I was contacted by a client who had experienced odd links / advertisements showing up in his WordPress setup. Furthermore, he had experienced emails bouncing back from his Contact Us form. The client has a dedicated servers with 5 ip addresses. Other websites are not experiencing any issues nor are the other 4 ip addresses. The odds are his entire server was not compromised.
Upon examining his infected website it appeared that majority of the links traced back to: http://www.genericstts.com. Some of the keywords that were used in linkage were: Play Craps Online, Play Bingo Online, and Meilleurs Casino en ligne.
This was a multiple task, first we needed to find out why his dedicated server was blacklisted and second, we needed to find out what was causing these links / advertisements.
There was absolutely no point in trying to un-blacklist his ip address because we needed to solve his website spam problem.
The obvious solution was to find if its a plugin or theme causing this or the actual WordPress that was compromised. After narrowing it down, it appeared that a plugin was compromised.
This is where you need to make a decision. Do you just wipe the entire system or delete just the plugin or trace the issue and try to eliminate the malware manually and keep the plugin and the website in tact. It all depends how much information you have stored in your wordpress setup, how much time you want to spend, or how much money you want to spend for someone to spend the time to narrow down the problem. The client wanted to trace the issue down. According to Fox IT, the proper solution should be to eliminate the user and to wipe the system down.
Now you can try and install clamav or maldet to see if it will find the malware and remove it for you, or you can try to find the issue manually.
I did it manually, since I knew which plugin was infected I took a look at each file manually. As it turns out it was a .PNG file that was infected. It did drop itself in two different spots. After getting rid of the two .PNG files, I also made sure you couldn’t write into those two directories.
After getting rid of the malware, I went to de-list the blacklisted IP.
All was back to normal.
If you require any sort of malware removal on your dedicated server (or shared) CONTACT US