Malware (counter-wordpress.com) Warning on Chrome (56 posts)

  1. deathski
    Member
    Posted 2 years ago #

    I'm having this warning on Chrome browser. Seems fine on IE and FF. Been doing some research but found no clear root and solution. My theme (Elegant theme) and WordPress are updated. How do I fix this? Please HELP. Thanks

    http://www.integrativefamilycare.com/

    "www.integrativefamilycare.com contains content from counter-wordpress.com, a site known to distribute malware. Your computer might catch a virus if you visit this site."

    Screenshot: https://www.elegantthemes.com/forum/download/file.php?id=15696

  2. jintech
    Member
    Posted 2 years ago #

    I have the same problem with my website: http://www.jintech.in and I'm also using an Elegant theme. Waiting to see any replies for this problem.
    The website works fine in FF and IE, but Chrome displays http://counter-wordpress.com/frame.php
    it may occur CDN, please help me ??? :(

  3. ivan.arnaudov
    Member
    Posted 2 years ago #

    ElegantThemes used the TimThumb library until a big hole was discovered in TimThumb recently (beginning of August).

    I am in the exact same mess right now; I am not a security expert and a friend is helping me out but basically you should assume that your hosting is compromised (the attacker can see your passwords and everything in your hosting panel).

    Begin by stopping the website, dumping the files on your HDD and scanning them for the following:

    eval(base64_decode
    $a = 'm'.'d5'
    $y = 'base'.'6'

    and also for all references to counter-wordpress.com

    Change your host panel password, SQL database website and everything else that may be accessible to somebody who can log on to your hosting.

    I will appreciate comments from other, more knowledgeable folks as well.

  4. cawel
    Member
    Posted 2 years ago #

    I am also experiencing the same issue in Chrome and Safari, that is, a warning saying I have malware content from counter-wordpress.com

    I'm using Striking, a WP theme also using TimThumb. Not sure how to get rid of that, but it needs to go because this week is a crucial week for my business :(

  5. Rein Aris
    Member
    Posted 2 years ago #

    Same problems here. Just updated TimThumb.. Hope this fixes the issue?

  6. ivan.arnaudov
    Member
    Posted 2 years ago #

    Updating TimThumb alone ***will not*** fix the issue.

    1. The hack entry must be removed -- for me it was two files called
    /blog/wp-content/upd.php
    /blog/wp-content/eab9c5e9815adc4c40a6557495eed6d3.php

    2A. All references to counter-wordpress.com inside html/php files must be removed by hand, or
    2B. The WP and theme files must be deleted and restored from a secure copy.
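
A scanner for the indicators named in the posts above (the three code strings, the counter-wordpress.com domain, and the upd.php and 32-hex-digit .php file names), run over a local dump of the site files. This is an added example, not part of the thread; the indicator labels, `scan_tree` and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Content indicators quoted in the thread, matched as bytes.
CONTENT = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode", re.I),
    "split-md5": re.compile(rb"['\"]m['\"]\s*\.\s*['\"]d5['\"]"),
    "split-base64": re.compile(rb"['\"]base['\"]\s*\.\s*['\"]6"),
    "bad-domain": re.compile(rb"counter-wordpress\.com", re.I),
}
# File names reported in the thread: upd.php and 32-hex-digit .php files.
NAMES = {
    "upd-php": re.compile(r"^upd\.php$", re.I),
    "hash-named-php": re.compile(r"^[0-9a-f]{32}\.php$", re.I),
}
SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm"}

def scan_tree(root):
    """Return sorted (relative_path, indicator) pairs for a site dump."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        hits += [(rel, k) for k, rx in NAMES.items() if rx.match(path.name)]
        if path.suffix.lower() in SCANNED_SUFFIXES:
            data = path.read_bytes()
            hits += [(rel, k) for k, rx in CONTENT.items() if rx.search(data)]
    return sorted(hits)

# Constructed sample files (harmless stand-ins, not the real payloads).
SAMPLE = {
    "index.php": b"<?php echo 'clean'; ?>",
    "wp-config.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "wp-content/upd.php": b"<?php /* placeholder */ ?>",
    "wp-content/themes/demo/temp/0123456789abcdef0123456789abcdef.php":
        b"<?php $y = 'base'.'64_decode'; ?>",
    "wp-includes/js/l10n.js": b"// ref: counter-wordpress.com",
}

def demo():
    """Write SAMPLE into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, indicator in demo():
        print(f"{indicator:15} {rel}")
```

A hit is a lead for manual review, and an empty result only means these particular indicators are absent from the dump.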

  7. Rein Aris
    Member
    Posted 2 years ago #

    For me it was a .js file. Updated WordPress and did a rescan on: http://sitecheck.sucuri.net/scanner/, it says No threats right now. Changed password (WP) and DB, FTP

  8. cupracer
    Member
    Posted 2 years ago #

    I ran into this problem, too. I was able to fix it and blogged about it. I'm sorry, it's German only, but nevertheless it may help some of you:

    http://www.mynakedgirlfriend.de/hacker-angriff-aufgedeckt/

  9. dionsis
    Member
    Posted 2 years ago #

    I had this problem yesterday too

    I'd like to point out I found a malicious exe file nod32security.exe or something along those lines in the WP-Includes/js/jquery folder

    I've now deleted all my files to clean any extra files that got in and reuploaded all the new files including version 2.8 TimThumb.

    Hopefully this will keep it all out

  10. Rein Aris
    Member
    Posted 2 years ago #

    Also remove wp-admin/upd.php (CupRacer says it in his blog, but it's German :))

  11. ChrisPaca
    Member
    Posted 2 years ago #

    [Updated]
    Just fixed the same issue on my site (onlywarsaw.com) in 3 easy steps that took me 10 minutes:

    1. deleted 3 files:
    /wp-content/upd.php
    /wp-content/themes/[theme's name]/temp/eab9c5e9815adc4c40a6557495eed6d3.php
    (or similar)
    wp-admin/upd.php

    2. updated timthumb.php script to the latest version available here:
    http://timthumb.googlecode.com/svn/trunk/timthumb.php

    3. cleared Chrome's cache for cookies and cached sites.

    Google Chrome is not displaying the warning message anymore.

    Changing the passwords for admin accounts and SQL database might be a good step too.

    Thanks guys for all your tips!

  12. Rein Aris
    Member
    Posted 2 years ago #

    And it's good to run the script on:
    http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html

    And check your site with: http://sitecheck.sucuri.net/scanner/

    I didn't have the temp folder with the 'random hashed' filename by the way.. But I did have an extra upd.php file in my wp-admin, so look out for that one too!

  13. ChrisPaca
    Member
    Posted 2 years ago #

    Thanks Rein Aris - Just found this extra upd.php on my server as well!

  14. cupracer
    Member
    Posted 2 years ago #

    Okay, for those of you who don't understand German, here's the short version of what I've written in my blog entry (see above):

    1. Delete the following files:
    wp-admin/upd.php
    wp-content/upd.php

    2. Replace the following files with the original files from wordpress.org:
    wp-settings.php
    wp-includes/js/jquery/jquery.js
    wp-includes/js/l10n.js

    3. Open "wp-config.php" and check for malicious code and massive empty lines. Clear it all.

    4. My theme is "Arthemia Premium". There's a file which should be deleted, too:
    wp-content/themes/arthemia-premium/scripts/cache/external_{MD5Hash}.php

    5. Replace timthumb.php with the latest version (http://timthumb.googlecode.com/svn/trunk/timthumb.php).

    6. Change your MySQL password and update wp-config.php.

    7. Change the secret keys in wp-config.php as well.

    8. Clear your browser cache, cookies etc.

    HTH,
    Thomas
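
Step 2 above replaces named core files with originals from wordpress.org. The added example below (not part of the thread) generalizes that check to the whole tree: it hashes a site dump against a clean WordPress copy, assumed to be the same version, and lists files that differ and files in wp-admin/ or wp-includes/ that the clean copy lacks. The function names and both sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")  # should contain core files only

def digests(root):
    """Map relative POSIX path -> SHA-256 hex digest for each file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site_root, clean_root):
    """Compare a site dump with a clean copy of the same WordPress version."""
    site, clean = digests(site_root), digests(clean_root)
    modified = sorted(f for f in site if f in clean and site[f] != clean[f])
    unexpected = sorted(f for f in site
                        if f not in clean and f.startswith(CORE_DIRS))
    return {"modified": modified, "unexpected": unexpected}

# Constructed stand-in trees; real use points at a dump and an unpacked release.
CLEAN = {
    "wp-settings.php": b"<?php // core settings",
    "wp-admin/index.php": b"<?php // admin",
    "wp-includes/js/l10n.js": b"// l10n",
    "wp-includes/js/jquery/jquery.js": b"// jquery",
}
DUMP = dict(CLEAN, **{
    "wp-settings.php": b"<?php // core settings\n// appended line",
    "wp-includes/js/jquery/jquery.js": b"// jquery\n// appended line",
    "wp-admin/upd.php": b"<?php // placeholder",
    "wp-includes/js/jquery/unexpected.exe": b"MZ placeholder",
    "wp-config.php": b"<?php // site config, absent from a release",
    "wp-content/themes/demo/style.css": b"/* theme */",
})

def write_tree(root, files):
    """Create each file in `files` (relative path -> bytes) under root."""
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

def demo_compare():
    """Build both sample trees in temp directories and compare them."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, DUMP)
        write_tree(b, CLEAN)
        return compare_to_clean(a, b)
```

wp-config.php and everything under wp-content/ have no counterpart in a release archive, so they still need the manual review described in steps 3 and 4.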

  15. gmsniperx
    Member
    Posted 2 years ago #

    I have the Evid theme from ElegantThemes, but I am not able to figure out the malicious files or code. I don't have those malicious files specified for "arthemia premium" in previous posts.

    Any help will be highly appreciated :-)

    sniper

  16. ChrisPaca
    Member
    Posted 2 years ago #

    Hey Sniper,

    Actually I also use eVid theme, so the instructions above should fit exactly your theme as well.

    Chris

  17. iamlenox
    Member
    Posted 2 years ago #

    I'm using the Headway theme and I can't find any of the files or code that anyone is referring to. I've already lost one of my sites and it's still showing the malware warning, so any assistance would be appreciated.

    http://www.autobuds.com

    http://www.objectcalled.com (lost all site files so it's a fresh install and the malware warning still appears)

  18. iamlenox
    Member
    Posted 2 years ago #

    I'm not using TimThumb by the way.

  19. Rein Aris
    Member
    Posted 2 years ago #

    This malware warning won't go away in a second because Google has to review your site again. The message you see is (most of the times) based on Google data. So you can clean up your site and wait or submit a review of your site in Google webmaster tools.

  20. iamlenox
    Member
    Posted 2 years ago #

    ok that takes care of one of the sites but what about the other?

  21. Rein Aris
    Member
    Posted 2 years ago #

    Scan your site with http://sitecheck.sucuri.net/scanner/ please.
    What does it say?

  22. iamlenox
    Member
    Posted 2 years ago #

    0 malware and 0 viruses found but blacklisted by Google. So I guess at this point I can submit a review request to reinstate with Google for that site as well now.

  23. Rein Aris
    Member
    Posted 2 years ago #

    If the scanner is right; yes

  24. ChrisPaca
    Member
    Posted 2 years ago #

    Also, pls mind that we're talking here about issues with TimThumb, so obviously your sites are facing some different problems and therefore the solutions developed here probably won't work for you.

  25. iamlenox
    Member
    Posted 2 years ago #

    Chris, my sites are receiving "Malware (counter-wordpress.com) Warning on Chrome" just like everyone else is, so while the majority are using TimThumb, which seems to be largely affected by this issue, they aren't the only WordPress sites affected.

  26. lukethomasmedia
    Member
    Posted 2 years ago #

    I followed Cupracer's instructions and I have a few simple questions:

    1. According to http://sitecheck.sucuri.net/scanner/, the issue lies within a jquery.js file (specific to my theme). I re-uploaded the new file, and I still receive the same error. Does this take time to propagate?

    2. Are there any other malware scanners that would assist me?

  27. jintech
    Member
    Posted 2 years ago #

    I've removed upd.php, and also removed the eab9c5e9815adc4c40a6557495eed6d3.php kind of file, but my site still displays the malicious warning in Chrome.
    Please help me, I'm in trouble.
    My website: http://www.jintech.in

  28. xsn0w
    Member
    Posted 2 years ago #

    Yeah. We got hacked too. I have removed upd.php from wp-content and wp-admin and the long hash .php from wp-content. updated timthumb.php inside of plugins/islidex/js. Still have the browser warning. What is this attack doing? Should I warn my users?

  29. SH101
    Member
    Posted 2 years ago #

    Clear your browser cache!

    I have trouble with the admin interface. Tried reinstalling everything. Changing to default theme and so on. I still can't change the publishing date for example. Seems to be a jquery problem. Any ideas?

  30. SH101
    Member
    Posted 2 years ago #

    I get Uncaught TypeError: Object #<Object> has no method 'prop' btw.

This topic has been closed to new replies.