Has this happened to anyone?

Joined
Oct 7, 2014
Messages
50
Likes
7
Degree
0
So, somehow, my site got hacked and now there are trojans on it. But there is no mention of it in webmaster tools. I used this site: http://sitecheck.sucuri.net/ and it then told me it's in some of the JavaScript files. Does anyone know what to look for in a "suspicious java file"? Thanks.
 

Sobol

Building the Daemon
Joined
Oct 11, 2014
Messages
26
Likes
20
Degree
0
It hasn't happened to me, but my initial guess is a cookie stealer.
 

CCarter

If they cease to believe in u, do u even exist?
Staff member
BuSo Pro
Boot Camp
Digital Strategist
Joined
Sep 15, 2014
Messages
2,180
Likes
4,986
Degree
6
Yeah, look at the recent modified dates of all the JavaScript files that are running. Hopefully you have a local version you can compare to, but if not, just sort the directory in your FTP program by modified date, and see what's up with the most recently updated ones (edited by a hacker).
 

RiverStyx

Boot Camp
Joined
Oct 10, 2014
Messages
212
Likes
152
Degree
1
I had that problem once upon a time. I went to my host about it as I was told the problem was on their server... the host just denied anything was wrong. That was the last time I dealt with eukhost.
 
Joined
Oct 7, 2014
Messages
50
Likes
7
Degree
0
So, I did a fresh install on WordPress and I'm still getting the problem. I'm going to try to delete some plug-ins and see if that fixes the problem.
 

CCarter

Did you "DELETE" all the files or do a replace? Also, it could be your theme is compromised, 'cause you said JavaScript files.
 

SmokeTree

Developer/Linux Consultant
BuSo Pro
Digital Strategist
Joined
Sep 23, 2014
Messages
211
Likes
375
Degree
1
One thing I've done in the past and still employ sometimes is to use inotify to watch files and directories for changes. Timestamps are OK for more of a basic check to see if something has changed, but there is always the possibility of someone gaining access to the touch command (or uploading a custom shell), allowing them to change the timestamp itself (modified time included). You could write a script that would watch whatever files or directories you wanted and, if there is a change, immediately take some kind of action, which could be as simple as sending you an email, writing to a log file, releasing the kraken, etc. The script would run as a separate user set up for the purpose and run outside of webserver file space. I mostly code in Ruby so I use https://github.com/nex3/rb-inotify but you can find wrappers in other langs. If you are just looking for a way to see differences in a directory, you could use a tool like http://meldmerge.org/

Also, now would be a good time to do a security audit of your server and make sure file permissions, basic security and the like are in check.
 

CCarter

No offense to OP, but if he can't find simple compromised files by digging into the source code or by FTP - there is little likelihood he'll be able to do a security audit of his server. That's sort of something you should get an expert to do, or at least point him to a beginner's guide to help him understand why he should get an expert to do it for him.

The way it was compromised hasn't even been discovered 'cause he is still looking for the files that are trouble. It might be on a shared hosting where all sites on the server are compromised and it's the hosting company's fault.
 
Joined
Oct 7, 2014
Messages
50
Likes
7
Degree
0
@CCarter I would not say I'm so experienced in using FTP. But I had two of my friends look at it, who are pretty experienced using FTP servers, and this is kind of a last resort to check plugins.
 

Ryuzaki

女性以上のお金
Staff member
BuSo Pro
Digital Strategist
Joined
Sep 3, 2014
Messages
3,405
Likes
6,210
Degree
7
You've definitely narrowed it down. If it's not in the WordPress install, then it's the theme or plugins. You can use the process of elimination to sort it out. You COULD just search for all JavaScript files and then sort by last modified date, like @CCarter said. That'll be your fastest and easiest path. You'd probably want to log into cPanel and use the file manager, versus FTP, assuming you have cPanel.
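
The comparison against a known-good local copy suggested in the thread, done by file content instead of modified date because a timestamp can be reset with touch. This is an added example, not part of any post; the directory layout and file names are constructed for the demo.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Relative path => SHA-256 for every .js file under root (dot-directories included).
def js_manifest(root)
  Dir.glob("**/*.js", File::FNM_DOTMATCH, base: root)
     .select { |rel| File.file?(File.join(root, rel)) }
     .to_h { |rel| [rel, Digest::SHA256.file(File.join(root, rel)).hexdigest] }
end

# Compare a known-good copy with the live tree by content, ignoring timestamps.
def compare_trees(clean_root, live_root)
  clean = js_manifest(clean_root)
  live  = js_manifest(live_root)
  {
    modified: (clean.keys & live.keys).reject { |f| clean[f] == live[f] }.sort,
    added:    (live.keys - clean.keys).sort,
    missing:  (clean.keys - live.keys).sort
  }
end

# Constructed demo: two throwaway trees stand in for the local copy and the server.
def demo
  Dir.mktmpdir do |dir|
    clean = File.join(dir, "clean")
    live  = File.join(dir, "live")
    FileUtils.mkdir_p(File.join(clean, "theme/js"))
    File.write(File.join(clean, "theme/js/main.js"), "console.log('menu');\n")
    File.write(File.join(clean, "theme/js/slider.js"), "console.log('slider');\n")
    FileUtils.cp_r(clean, live)

    # Change one live file, then reset its mtime to the clean copy's value,
    # which is what the touch command would allow.
    target = File.join(live, "theme/js/main.js")
    File.write(target, "/* constructed extra line */\n", mode: "a")
    stamp = File.mtime(File.join(clean, "theme/js/main.js"))
    File.utime(stamp, stamp, target)
    File.write(File.join(live, "theme/js/extra.js"), "/* constructed new file */\n")

    # Same mtime (to the second), so sorting by date would not surface the edit.
    same_mtime = File.mtime(target).to_i == stamp.to_i
    compare_trees(clean, live).merge(same_mtime: same_mtime)
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

For a real check, call `compare_trees` with a freshly downloaded copy of the theme and plugins as the clean root and a download of the live site as the second argument.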