Saturday, 31 January 2015

Website infected with unwanted "redirections", apparently via javascript code



I'm working on a client's website, and I realize they've been compromised. Earlier today there was a major problem with a PHP eval(base64_decode issue. That was cleaned up via Andy Stratton's clean.php repair (which searches for infected files and then deletes them). The website was rebuilt with virgin WordPress code and a trusted theme. 12 hours later I'm seeing lots of unwanted redirects. The redirects are going to an odd site overseas somewhere. In fact, redirects may not be the correct term. I can see all of the original site's content loading up in the developer tools, and at the end of the load it grabs an image and a music player, and pastes up a simple HTML page. The image is http://ift.tt/1velH2t (the displayed URL was the original selected on the site).




As I do just a bit of testing, I find that the issue seems to be related to JavaScript. If I turn off JS, there are no redirects. Here are my questions: Can I use the JS tools in Chrome to identify which file is most suspect (pause on exceptions, etc.)? Is there any way to scan all the files to look for evil JS code? I've tried the common tools and locations to review, to no avail. It's definitely not a .htaccess issue.


I'm very curious whether I might be able to step through the JavaScript code in Chrome and see where things go astray. I suspect the fix for this is to wipe the VPS and reinstall, but in the meantime, I'm curious. Can I detect where the evil code is located?


And note, I don't have complete access to the server. I only have simple cPanel and FTP access. Additionally, the site is being served through CloudFlare. Many thanks for your help.


Update: We've figured out where the errant code was located. It was in the MySQL database, in a cell normally reserved for widget content. The code was quite large: 1530 lines of gobbledygook. Some words in the clear, others in cryptic code. It's heavily obfuscated, with lots of : and ; elements. Apparently this customer has been hit before; their current web guy wants to throw band-aids at the site. I think I've convinced the business owner to put his business elsewhere and secure everything.


One question. Because the database is compromised, is there a safe way to clone the site on a new server? I guess I can search the DB for familiar patterns based on this one block of code, but that really isn't robust. I know I can create a content XML backup from the admin control panel --> Export. The format is actually called WordPress eXtended RSS, or WXR, and it will contain posts, pages, comments, custom fields, categories, and tags. I can review those entries visually to see if things make sense.


Any other ideas on cloning a site with at least one virus in the DB?


Also, is there a repository for legitimate folks chasing down viruses, for submitting this example of recent JavaScript activity? Obviously I'm not going to post it here, to avoid giving others a chance to create more. E.g., do I submit the code to folks like sucuri.net or somewhere else?
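A worked example of the "search the DB for familiar patterns" idea raised in the update, added here as illustration; it is not code from the original post or from any tool named in it. It scans two sources the poster has access to through cPanel: a WXR export (posts, pages and comments) and rows pulled from the wp_options table, which is where WordPress stores text-widget content (serialised under the option name `widget_text`; WXR does not include widgets, so an export alone would miss the payload found here). The WXR namespaces and the `widget_text` layout are real WordPress conventions; the sample export, the sample option rows, the marker list and the entropy threshold are constructed assumptions for this example, not signatures of the actual payload.

```python
"""Flag injected JavaScript/PHP in WordPress content (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from math import log2

# Namespaces WordPress emits in a WXR export.
NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.2/",
}

# Markers commonly seen in injected droppers (assumed heuristic list).
SUSPICIOUS = {
    "script-tag": re.compile(r"<script\b", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"base64_decode"),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "hex-escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def shannon_entropy(text):
    """Bits per character; obfuscated blobs run well above plain prose."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * log2(c / n) for c in Counter(text).values())


def analyse(text, entropy_threshold=5.0, min_len=500):
    """Return the reasons a blob looks injected; an empty list means clean."""
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    # Long, high-entropy content catches obfuscation the marker list misses.
    if len(text) >= min_len and shannon_entropy(text) > entropy_threshold:
        reasons.append("high-entropy")
    return reasons


def scan_wxr(xml_text):
    """Return (post_id, title, reasons) for every WXR item that trips a rule."""
    hits = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        post_id = item.findtext("wp:post_id", default="?", namespaces=NS)
        title = item.findtext("title", default="")
        body = item.findtext("content:encoded", default="", namespaces=NS)
        reasons = analyse(body)
        if reasons:
            hits.append((post_id, title, reasons))
    return hits


def scan_options(rows):
    """rows: iterable of (option_name, option_value) copied from wp_options.

    Covers what a WXR export does not: serialised widget data such as the
    'widget_text' option where the poster found the payload.
    """
    hits = []
    for name, value in rows:
        reasons = analyse(value)
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed sample export: one clean page and one with an injected script.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
  <item>
    <title>About us</title>
    <wp:post_id>12</wp:post_id>
    <content:encoded><![CDATA[<p>We repair bicycles.</p>]]></content:encoded>
  </item>
  <item>
    <title>Contact</title>
    <wp:post_id>15</wp:post_id>
    <content:encoded><![CDATA[<p>Call us.</p>
<script>var h=String.fromCharCode(104,116,116,112);document.write(unescape("%3C%69%66%72"));</script>]]></content:encoded>
  </item>
</channel>
</rss>
"""

# Constructed wp_options rows: a clean option and a poisoned text widget.
SAMPLE_OPTIONS = [
    ("blogname", "Bike Shop"),
    ("widget_text", 'a:2:{i:2;a:3:{s:5:"title";s:5:"Hours";s:4:"text";'
                    's:56:"Mon-Fri 9-5<script>eval(base64_decode("aGk="));'
                    '</script>";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;}'),
]

if __name__ == "__main__":
    for post_id, title, reasons in scan_wxr(SAMPLE_WXR):
        print(f"post {post_id} ({title}): {', '.join(reasons)}")
    for name, reasons in scan_options(SAMPLE_OPTIONS):
        print(f"option {name}: {', '.join(reasons)}")
```

From phpMyAdmin in cPanel, a query such as `SELECT option_name FROM wp_options WHERE option_value LIKE '%<script%'` gives the first cut of rows to feed into scan_options, and the same LIKE filter on wp_posts.post_content and wp_comments.comment_content covers the tables a WXR export does draw from. Treat hits as leads to read by hand rather than verdicts: a legitimate theme or widget can carry a script tag, and an attacker can split markers across string concatenation, which is why the entropy rule is there as a second net.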




