remove website malware

This project was awarded to valerianmartin for $25.5 USD.

Get free quotes for a project like this
Project Budget
$30 - $100 USD
Total Bids
Project Description

A rogue script has somehow managed to hack my site [url removed, login to view] so that it manages to keep getting access to the site's .htaccess file and modify it to redirect search engines to this viagra page: <[url removed, login to view]:bHAiI9EzoK0J:[url removed, login to view]+superjam&cd=1&hl=en&ct=clnk&gl=uk>

That means that when users search for "superjam" on google, they see this:

### [Viagra cheap | Cheap Viagra Online - #1 Canadian PHARMACY][1]

25 Jun 2010? **...**? Viagra cheap | Official Canadian Pharmacy | FDA Approved Drugs. Extra Low Prices<wbr />. Worldwide Shipping, No Prescription Needed, Fast Delivery.

I need this security error fixed asap.

## Deliverables

Dreamhost support said of the error:

WordPress (v2.9.1) : /home/mediaroots/[weareunleaded<wbr />.com/BK/][2]? (OUTDATED!)

Zen Cart ([url removed, login to view]) : /home/mediaroots/[eventworldtic<wbr />[url removed, login to view]][3]? (OUTDATED)

Zen Cart ([url removed, login to view]) : /home/mediaroots/[eventworldtic<wbr />[url removed, login to view]][4]? (OUTDATED)

- WordPress installations need to be updated to the current secure releases of 2.9.2 or 3.0.

- ZenCart installations need to be updated to version 1.3.9d.

- Any old/outdated/archive installations that you do not intend to maintain need to be deleted from the server.


Go through all files under the affected user and look for anything that may have been modified or placed by the hacker. ? It is common for the intruder to place extra <?php> blocks, iframes, javascript <script> tags, etc., frequently at the top or bottom of otherwise legitimate files. ? Often times this code is obfuscated or encoded such that you cannot tell what it does simply by reading it. ? Also note that hackers often leave behind shell/backdoor scripts that thy can later use to re-exploit the site even after all other vulnerabilities have been patched. Often these scripts are given innocuous names like "[url removed, login to view]" or "[url removed, login to view]", or they may be more direct -- anything called "c99shell" or "r57shell" or "[url removed, login to view]" is a dead giveaway.

Likely hacked code / hacker shells were found under mediaroots here:

/home/mediaroots/[<wbr />uk/pstore/<wbr />[url removed, login to view]][5]

Awarded to:
Skills Required

Looking to make some money?

  • Set your budget and the timeframe
  • Outline your proposal
  • Get paid for your work

Hire Freelancers who also bid on this project

    • Forbes
    • The New York Times
    • Time
    • Wall Street Journal
    • Times Online