you have installed) up to date - this will help prevent infections occuring via SQL injection etc.

Again however, none of the above will guarantee to prevent this occuring again - there are no guarantees when it comes to this type of thing unfortunately.

As for how I became knowledgeable, I'm self taught ;) (you'll usually find this is the same for the vast majority of people)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 22, 2009, 04:35:48 pm
Reply #25

garethplu

  • Jr. Member

  • Offline
  • **

  • 12
Thanks Steve,

I have now recived an email from Google.

Thanks for your advice but how do I follow points 2 and 3.

What is Secure FTP and how do I backup the site?

May 22, 2009, 05:02:56 pm
Reply #26

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
sFTP is done in pretty much the same fashion as FTP;

http://winscp.net/eng/docs/protocols#sftp
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

With regards to backing up your site, the easiest way to backup the files, is by FTP. Your sites database can be backed up either via the WordPress ACP, or via phpMyAdmin (if you've got it installed on the server)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net