Compromised website

My website has been getting virus warnings when connecting to it from various browsers on 2 different machines, so I scanned them both and found nothing. I concluded it was my website and contacted the host. They said it looks like my site had been compromised and advised to delete and re-install from backup. The thing is I didn't back it up as it's just pics and texts in WordPress. I downloaded the content of the site and scanned it for viruses and spyware and found nothing. What's the best way to be sure it's all clean so I can upload it again?

MW
 
If all the pictures and text are fine, delete everything on your site. Change the site password and then put the files back.
 
That's what I did. I haven't had any problems from my site directly, but when I clicked to reset my WordPress password it sent me an email, and when I clicked on the link in the email I got a virus warning before it emailed me a new password :/

MW
 
Do you have SSH access to the site at all?

May be worth jumping on a Linux box and going in to see what's happening - at a guess it will be an iframe or something that's trying to drop malware onto you and your visitors.

Failing that, download all the files via FTP to a Linux box (you probably could do it to Windows but that may add a bit of danger to it all in case it drops the malware on as well).

My email is in trust if you want a hand - be aware if you are on a shared host it may not be your site that allowed the attackers in, it may be another site on the box that has allowed them access to others, depends on how well the host has tied down the box.
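
One way to triage the downloaded copy for the kind of injected iframe suggested above, as an added example that is not part of the original thread. The rule names, the patterns and the sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules: assumptions chosen for this example, not a complete list.
RULES = {
    "hidden-iframe": re.compile(
        rb"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
        rb"|(?:width|height)\s*=\s*[\"']?[01]\b)", re.I),
    "eval-decode": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "write-unescape": re.compile(rb"document\.write\s*\(\s*unescape\s*\(", re.I),
}
PHP_EXT = {".php", ".phtml"}
TEXT_EXT = PHP_EXT | {".js", ".html", ".htm"}

def scan_tree(root):
    """Return (relative path, line number, rule) findings for files under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        # The uploads folder should hold media only, so any PHP there is suspect.
        if "wp-content/uploads/" in rel and ext in PHP_EXT:
            findings.append((rel, 0, "php-in-uploads"))
        if ext not in TEXT_EXT:
            continue
        for number, line in enumerate(path.read_bytes().splitlines(), 1):
            findings += [(rel, number, name) for name, rx in RULES.items() if rx.search(line)]
    return findings

def demo():
    """Scan a small constructed site copy (sample files, not from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
        (site / "footer.php").write_text(
            '<p>footer</p>\n<iframe src="http://example.invalid/" width="1" height="1"></iframe>\n')
        (site / "wp-content/uploads/cache.php").write_text("<?php eval(base64_decode('Li4u'));\n")
        (site / "wp-content/uploads/cat.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        return scan_tree(site)

if __name__ == "__main__":
    for rel, number, name in demo():
        print(f"{rel}:{number}: {name}")
```

Point `scan_tree()` at the folder holding the FTP download; each hit is a lead for manual review, and an empty result does not prove the copy is clean.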
 
How can I tell if I have SSH access? It's hosted with 123-reg.

I don't have dedicated hosting, so it's likely to be shared.

My response from the 123-reg was "It looks like your site has been compromised." and then went on to say remove the content and upload a backup and change your passwords. It was nice they responded so quickly (under 5 mins) but it was so quick it was almost like they didn't check.

MW
 
Can you link us to the site, but in a non-clickable form?

We can then advise what you need to remove code-wise to fix the problem.
 
I'm pretty sure all they did was go to your site and get a virus warning, otherwise they would have told you in what respect your site was "compromised".
 