Internet slow as hell, sites hacked. Can anyone help??

Status
Not open for further replies.
Yeah, I'm probably going to have them send a technician out. I've scanned, rescanned, and then scanned my computer again. Disabled a bunch of processes. Can't find anything wrong with my actual computer. Everything is running fine except the internet.

Now, I'm just pissed off about my hosting being hacked and my sites being listed as malicious in google. I'm done with wordpress. I have so many problems with wordpress exploits I can't take it anymore.
 


If it's DNS, manually set yours to OpenDNS:

208.67.222.222 and 208.67.220.220

You can fix your sites with Google Webmaster by verifying your sites.

WordPress is open source, what do you expect? Stay updated.
 
Maybe it is just me, but I am a big fan of reformatting whenever I get these kinds of things. I have seen malware that will crawl your computer and replace links in HTML files or auto "bundle" itself with exe files on your machine. Not to mention USB spreaders. Also, FTP is not in any way, shape or form secure: passwords are sent in plain text and many FTP clients store usernames/passwords in plain text format.

I agree. Most of the time you're going to spend way more time dicking around trying to solve the problem than if you just reformat and reinstall and restore your system.
 
If you're sure that they got in through a wordpress exploit and not your machine, it sounds like a technician definitely needs to come out to check the connection. It could be something as simple as rain water getting in the lines.

Having said that, I've had a few people I host contact me because they thought their wordpress install was hacked. And then I checked their logs and found the malicious file was uploaded by their IP address via FTP. So you should find out which file Google is calling malicious and then ask your host to find out how it got there.

As for Google blocking your sites, they normally whitelist them again within 1-2 weeks if you request a new scan.
 
Before you do anything, just do a simple test to see if it is your computer or something else. Plug another computer in!!! If the internet works fine, the problem is your computer and you may as well reformat. If the internet is still slow, then the problem is DNS, network, or something...call the technician.

Forgive me if you've already done this, but from your confusion over what the problem is it seems like you haven't. Funny how you can get so caught up in this shit and miss obvious tests like that.

EDIT: Plug the second computer directly into the modem, just to avoid the possibility that your router is infected.
 
Unplugged my router, let it sit for a few minutes, reset it manually with a safety pin, changed password. It seems to be okay now. Only time will tell though.

Scanned my computer again and everything is coming back 100% clean just like it always does, so I have no idea.

As for my sites - I changed my FTP password, deleted everything off my webhost and reuploaded a couple of the important non-wordpress sites, and requested a review from google webmaster tools.

All I can do now is wait I guess. Thanks for all the help guys! Much appreciated. :)
 
So you should find out which file Google is calling malicious and then ask your host to find out how it got there.

Hey subigo, thanks for the reply. How would I check which file it was? Google webmaster tools isn't really giving me any info other than it's infected.

Oh, also some of the sites infected I haven't touched in over 6 months, so it's doubtful it came from my system. I believe they got into my hosting somehow.
 
Myowndemon, every time you come in here with one of these problems, you freak me out. Glad things seem to be getting back on track, though.

The ftp thing bothers me a bit. Are there some that are better than others with regards to security? I'm using fireftp currently.
 
Myowndemon, every time you come in here with one of these problems, you freak me out. Glad things seem to be getting back on track, though.

The ftp thing bothers me a bit. Are there some that are better than others with regards to security? I'm using fireftp currently.

Hahah, hey Turbo - didn't mean to scurrrrrr you :)

I honestly think it's my hosting. It just sucks. 1and1. I'm so done with them and should have stopped using them last time I got hacked but I figured what are the odds of it happening again. I figured wrong. My sites hosted with them are constantly being injected with spam links and exploits. They have NO security measures in place and their customer service is horrible. Absolutely no help at all. No wonder they have terrible reviews all over the net. And ironic part being I think I actually infected my own computer by visiting my own websites.

I'll be happy when my sites aren't listed as dangerous in google anymore, because for the next 2 weeks (or however long it takes them to re-review my sites) I'm really going to take a major income hit. Hackers hit me in the wallet this time, and it's no fun.
 
Yeah I don't know why the fuck you're using 1and1. Personally I've been with HostGator for my shared hosting for about 2 years and never had any problems. I know a lot of other people report differently, but they've been great to me. They're also very reasonable.
 
Hey subigo, thanks for the reply. How would I check which file it was? Google webmaster tools isn't really giving me any info other than it's infected.

Oh, also some of the sites infected I haven't touched in over 6 months, so it's doubtful it came from my system. I believe they got into my hosting somehow.

Google won't tell you, but it's normally an iframe injected into your html source. Just go through all of your .html/.php files and look for something that you didn't put there (like I said, 99% of the time it'll be an iframe).

And then once you find the file just ask 1and1 to tell you the last IP to upload it or modify it.
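The file sweep described above, as an added example that is not part of the original post: it walks a local copy of the site, reports every iframe whose source is not on your own allowlist, and records each file's modification time to quote to the host. The function names, the `trusted_hosts` parameter and the hidden-frame heuristic are assumptions of this sketch.

```python
import re
import time
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Sizing/styling that makes a frame invisible to visitors (0 or 1 pixel, hidden).
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[:=]\s*["']?[01](?!\d)|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
EXTENSIONS = {".html", ".htm", ".php"}


def src_host(tag):
    """Host named by the tag's src; None when the src is relative (same site)."""
    src = SRC_RE.search(tag)
    if not src:
        return "(no src)"
    try:
        return urlparse(src.group(1)).hostname
    except ValueError:
        return "(unparseable src)"


def scan_file(path, trusted_hosts):
    """Return one finding per iframe that points off-site to an untrusted host."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        host = src_host(tag)
        if host is None or host in trusted_hosts:
            continue  # same-site frame, or one you placed yourself
        findings.append({"file": str(path), "line": text.count("\n", 0, match.start()) + 1,
                         "host": host, "hidden": bool(HIDDEN_RE.search(tag)), "tag": tag[:120]})
    return findings


def scan_tree(root, trusted_hosts=frozenset()):
    """Scan every .html/.htm/.php file under root; hidden frames sort first."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(path.stat().st_mtime))
            for f in scan_file(path, trusted_hosts):
                findings.append({**f, "modified_utc": mtime})
    return sorted(findings, key=lambda f: (not f["hidden"], f["file"], f["line"]))
```

Call `scan_tree("site_copy", trusted_hosts={"video.example"})` on a downloaded copy of the web root; every remaining finding is a frame to review by hand.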
 
Yeah, I'm probably going to have them send a technician out. I've scanned, rescanned, and then scanned my computer again.

Dude, back your shit up and reinstall. I know it's a pain in the ass but it's probably worth it.

Now, I'm just pissed off about my hosting being hacked and my sites being listed as malicious in google. I'm done with wordpress. I have so many problems with wordpress exploits I can't take it anymore.

Were your versions up to date? Do you know what exploits they used? Had you been backing your shit up regularly before you got hit?
 
I think there's a substantial chance that your Internet slowness and your sites being hacked were two unrelated problems that happened to occur at the same time.

Since resetting your router took care of the local Internet slowness, it implies that that was being caused by the router, not by your PC. If that's the case, do you by any chance have a cheap consumer router (i.e. Netgear, Linksys, D-Link) that's more than a couple years old? If so, were you using BitTorrent? There's a known issue with a huge number of consumer routers that causes them to bog down to hideously slow if you run BitTorrent through them for more than a few hours. Stopping BT does not fix the problem -- only resetting the router or waiting an absurdly long time (24-72 hours) will fix it. If this was your problem, the only ways to prevent it from happening again are 1.) don't use BitTorrent, 2.) get a new router, or 3.) upgrade your router's firmware with a 3rd-party firmware like DDWRT or Tomato.

As for the sites getting hacked, WordPress does have vulns discovered in it pretty often, so it's important to keep WP sites very up-to-date if you have them. However, it's quite possible that someone rooted the box at 1and1 through some other guy's site on the same server, then compromised every site there (this has happened to my installations before, when I used shared hosting.) The only way to prevent that is... to not use shared hosting. VPS or dedicated doesn't generally have that problem. A less lame hosting provider might help, but even if your hosting provider is great, as long as it's shared you can bet somebody is running a crappy, insecure site on it somewhere, and no hosting provider keeps everything patched and up-to-date all the time (to do so would require frequent reboots, and hosting companies know nobody likes their sites being down.)

If your PC really was infected by something (I'd scan for worms/viruses/zombies with Kaspersky, then spyware/adware with Spybot S&D), then the only way to be truly sure it's clean is to reinstall the OS ("nuke the facility from orbit, it's the only way to be sure.") That may be overkill for your average user, but if you're running a business off your PC... you want to be sure. The last thing you want is to change all the passwords on all your sites, only to find your PC is secretly emailing them to some dick in Russia. On the other hand, if Kaspersky & Spybot say it's clean, the problem was probably the router, not the PC.

And finally, if your hosting provider allows you to disable FTP and use only SFTP/SSH... it's a good option to turn on. FTP sends your password in clear text over the Internet every time you log in.
 
Called my ISP today, we did some speed tests, etc. They said everything looked fine and my speed was actually faster than I was supposed to be getting - so I asked them to explain why my net connection cuts out every 5 minutes and pages never load. Needless to say, they're sending a tech out on Monday.

As far as my sites, most have been unblacklisted in google. That was pretty quick, less than 24 hours. Webmaster tools ftw!

Oh, just final question if anyone could help. If I install the newest version of wordpress, would it be safe to just hook up my databases? If not, how do I check the DBs to see if they're infected - is there a tool for that?
 
Dude, I got the same thing on my two 1and1 hosted sites. They get in via FTP. There will be .js lines on the top and bottom of the index files for your sites. They make an iframe attack on the front end of your site. Was it from like nuotoll.com or something?

I swear 1and1 is the cause of someone getting in. I wish the main media would pick up on it but they would need multiple sources. Get your sites fixed ASAP.

Hopefully you don't have the other virus that was going around that injects it into every file.

Once you clean everything, resubmit a check to Google through webmaster tools so you can be taken off the malicious list. Also change EVERY PASSWORD known to your sites, the FTP being most important.
 
If I install the newest version of wordpress, would it be safe to just hook up my databases? If not, how do I check the DBs to see if they're infected - is there a tool for that?

I just fixed a couple of my hacked sites and had to manually remove the iframe code. The code was only in the pages of the site, not the posts.

To remove the code I did this sql query in phpmyadmin and then edited the text:

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
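The query above, widened into a sweep of the other text columns a WordPress database holds, as an added example that is not part of the original post. It assumes the default `wp_` table prefix and uses an in-memory SQLite database with constructed rows as a stand-in for the site's MySQL database; `sweep`, `build_sample_db` and the tables beyond `wp_posts` are choices of this sketch.

```python
import sqlite3

# (table, id column, text column, label column) in the default WordPress schema.
TARGETS = [
    ("wp_posts", "ID", "post_content", "post_type"),
    ("wp_posts", "ID", "post_excerpt", "post_type"),
    ("wp_comments", "comment_ID", "comment_content", "comment_approved"),
    ("wp_options", "option_id", "option_value", "option_name"),
]
MARKERS = ("<iframe", "<script")


def sweep(conn):
    """Run the thread's LIKE search over every target column; return hits for manual review."""
    hits = []
    for table, id_col, text_col, label_col in TARGETS:
        for marker in MARKERS:
            sql = (f"SELECT {id_col}, {label_col} FROM {table} "
                   f"WHERE {text_col} LIKE ? ORDER BY {id_col}")
            for row_id, label in conn.execute(sql, (f"%{marker}%",)):
                hits.append((table, text_col, label, row_id, marker))
    return hits


def build_sample_db():
    """Constructed rows (not data from the thread) in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT,
                               post_content TEXT, post_excerpt TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY,
                                  comment_approved TEXT, comment_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY,
                                 option_name TEXT, option_value TEXT);
    """)
    frame = '<iframe src="http://injected.example/a.php" width="1" height="1"></iframe>'
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "post", "<p>Clean post</p>", ""),
        (2, "page", "<p>About</p>" + frame, ""),
        (3, "revision", "<p>About (older copy)</p>" + frame.upper(), ""),
    ])
    conn.execute("INSERT INTO wp_comments VALUES (1, '1', 'Nice site!')")
    conn.execute("INSERT INTO wp_options VALUES (1, 'widget_text', ?)",
                 ('<script src="http://injected.example/w.js"></script>',))
    return conn


if __name__ == "__main__":
    for hit in sweep(build_sample_db()):
        print(hit)
```

WordPress keeps older copies of a page in `wp_posts` as rows of type `revision`, so a cleaned page can still have an injected copy sitting beside it; legitimate embeds match too, so each hit needs a look before editing.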
 
i'm not reading the thread, but the symptoms sound exactly what i went through a couple of months ago

1) reformat. had to. virus was too malicious to get rid of with software.
2) reset all FTP passwords
3) replace infected files on website with backups (little bug tends to install itself on home.*, default.* and index.* and variations thereof, as well as javascript files).
4) stop storing passwords in Filezilla and or other ftp programs
5) fixing the site usually gets rid of the warning in due time, but you can get rid of it faster with google webmaster tools or requesting review through stopbadware.org (i think)
 
Are you using Filezilla for your FTP? If so, then you're probably infected with the gumblar exploit.
It's pretty nasty and a chore to clean out of your system. Norton won't catch it, and Avast will but not clean it from your system.
 