Malware??

  • danr

    #1600

    On Friday, I upgraded Graphene on one of my sites, http://www.cbpmagazine.com/blog. Over the weekend, Google started flagging the site as containing malware. Has anyone else had this problem? I can’t 100% blame it on Graphene, but updating the theme was really the only work I did on the site Friday.

    Ricardo

    #16436

    By the looks of it, I can say your site has been infected with malware (by a third party).

    I really don’t think this happened because you updated the theme.

    Google says that:

    In a 90 day period, your site has been reported 5 times

    3 pages also download malicious software to users without their approval from this source: kartfhffda.zapto.org (this was tested by Google). This source has infected 433 domains in total.

    I do want a second opinion on this one, but reinstalling WordPress and the theme and also changing all your passwords (just to be safe) seems a logical next step?


    Maybe a bit off topic: I only get the Google message when using Firefox (not when using Internet Explorer)

    Mod

    Kenneth John Odle

    #16437

    Graphene is not malware.

    If you read why Google has flagged your site, two things stick out in my mind:

    How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

    A lot of people use SEO plugins, because they think this will enable them to make a lot of money quickly. Unfortunately, a lot of SEO plugins promote themselves much more than they promote you. Check your plugins and see what they are installing. (Hint: Don’t use the Dashboard. Use “View Source” when you are viewing your page to see the actual HTML that is being generated.)

    What happened when Google visited this site?

    Of the 3 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-08-22, and the last time suspicious content was found on this site was on 2011-08-22.

    Malicious software is hosted on 1 domain(s), including kartfhffda.zapto.org/.

    [Listed as code in order to prevent linking.]

    This site was hosted on 1 network(s) including AS30568 (VCS).

    Do you have any links to this site, or any plugins that link to this site?

    Again, this is not a theme issue, but a lot of people who use this theme also use SEO plugins, which, IMHO, are useless at best and malicious at worst. Let us know what you find out.

    Ken
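    Ken's advice above is to read the HTML the site actually serves rather than the dashboard. The script below is an added example, not code from this thread or the Graphene project: it parses a page and lists every script, iframe, object, embed or stylesheet load whose host is not on an owner-supplied allowlist, which is exactly where an injected tag like the one Google described would show up. The allowlist hosts and the sample HTML are constructed for the example; the flagged host is the one named in Google's report above, with a placeholder path.

```python
"""Flag script/iframe/object/embed/link sources in rendered HTML that point to hosts
outside an allowlist.

Added example, not from the forum thread or the Graphene theme. The sample HTML is
constructed to mimic a page with one injected hidden iframe; the allowlist hosts are
assumptions for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to see in the generated HTML (assumption for this example).
ALLOWED_HOSTS = {"www.cbpmagazine.com", "cbpmagazine.com", "ajax.googleapis.com"}

# Tag/attribute pairs that make a browser fetch (and often execute) remote content.
LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
}


class RemoteSourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every attribute that loads remote content."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.sources.append((tag, value.strip()))


def host_of(url):
    """Lowercase host of an absolute or scheme-relative URL; None for a relative path."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def find_unexpected_sources(html, allowed=ALLOWED_HOSTS):
    """Return (tag, url, host) for every remote load whose host is not allowlisted."""
    collector = RemoteSourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.sources:
        host = host_of(url)
        if host is None:  # relative URL: served by this site, not a third-party load
            continue
        if host not in allowed and not any(host.endswith("." + a) for a in allowed):
            findings.append((tag, url, host))
    return findings


# Constructed sample: a normal page plus one hidden 1x1 iframe pointing at the host
# Google named in the thread (the path is a placeholder, not a real observed URL).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/graphene/style.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
</head><body>
<h1>Blog</h1>
<iframe src="http://kartfhffda.zapto.org/PLACEHOLDER-PATH" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, host in find_unexpected_sources(SAMPLE_HTML):
        print(f"unexpected <{tag}> load from {host}: {url}")
```

    Run it against the saved output of "View Source" (or of a fetch made with the same user agent Googlebot uses, since some injections only serve to crawlers). Anything it lists that you did not put there, and that no plugin you installed should be adding, is the thing to remove.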

    Mod

    Kenneth John Odle

    #16438

    Maybe a bit off topic: I only get the Google message when using Firefox (not when using Internet Explorer)

    Yet another reason not to use IE!

    I do want a second opinion on this one, but reinstalling WordPress and the theme and also changing all your passwords (just to be safe) seems a logical next step?

    This seems a bit like overkill to me, but I have never had this problem on any of my blogs. I also don’t use any SEO plugins, either, however. So if deleting plugins and then contacting Google doesn’t work, this may very well be necessary. Be sure to do a backup of your database so you don’t lose your posts.

    That said, if the plugin in question inserts code into your database, all of this may not help!

    BTW, the “WordPress SEO Plugin” constantly sends comment spam to my blogs; I wonder what it would do if I actually installed it! Be cautious when using this plugin!

    For what it’s worth, I’m working on an article about SEO.

    Ken

    danr

    #16439

    Thanks for all your comments, but I do not have any SEO plugins installed on this. Also, I do not have any links to zapto.org, according to Google.

    As I say, it might just be a coincidence, but the only thing I did to the site on Friday was to upgrade the Graphene theme, which, by the way, is a third party. I installed no plugins last Friday, so I think I can pretty much rule those out.

    Mod

    Kenneth John Odle

    #16440

    Here is your answer:

    How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

    Next steps:

    Return to the previous page.

    If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.

    I would contact Google for more specifics ASAP.

    Admin

    Syahir Hakim

    #16441

    Hi danr,

    Firstly, let me explain a bit how the Graphene theme development goes.

    1. The developers (2 developers, in the case of the Graphene theme) write the code and make changes/updates to the theme.

    2. The developers then upload the updated theme to the Google Code project hosting for the theme. Only the authorised developers have the permission to do this. In this case, it’s only me and one other developer, Jeffrey Tummers.

    3. The theme then goes into a public beta period, which lasts anywhere from a few days to a few weeks, depending on how major the changeset is. A number of volunteers test the theme, and translators update their translations. Any issues found during this beta testing period are fixed almost immediately after being reported.

    4. The theme is then submitted to the official WordPress.org theme repository. A member of the WordPress.org Theme Review Team will then review the theme and the changes made. Note that this happens every time before an update is published. The reviewer that reviews the theme is independent and not related to the Graphene theme.

    5. Only after the theme passes the review, which checks for a heck of a lot of things, will the theme update be published and made available on the WordPress.org official theme repository.

    So you see, there are a lot of checks being done between the development process and the stage when the theme’s updates are published, by a lot of people. The full history of changes made to the theme’s code is publicly available on the theme’s Google Code Project Hosting page. If anyone has malicious intent with your site, you can be pretty certain that it is not us.

    That being said, there are a lot of ways that a site can be compromised, one of which is via insecurities in the code. We’ve made significant efforts in later versions of the theme to harden its security, but as with all software development there’s always a possibility of a security hole somewhere that we are not aware of. If somebody finds one and points it out to us, we’ll be more than happy to plug it.

    But the theme is only part of the code that makes up your site, and a small part at that. Your site could have been compromised in a myriad of ways, including those that do not involve vulnerabilities in the code at all. This can include improper server configuration, sharing of server resources, etc. In fact, if it’s really the theme that contains the vulnerability that caused your site to be compromised, many of the tens of thousands of the theme’s users would have similar issues. But they don’t.

    So really, the best way to go about it is to try to do a complete reinstall of your site. Back up the database, change all the passwords (including the FTP and server admin panel passwords), wipe out all the script files, and then reinstall WordPress, the theme, and the other plugins that you have again. Then notify Google to let them do a review of your site again.

    I know it can be frustrating when things like this happen, but they do. We’re not living in an ideal world, and people with malicious intent do exist. So your best option would be to just stay cool and ride it out. If we can help in any way that is within our constrained time and ability, we’d be happy to.
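    The reinstall Syahir describes works because it replaces every script file with a known-clean copy. Before wiping, or after reinstalling to confirm nothing survived, it helps to know which files differed from the clean copy in the first place. The script below is an added example, not code from this thread or the Graphene project: it hashes an installed tree and a clean copy of the same WordPress/theme version and reports files that were added, modified or missing. The two trees here are constructed in a temporary directory so the script runs offline; the file names and contents are made up for the example.

```python
"""Compare an installed WordPress/theme tree against a clean copy of the same version and
report added, modified and missing files.

Added example, not code from the forum thread or the Graphene project. The demo() function
builds two constructed trees in a temporary directory; in real use, point compare_trees()
at the live web root and at a freshly downloaded copy of the same release."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map relative POSIX-style path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_trees(installed_root, clean_root):
    """Return sorted lists of files added to, modified in, or missing from the install."""
    installed = hash_tree(installed_root)
    clean = hash_tree(clean_root)
    return {
        "added": sorted(set(installed) - set(clean)),
        "modified": sorted(p for p in installed if p in clean and installed[p] != clean[p]),
        "missing": sorted(set(clean) - set(installed)),
    }


def write_files(root, files):
    """Create the given {relative_path: content} files under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as handle:
            handle.write(content)


def demo():
    """Build constructed clean and installed trees and return the comparison."""
    # Constructed stand-ins for a clean release; not the real file contents.
    clean_files = {
        "wp-config-sample.php": "<?php // sample config\n",
        "wp-content/themes/graphene/functions.php": "<?php // theme functions\n",
        "wp-content/themes/graphene/style.css": "/* Theme Name: Graphene */\n",
    }
    # The "installed" copy has one core theme file altered and one PHP file that
    # the clean release never shipped (both constructed for the example).
    installed_files = dict(clean_files)
    installed_files["wp-content/themes/graphene/functions.php"] += "// line appended after install\n"
    installed_files["wp-content/uploads/cache.php"] = "<?php // not present in the clean copy\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "clean")
        installed_root = os.path.join(tmp, "installed")
        write_files(clean_root, clean_files)
        write_files(installed_root, installed_files)
        return compare_trees(installed_root, clean_root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

    Files the clean release never contained, especially PHP under wp-content/uploads, and core or theme files whose hash changed are the ones to look at before deciding whether the reinstall alone is enough. As Ken notes above, anything stored in the database is outside what this check can see; that is why the database backup should be inspected separately.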

    Mod

    Kenneth John Odle

    #16442

    FYI:

    As I say, it might just be a coincidence, but the only thing I did to the site on Friday was to upgrade the Graphene theme, which, by the way, is a third party.

    First party: your webhosting service (and software they provide; usually Apache, MySQL, PHP, etc.)

    Second party: you (and your knowledge, talents, and abilities)

    Third party: whatever software you install that is not provided by your webhost (i.e., WordPress, etc.)

    But the theme is only part of the codes that make up your site, and a small part at that. Your site could have been compromised in a myriad of ways, including those that do not involve vulnerabilities in the codes at all. This can include improper server configuration, sharing of server resources, etc.

    I am working on an article about this.

    Kim

    #16443

    Hi

    What does Malwarebytes (http://www.malwarebytes.org/) report on the local computer?

    Kim
