Hello and thank you for contacting us, a paid expert support site. My name is XXXXX XXXXX X'X be glad to assist you with your issue.
Can you please provide me a link to the site/page in question?
The last attack affected http://campnicolet.com/ we have cleaned the files since.
It was affected this AM.
Here are more specifics:
The line that causes this to happen is the file and hash is different in each occurrence
@include_once 'C:/inetpub/wwwroot/7sigma.com/wp-admin/calendar.php'; #17268ff29bbc2e2563b89b780c61bb8d
This calls a file that is server side script that is reversed base 64 encoded. Transferring a mobile device to whatever site the attacker indicates with the hash. Whatever is putting this in place is changing file permissions from read only to writable and then back to read only.
Interesting. So, then one of your files is insecure enough to allow for an injection of code. This may simply be a permission issue on a single file in your install.
But you said multiple sites - are they all on the same system?
All of them are Wordpress sites. That is the only commonality they share.
They are all on a Windows Server and we know that can affect this as well.
Are they all hosted on the same Windows server?
Yes. They're all hosted on the same Windows Server.
Ok, so we might be looking at an insecure IIS server, out of date PHP install or permissions.
Let's check PHP first - how familiar are you with PHP?
I'm not that familiar however, I have 3 programmers that are. I can have them answer what we need.
What you need.
I need a PHP Info page - they will know what that is but if you wanted to do it, you simply need to create a file in the root of any of the sites and call it something with a php extension. Inside the file put this: <?php php_info(); ?>
Then access (or provide me a link to) that page
We're doing it now. I will send the link in just a sec.
We're just about done.
Take your time, no rush.
Ok, part of the problem is that your PHP install is very out of date: Build Date Mar 17 2011 10:46:06
You should (or your developers) should update to the latest PHP which is 5.5.3. Which has a build date of 8/21. http://windows.php.net/download/#php-5.5
Now, you can stay on the 5.3 thread (which is currently at 5.3.27 which has a build date of 7/11) if you wish but I always recommend staying with the latest versions. 5.3 is available here: http://windows.php.net/download/#php-5.3
There are also some things that need to be changed in your php.ini (configuration file) file.
You should update your PHP install first, then we can look at the values as the latest version may have set them to proper values.
Ok. I'll get them to do this ASAP.
Great. If you want to review this in the meantime: http://www.iisunderground.com/securing-php-with-the-php-ini/
It is a good article on securing your PHP install.
Sadly, to know if it helped, we need to wait for another attack.
Thank you. We're reading it now.
No problem. Let me know if you need anything else for the time being.
We're updating our PHP version as we speak. We don't have http://www.iisunderground.com/securing-php-with-the-php-ini/ implemented, but will be doing this ASAP. Can I keep our chat open with you for questions? How long may I speak with you?
Of course. As long as you need. I will be here.
Great. We'll implement these two now and I'll be in touch if we have questions. Thank you!
One more question- we have search engine results for WP sites that are displaying results with foreign language and spam. Do you know how to stop this?
Can you provide me an example?
If you Google Camp Nicolet for Girls you get this result:
Oh wow, that is interesting. The description is in Russian.
Yes. We have the Akismet plug-in that is suppose to catch things like this, but it isn't working.
That doesn't look like spam - it looks like a bad sitemap or Google crawled the site at a bad time.
Do you have a sitemap plugin?
Also, if you have a caching plugin, you might want to clear/flush the cache.
Camp Nicolet does not have a site map plug-in. I'll check on the cashing plugin.
Sometimes SEO plugins have sitemap features - check that as well.
SEO Yost is one that we work with.
Yup, that one does sitemaps. You might want to see about re-generating one. I have no personal experience with it but it should be in settings somewhere.
No problem. Let me know if you need anything else.
Are we charged the flat quoted fee that I was given only? Or after a period of time do we get assessed more?
No, it's a flat fee.
Is there anything else I can help you with? If not, please be sure to rate the service in the bottom right corner.
Thank you for the update and all of your assistance! Have a great rest of your day!