Has this happened to anyone?

[seogeek]

So, somehow, my site got hacked and now their is trojans on it. But, there is no mention of it in webmaster tools. I used this site: http://sitecheck.sucuri.net/ , it then told me it's in some of the JavaScript files. Does anyone know what to look for in a "suspicious java file"? Thanks.

 

[Sobol]

It hasn't happened to me, but my initial guess is a cookie stealer.

 

[CCarter]

Yeah, look at the recent modified dates of all the javascript files that are running. Hopefully you have a local version you can compare too, but if not just sort the directory in your FTP program by modified date, and see what's up with the most recently updated ones (edited by a hacker).

 

[RiverStyx]

I had that problem once upon a time, I went to my host about it as I was told the problem was on their server...the host just denied anything was wrong. That was the last time I dealt with eukhost

 

[seogeek]

@CCarter Good idea. I'll look into that, I think it may be a plugin as well.

 

[seogeek]

so, I did a fresh install on WordPress and I'm still getting the problem. I'm going to try to delete some plug-ins, and see if that fixes the problem.

 

[CCarter]

Did you "DELETE" all the files or do a replace? Also it could be your theme is compromised cause you said javascript files.

 

[SmokeTree]

One thing I've done in the past and still employ sometimes is to use inotify to watch files and directories for changes. Timestamps are OK for more of a basic check to see if something has changed, but there is always the possibility of someone gaining access to the touch command (or uploading a custom shell), allowing them to change the timestamp itself (modified time included). You could write a script that would watch whatever files or directories you wanted and if there is a change, immediately take some kind of action which could be as simple as sending you an email, writing to a log file, release the kraken, etc. The script would run as a separate user set up for the purpose and run outside of webserver file space. I mostly code in Ruby so I use https://github.com/nex3/rb-inotify but you can find wrappers in other langs. If you are just looking for a way to see differences in a directory, you could use a tool like http://meldmerge.org/

Also, now would be a good time to do a security audit of your server and make sure file permissions, basic security and the like are in check.

 

[CCarter]

No offense to OP, but if he can't find simple compromised files by digging into the source code or by FTP - there is little likelihood he'll be able to do a security audit of his server. That's sort of something you should get an expert to do, or at least point him to a beginner's guide to help him understand why he should get a expert to do it for him.

The way it was compromised hasn't even be discovered cause he is still looking for the files that are trouble. It might be on a shared hosting where all sites on the server are compromised and it's the hosting company's fault.

 

[seogeek]

@CCarter I would not say im so experienced in using ftp. But, I had two of my friends look at who are pretty experienced using FTP servers, and this is kind of a last resort to check plugins.

 

[Ryuzaki]

You've definitely narrowed it down. If it's not in the Wordpress install, then it's the theme or plugins. You can use the process of elimination to sort it out. You COULD just search for all javascript files and then sort by last modified date, like @CCarter said. That'll be your fastest and easiest path. You'd probably want to log into cPanel and use the file manager, versus FTP, assuming you have cPanel.