0

A friend told me that the website of our association, here , got blocked by the corporate network of the company he is working for, due to malware (see picture below)

enter image description here

I've tried a few website like this one here and this one too , both are giving differents answers.

How can I know if our website got infested? Are there any reliable web based tools , I can use to figure it?

And if it was infected, how can I deal with that?

The page is powered by wordpress and I'm a total n00bs with wordpress e.g. any steps by steps hands on are more than welcomed.

Thanks in advance for any insights you will be able to provide me with.

Update: @Lukas helped me out and i've accepted his answer. Hence, I'm removing the website's url.

Andy K
  • 411
  • 1
  • 3
  • 11
  • 1
    Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Stephane Apr 26 '16 at 10:58

1 Answers1

2

I've taken a look at the website and I couldn't find any evidence that it has been hacked - however, this does not necessarily mean that the site is clean.

Norton claims that your site is a Web Attack: Mass Injection Website and has therefore put the site on a blacklist. This blacklist seems to be used by other services (like sucuri and maybe the company firewall you mentioned).

But Web-based tools can never be as exact as searching for malicious content by yourself. Therefore, it is better to have a closer look at the server and the files stored on it than wasting much time with online tests.

For you, the next steps could be:

  • Skim through all the files of your website. Find out if there are any suspicious PHP or JavaScript files. Open them in a text editor and review them: If the source is obfuscated like in this example, it is quite probably a backdoor: $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF3.$sF[11].$sF[8].$sF[10].$sF [...]

  • You should also check the log files (if your hoster provides them) and search for any php files accessed.

  • If you are not sure whether a file is suspicious, compare them with the files in a new Wordpress installation. You can download a zip file from wordpress.org for comparison.

  • Oh, and always keep Wordpress and its plugins and themes up-to-date. The website is currently not running the latest available version.

If you find a backdoor or other malicious code - then check out the thread How do I deal with a compromised server provided by Stephane.

Community
  • 1
Lukas
  • 3,138
  • 1
  • 15
  • 20
  • Hi @Lukas, how do I find this kind of string `$sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF3.$sF[11].$sF[8].$sF[10].$sF [...] ` in the php file? – Andy K Apr 26 '16 at 12:36
  • Hi, You need to get access to the files of your server. There are basically three methods: Access the files via FTP (or alike), access via some backend provided by the hosting provider or installing a file manager plugin in wordpress - eg [this](https://de.wordpress.org/plugins/file-manager/). Then you need to open each file with a text editor and skim it through. If you need further help, feel free to ask. – Lukas Apr 26 '16 at 12:44
  • Hi @Lukas, issue is I have 500 files or so ... I need help but more in learning how to do it – Andy K Apr 26 '16 at 12:45
  • If you have access to the log files, you could look for lines that contain the words "POST" and "php", and then review only these files. – Lukas Apr 26 '16 at 12:53
  • I wish but alas no @lukas – Andy K Apr 26 '16 at 12:55
  • Can you download all files to your local computer and search for "eval" in php scripts? Please note that "eval" is used heavily in javascript files - so you might want to exclude these. – Lukas Apr 26 '16 at 13:05