# Site visitor says my site gave her a trojan virus - any way to check?



## canderson00 (Aug 15, 2011)

I don't believe my site's responsible, but of course want to do my due diligence to confirm. The visitor said she went from Facebook directly to my site (pixelkickmedia.com) and received a Trojan popup message while on my site (20-30 seconds after it loaded). 

I do not have any advertising on the site, and it's a WP-based site with very few plugins, and nothing is amiss in the file directory. 

I submitted the site to AVG and VirusTotal and they came back clean, but is there any more definitive way of checking that my site is clean?

Several friends who've visited haven't received any messages, nor have I. The site again is pixelkickmedia.com.

Edit: A friend just went and told me he got the following message: 

web attack: exploit Kit Variant 11 detected.

Any ideas? :/


----------



## wmorri (May 29, 2008)

Hi,

Can you ask your friend what browser they are using and then exactly how they are trying to get to the site. Another thing would be the url that is being given. We can try and figure out if there is a redirect in it somewhere.

Cheers!


----------



## canderson00 (Aug 15, 2011)

My friend who just received this message (about 30 minutes ago) is using Firefox's latest version (7.0.1). The site was accessed through the direct URL (typed via gchat) as pixelkickmedia.com. 

The other person who got this over the weekend typed pixelkickmedia.com directly into the address bar, but I'm not sure what browser she's using. 

Thank you for your help. The site itself is WordPress 3.2.1 (also the most up-to-date).


----------



## canderson00 (Aug 15, 2011)

My friend said he loaded the site again and saw it pulling from a server ending in .ru and .cc, but he went back a few times and it didn't happen again. Totally random, he said.

Just posting that to give more info ...


----------



## reventon (Oct 16, 2009)

I just went to the site and saw it trying (unsuccessfully, thanks to an add-on) to pull a bit of javascript from what looked like *ogre.pl*.

Unfortunately I wasn't logging requests in Firebug at the time, so the exact URL was not recorded, and subsequent refreshes have not resulted in any more requests. It does appear to be completely random.

I will try a few more refreshes over the next few hours and see if anything turns up.

Here's something you can do on your end, download the entire website to a local directory.

Then navigate to that directory in a cmd line window (start -> type *cmd.exe* press enter):

For example, if you saved the site to your desktop and your username was canderson00:

```
cd C:\Users\canderson00\Desktop\site
```
And run this *findstr* command:

```
FINDSTR /S /R /I /M /C:"\.cc" *.*
```
That command will return a list of files which have the string ".cc" in them. Also run the same command with ".cc" changed to ".ru" and ".pl" to check for files containing them.

Now, there may be a lot of false matches. Windows' built-in regular expression search doesn't have all the features other regular expression tools do, but it's built in, so I know you have access to it. Go through the files it lists and use the search in Notepad (or your editor of choice) to find the matching text in each file.

Let us know how you get on.


----------



## canderson00 (Aug 15, 2011)

OK, thanks. I'm dl'ing the directory now (it'll take some time, my current connection's painfully slow!). Will post back when it's all done and I've completed the requested search. 

This is depressing.


----------



## canderson00 (Aug 15, 2011)

While I've been transferring the entire public_html directory, Avast popped up a threat (it says it was blocked).

Avast message says: infected file located users/canderson/desktop/public_html/ALLFILES/public_ftp/msf.exe

I browsed to the ALLFILES (which I have no idea what that folder is, btw, I didn't manually create it ... ) via Filezilla and then to public_ftp, and there were two items. One was the normal "incoming" folder and then the msf.exe file, dated 6/15/2011.

So whatever that file is, I'm assuming WP is calling it somewhere?


----------



## canderson00 (Aug 15, 2011)

One more note (sorry for the barrage!), I navigated via cmd to the public_html folder on my desktop and ran the command:


```
findstr /s /r /i /m /c:"\.cc" .
```
And it returned nothing at all. I did the same search with .ru and .pl and it too returned nothing. In fact, the cmd just spaced down a line and didn't return to the desktop\public_html root directory I navigated to originally.
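The findstr procedure from the earlier post and the command that stalled here are the same job: a recursive text search of the downloaded tree. Note that findstr's last argument is a file mask such as `*.*`, not a directory, so the `.` form above never searched the files. As an added example (not from the thread; every path and file content below is constructed for the demo), this Python script does the same search but only matches hostname-shaped tokens ending in .ru, .cc or .pl, which drops most of the substring false matches findstr produces, and it reports file, line and host so each hit can be checked in an editor.

```python
"""Find references to hosts under suspect TLDs in a downloaded site tree.

Added example (not from the thread). Equivalent in spirit to
  FINDSTR /S /R /I /M /C:"\.cc" *.*
but matches hostname-shaped tokens only, so "$obj.ccNum" or "foo.class"
style substrings are not reported, and it prints file:line:host.
All paths and file contents built in demo() are constructed for the demo.
"""
import os
import re
import tempfile

SUSPECT_TLDS = ("ru", "cc", "pl")

# One or more DNS labels followed by a suspect TLD; the lookbehind/lookahead
# refuse matches that are part of a longer word ("obj.ccNum") or hostname.
HOST_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9-]+\.)+(?:" + "|".join(SUSPECT_TLDS) + r"))(?![\w-])",
    re.IGNORECASE,
)

# Only text-type files are worth reading; "" covers dotfiles like .htaccess.
TEXT_EXTS = {".php", ".js", ".html", ".htm", ".css", ".txt", ".inc", ""}


def scan_file(path):
    """Return (path, line_number, host) for every suspect host in one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in HOST_RE.finditer(line):
                    hits.append((path, lineno, m.group(1).lower()))
    except OSError:
        pass  # unreadable file: skip it rather than abort the whole scan
    return hits


def scan_tree(root):
    """Walk root recursively (like findstr /S) and collect hits from text files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEXT_EXTS:
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


def demo():
    """Build a small constructed site tree, scan it, return hits relative to root."""
    root = tempfile.mkdtemp(prefix="site-")
    samples = {  # constructed for the demo, not real site content
        "wp-content/themes/dropholio/footer.php":
            '<?php wp_footer(); ?>\n'
            '<script src="http://evil-ads.cc/c.js"></script>\n',
        ".htaccess":
            "RewriteEngine On\n"
            "RewriteRule ^(.*)$ http://search-mirror.ru/$1 [R,L]\n",
        "wp-includes/clean.php":
            "<?php\n$url = 'http://example.com/x.css';\n$n = $obj.ccNum;\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return sorted(
        (os.path.relpath(p, root).replace(os.sep, "/"), n, h)
        for p, n, h in scan_tree(root)
    )


if __name__ == "__main__":
    for rel, lineno, host in demo():
        print(f"{rel}:{lineno}: {host}")
```

Point `scan_tree()` at the downloaded public_html folder instead of the demo tree to run it for real. A hit in `.htaccess` or a theme file is worth opening immediately; a hit in a comment or a version string in a plugin's readme is the kind of false match findstr would also have produced.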


----------



## Laxer (Dec 28, 2010)

WP would not be calling an EXE.

Delete it remotely and see if you get any errors with WP.

If not change your password and update WP if you can.


----------



## Amd_Man (Jan 27, 2009)

I just went to your site and my AVG flagged a Blackhole exploit. See attached pic below.


----------



## canderson00 (Aug 15, 2011)

OK, thank you both for the reply. I have deleted the ALLFILES folder remotely, and have changed my cpanel and WP passwords. 

The ALLFILES folder was from a site I had saved for a client, and those files were infected (which caused my computer to be infected in August). I'm assuming that infection somehow worked into WordPress. 

Can anyone tell me if they're seeing anything amiss on WP now (ie if it's giving any warnings, calling any crazy .ru, .cc, .pl, etc files? And if so, what steps should I take next to clear up the WP files?

Thanks,
Chris


----------



## Laxer (Dec 28, 2010)

I get no flags anymore....

I checked WP initially and was unable to find a reference to anything _bad_.

I think the WP files are fine but I will look around...

Try to update if you can as well; an update should clear any junk installed by hardcoding.


----------



## canderson00 (Aug 15, 2011)

Thanks. WP is already updated to its latest version (3.2.1), as are all my plugins and theme. 

I appreciate you poking around. I'm a designer and the file reading is a bit beyond me, so I greatly thank you all for poking around and seeing if that one file removal has solved the issue. Would my SQL database perhaps be compromised, or are all the flags seen more file-related than database-related?


----------



## Laxer (Dec 28, 2010)

I can't see the SQL DB, but I doubt it's a problem...

You can look at each of the tables and see if any of them are huge(size wise)...

In order to store the EXE in SQL it would have to be broken down to base64, making the file size really large.

Flags would be from the file, as local machines can't read the DB directly.
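The size check above catches a binary stuffed into a table. As an added example that goes a step beyond it (not from the thread; the dump text is constructed, not the poster's database), the script below reads a phpMyAdmin/mysqldump export of the WordPress tables and reports the more usual database-side injection: script tags loading external JS, iframes, or eval()/base64_decode() strings stored in wp_posts or wp_options, plus the stored siteurl/home option values, which a hijack changes to send visitors elsewhere. Export the database from phpMyAdmin in cPanel and run the script against the .sql file.

```python
"""Audit a WordPress SQL export for injected content.

Added example (not from the thread). Scans a mysqldump/phpMyAdmin export
line by line, tracking which table each INSERT targets, and reports:
  * script tags loading external JS, iframes, eval()/base64_decode() calls
  * the stored values of the 'siteurl' and 'home' options
The dump in SAMPLE_DUMP is constructed for the demo.
"""
import re
import sys

INSERT_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)
INJECT_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//[^\"'\s>]+"  # external JS
    r"|<iframe\b[^>]*"                                          # any iframe
    r"|\beval\s*\("                                             # eval(
    r"|\bbase64_decode\s*\(",                                   # base64_decode(
    re.IGNORECASE,
)
# phpMyAdmin row syntax for wp_options: (id, 'option_name', 'option_value', ...)
SITE_OPTION_RE = re.compile(r"\(\s*\d+,\s*'(siteurl|home)',\s*'([^']*)'", re.IGNORECASE)


def audit_dump(text):
    """Return (findings, site_options).

    findings: list of {'table', 'line', 'match'} for each injected-looking fragment
    site_options: {'siteurl': ..., 'home': ...} as stored in the dump
    """
    findings, site_options = [], {}
    table = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)  # rows that follow belong to this table
        if table and table.endswith("_options"):
            for name, value in SITE_OPTION_RE.findall(line):
                site_options[name.lower()] = value
        for hit in INJECT_RE.finditer(line):
            findings.append({"table": table, "line": lineno, "match": hit.group(0)[:80]})
    return findings, site_options


SAMPLE_DUMP = """\
-- constructed sample, phpMyAdmin one-row-per-line style
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`, `autoload`) VALUES
(1, 'siteurl', 'http://example.com', 'yes'),
(2, 'home', 'http://example.com', 'yes'),
(40, 'widget_text', 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:47:"<script src="http://evil-ads.cc/c.js"></script>";}}', 'yes');
INSERT INTO `wp_posts` (`ID`, `post_author`, `post_content`, `post_status`) VALUES
(12, 1, 'Welcome to the site.', 'publish'),
(13, 1, 'Our work <iframe src="http://search-mirror.ru/" width="1" height="1"></iframe>', 'publish');
"""


if __name__ == "__main__":
    # usage: python audit_dump.py backup.sql   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    findings, opts = audit_dump(text)
    print("siteurl/home:", opts)
    for f in findings:
        print(f"{f['table']} line {f['line']}: {f['match']}")
```

If siteurl or home point anywhere other than your own domain, or a widget_text/post row carries a script or iframe you didn't put there, the database is part of the problem and cleaning files alone won't hold.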


----------



## canderson00 (Aug 15, 2011)

My SQL database has 12 tables, the largest being WP Options at 653 KiB. The next biggest is WP Posts at 80 KiB, and the rest are in the single digits. 

Would 653 KiB for WP Options be considered huge? I'm guessing not, but I'll defer to your judgment.


----------



## Laxer (Dec 28, 2010)

Nope, you're good... that sounds about normal :grin:


----------



## canderson00 (Aug 15, 2011)

Thanks! 

So ... do you guys believe my site's clean now? I certainly hope so - I really, really hate the thought of infecting any of my current or future clients. And myself, again!


----------



## canderson00 (Aug 15, 2011)

... I meant to ask this question as well: Even though I deleted the directory where the infected .exe is, I'm not sure at all how that makes my WP installation safer. The directory with the .exe was different from the WP directories, so the call from WP has to be something within those files. Correct?

Sorry for what I'm certain are rudimentary questions.


----------



## Laxer (Dec 28, 2010)

I get a database error now when visiting your site....

and no, not necessarily...

I don't know how browsers check for "safe" content but it may have just seen the exe on the server and flagged it as a whole...


----------



## canderson00 (Aug 15, 2011)

Oops, fixed that! Hadn't updated the configuration file.

I went to the site in my phone, and it redirected to celebrity-gossip.com, so it's definitely still infected. 

Any steps to direct me to?


----------



## Laxer (Dec 28, 2010)

I will look at it closer tonight.

Can you post the server config files here? (php.ini, .htaccess...)

You should be able to find them in the root of your server.


----------



## canderson00 (Aug 15, 2011)

I've attached the htaccess and wp-config (took out the database info, of course). I see no php.ini file in the root or in any WP folder, though.

Besides the attached files, these are what I have within the root folder:

wp-rdf.php
wp-rss.php
wp-atom.php
wp-rss2.php
wp-commentsrss2.php
wp-feed.php
wp-blog-header.php
wp-register.php
index.html_
wp-pass.php
wp-cron.php
index.php.php
wp-links-opml.php
wp-load.php
wp-config-sample.php
xmlrpc.php
wp-trackback.php
wp-comments-post.php
wp-activate.php
wp-mail.php
wp-settings.php
license.txt
wp-signup.php
error.log
wp-login.php
wp-app.php

If you need to see any of 'em, let me know! 

I have gone back several times and not been redirected, then was once. I just went back and saw it trying to load iframe junk to weird search sites.

It is, as mentioned before, completely random. I can't locate anything that seems amiss though ... looking forward to your thoughts!


----------



## Laxer (Dec 28, 2010)

Files are clean...

*Good and bad news...*

The infection must be coming from server-side code.... (most likely PHP)

Before we do anything...

Check your WP accounts and make sure you know all of them...

If you don't recognize any of them delete them immediately.
NEXT, If you have your site backed up locally upload this entire folder: */wp-content/themes/dropholio/style/*

Check to see if you still get any errors... if you do, read below:

Next step is all based on you...

You could scan the php files manually and look for the infection... It is most likely in a theme file... It would stand out like a sore thumb if you found it...

Second is backing up your site and re-installing WP... I would hate to see this happen so I suggest looking through your site to see if you can find any code that looks weird...

If you find something that doesn't look right please post it here....

More info: FAQ My site was hacked « WordPress Codex
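The two suggestions above, re-upload the theme folder from a clean local copy and read through the PHP for code that stands out, can be made mechanical. As an added example (not from the thread; both directory trees are constructed, and the injected file name `style/.cache.php` and its contents are made up, the theme folder name `dropholio` is the one mentioned above), this script diffs the server download against the clean copy by SHA-256 so added and modified files surface without reading everything, then runs indicator checks only over the files that differ: eval(base64_decode())-style chains, preg_replace with the /e modifier, long base64 literals, and the conditional-redirect idiom (a redirect that fires only when the referer is Facebook or a search engine, on a mobile user agent, or on a random draw), which is the pattern behind the "completely random" behaviour described earlier in the thread.

```python
"""Diff a downloaded site against a clean copy and flag suspicious PHP.

Added example (not from the thread). Two checks:
  1. diff_trees(): SHA-256 compare of clean vs server -> added/modified/removed
  2. php_indicators(): heuristics for obfuscated PHP and conditional
     (referer / user-agent / random) redirects in .php and .htaccess text
audit() runs the indicators only over files the diff surfaced, so
legitimate core code that uses HTTP_REFERER or header('Location') is not noise.
Both trees built in demo() are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

INDICATORS = {
    "eval_obfuscated": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# a redirect, in PHP or in .htaccess, that sends the visitor to an absolute URL
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location|RewriteRule\s+\S+\s+https?://", re.I)
# conditions that make such a redirect fire only for some visitors some of the time
COND_SOURCES = {
    "referer_conditional_redirect": re.compile(r"HTTP_REFERER", re.I),
    "useragent_conditional_redirect": re.compile(r"HTTP_USER_AGENT", re.I),
    "random_redirect": re.compile(r"\b(?:mt_)?rand\s*\(", re.I),
}


def php_indicators(text):
    """Return the names of every indicator that fires on one file's text."""
    names = [n for n, rx in INDICATORS.items() if rx.search(text)]
    if REDIRECT_RE.search(text):
        names += [n for n, rx in COND_SOURCES.items() if rx.search(text)]
    return names


def _hashes(root):
    """Map relative path -> sha256 for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_trees(clean_root, server_root):
    clean, server = _hashes(clean_root), _hashes(server_root)
    return {
        "added": sorted(set(server) - set(clean)),
        "removed": sorted(set(clean) - set(server)),
        "modified": sorted(p for p in set(clean) & set(server) if clean[p] != server[p]),
    }


def audit(clean_root, server_root):
    """Diff the trees, then scan only added/modified PHP and .htaccess files."""
    diff = diff_trees(clean_root, server_root)
    flagged = {}
    for rel in diff["added"] + diff["modified"]:
        name = os.path.basename(rel)
        if name.endswith(".php") or name == ".htaccess":
            with open(os.path.join(server_root, *rel.split("/")), encoding="utf-8", errors="replace") as fh:
                hits = php_indicators(fh.read())
            if hits:
                flagged[rel] = hits
    return diff, flagged


def _write_tree(root, files):
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


# constructed clean backup: an ordinary theme plus WordPress's usual .htaccess
CLEAN = {
    "wp-content/themes/dropholio/functions.php":
        "<?php\nrequire_once (FUNCTIONS_PATH . 'dropholio-functions.php');\n"
        "require_once (FUNCTIONS_PATH . 'shortcodes.php');\n",
    "wp-content/themes/dropholio/header.php": "<!DOCTYPE html>\n<html><head><?php wp_head(); ?></head>\n",
    ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
}
# constructed server copy: header prepended with a referer+random redirect,
# a dropped obfuscated file, and a mobile-only rewrite appended to .htaccess
SERVER = dict(CLEAN)
SERVER["wp-content/themes/dropholio/header.php"] = (
    "<?php if (isset($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], 'facebook') !== false\n"
    "    && rand(0, 3) == 0) { header('Location: http://search-mirror.ru/'); exit; } ?>\n"
    + CLEAN["wp-content/themes/dropholio/header.php"])
SERVER["wp-content/themes/dropholio/style/.cache.php"] = "<?php eval(base64_decode('aWYoMSl7fQ=='));\n"
SERVER[".htaccess"] = CLEAN[".htaccess"] + (
    "RewriteCond %{HTTP_USER_AGENT} (iphone|android) [NC]\nRewriteRule ^(.*)$ http://search-mirror.ru/ [R,L]\n")


def demo():
    clean, server = tempfile.mkdtemp(prefix="clean-"), tempfile.mkdtemp(prefix="server-")
    _write_tree(clean, CLEAN)
    _write_tree(server, SERVER)
    return audit(clean, server)


if __name__ == "__main__":
    diff, flagged = demo()
    print(diff)
    for rel, hits in flagged.items():
        print(rel, "->", ", ".join(hits))
```

Point `audit()` at your local backup and the downloaded public_html to use it for real. The unchanged functions.php is never scanned, so its require_once lines produce nothing; the three files the attacker touched each come back with the reason they look wrong, which is the list to fix or replace before changing passwords again.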


----------



## canderson00 (Aug 15, 2011)

Thanks. There were no additional users, so I am safe there.

I looked through the PHP files and honestly didn't see anything that appeared to be too crazy, though. I'm strongly, strongly considering blowing everything out and reinstalling WP, the theme and plugins. 

:/ The site's not huge, so it wouldn't take a crazy amount of time in actuality.


----------



## Laxer (Dec 28, 2010)

Did you reupload the themes folder with your local copy?

Doing this will remove any issues that they may have added in without the need to look through the code.


----------



## canderson00 (Aug 15, 2011)

I did - actually cleaned out a ton of stuff just to be safe.

If you don't mind, poke around (note the Our Work section is blank, I'm redoing it) Pixel Kick Media | Good design is good business and let me know if it's clean on your end. It looked good to go for me!


----------



## Laxer (Dec 28, 2010)

I clicked through it briefly and was unable to get redirected...

Not saying its clean yet but it is _cleaner._

Install this plugin: WordPress › AntiVirus « WordPress Plugins

and scan your theme file.

I am going out of town until tomorrow night so that should allow enough time for you to get things set up and tested.


I am looking for a tool I ran across a while back that scans the php files, but I have been unsuccessful. I will let you know if I find it.


----------



## canderson00 (Aug 15, 2011)

I ended up blowing everything out and fresh installing everything actually, so if I'm infected still I'll be quite confused! Will install the plugin and report back. Have a safe trip!


----------



## Laxer (Dec 28, 2010)

canderson00 said:


> I ended up blowing everything out and fresh installing everything actually, so if I'm infected still I'll be quite confused! Will install the plugin and report back. Have a safe trip!


Even if not, it's a good plugin to have. It will send you an email every day with a brief report.

you can just send this to a junk email and monitor it from time to time.

It will give you an exact date of an error making it much easier to diagnose.

You got your site up very quickly! *Nicely done!*

let me know if anything else comes up.


----------



## canderson00 (Aug 15, 2011)

I've installed the plugin, thanks for the heads up on it. It flagged 10 lines in my theme's functions.php file, which are these lines:



> require_once (FUNCTIONS_PATH . 'dropholio-functions.php');
> require_once (FUNCTIONS_PATH . 'dropholio-portfolio.php');
> require_once (FUNCTIONS_PATH . 'dropholio-gallery.php');
> require_once (FUNCTIONS_PATH . 'shortcodes.php');
> ...


I'm assuming this file is safe, but do these links look strange to you?

Feel free to poke around my site and let me know if you notice anything (you shouldn't). 

And mostly what you think of it thus far.


----------



## Laxer (Dec 28, 2010)

The code you provided is fine.

It is just a bunch of false-positives from your theme.

I think the site looks nice, lots of _flashy_ items...

which is fine since you are somewhat "advertising" and care more about looks than load times.

If you would like more reviews on your site please post it here: http://www.techsupportforum.com/forums/f185/


----------



## canderson00 (Aug 15, 2011)

Sweet! Once I get the portfolio finished I'll post for critiques in that forum. Greatly appreciate your help, sir.


----------



## Laxer (Dec 28, 2010)

No problem,

Sorry we ended up having to clean install :frown:

looking forward to seeing your finished product!

Good luck :wave:


----------



## canderson00 (Aug 15, 2011)

No worries, my fault for not having a safe backup (though I think the infection had been around for a while and just got activated this past week). New clean backups tucked safely away on an external drive!


----------



## Laxer (Dec 28, 2010)

canderson00 said:


> No worries, my fault for not having a safe backup (though I think the infection had been around for a while and just got activated this past week). New clean backups tucked safely away on an external drive!


Good move :grin:

make sure to backup periodically so you don't have to go back to square 1 in the future.


----------



## Amd_Man (Jan 27, 2009)

I'd like to chime in that, I really appreciate you keeping a clean website. It's a battle to say the least and you are on top of it. Great advice from Laxer too.


----------

