WordPress › Support » Malware (counter-wordpress.com) Warning on Chrome

xsn0w
Member
Posted 9 months ago #

I have also changed MySQL passwords (and updated both wp-config.php and bb-config.php (buddypress/bbpress user don't forget this), admin passwords, cpanel passwords and changed auth salt keys in wp-config.php. I suggest everyone not skip these tedious step for protection. I have cleared my browser's cache and the warning is still coming up for me (on Mac - Chrome and Safari) but not for my P.C. using colleagues. I am super paranoid and this has triggered a delusional bout of paranoia. Have I missed anything?

Oh, and Google webmaster tools doesn't, and hasn't ever "found" any malicious software on my site. Where are the warnings coming from? Who is issuing them, as google apparently never found anything wrong with my site?
xsn0w
Member
Posted 9 months ago #

I now know that iSlidex's copy of timthumb.php was the entry point for my attack. Don't overlook any active WP install on your server. Every live WP site on my server was infected.
sanjeevmohindra
Member
Posted 9 months ago #

Check WP-Config.php for more than 92 lines, it might look empty but it will have code later at around 2000-5000 lines, code is small around 20-30 line...If somebody wants a snippet can ping me...You don't need those lines, file should be 91 line only.

In the raw visitor log on server check for server 91.196.216.20, this was the infection point for my site. this URL has the script also which has been executed...this script can give you an idea about what files you need to check. (Don't open it with the full url, you need to take the number like 15.txt from the url and use it like http://91.196.216.20/15.txt to open the script)

If wordpress is installed in root folder, you can move wp-config.php up by one level, which will bring it out of public folder.

Also make sure that you either reinstall wordpress or change the security key, delete all the cookies and browsing data from the browser.

Hope this will help.
xsn0w
Member
Posted 9 months ago #

Thank you Sanjeev. I had scrolled way down but had missed the lines way down. They have now been removed. Thank you for this valuable tip.
MickeyRoush
Member
Posted 9 months ago #

@ iamlenox

Chris my sites are receiving "Malware (counter-wordpress.com) Warning on Chrome" just like everyone else is so while majority are using TimThumb which seems to be largely affected by this issue they aren't the only wordpress sites affected.

Some themes and plugins have renamed timthumb.php to thumb.php or thumbs.php. If you see one similar to those in your theme(s) or plugin(s) please contact the particular developer to find out exactly if they are using timthumb or a derivative of it.
sanjeevmohindra
Member
Posted 9 months ago #

I have created an step by step guide to help, You can also suggest or use it.

http://makewebworld.com/2011/08/tips/how-to-remove-counter-wordpress-malware/
sammiej
Member
Posted 9 months ago #

Thankyou for all your help with this issue, members...I think I found all the offending files and updated what was needed. Wouldn;t have had a clue without this forum!

Sam
elegantthemes
Member
Posted 9 months ago #

For any ElegantThemes members, be sure to update your theme to the latest version. This vulnerability was fixed several weeks ago. I have noticed two major hacks going around. If you have already been hit, then the first thing you should do is open wp-config.php and delete everything after:

require_once(ABSPATH . 'wp-settings.php');

Next open index.php and delete everything between:

require('./wp-blog-header.php');

...

?>

After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as http://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.

Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It's also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don't have any timthumb.php files laying around.

ET members, feel free to send me an email if you need help: http://www.elegantthemes.com/contact.html
esmi
Theme Diva & Forum Moderator
Posted 9 months ago #

This script is very popular throughout the theme community.
As far as I'm aware, it's not been allowed in any WPORG theme for a while now.
elegantthemes
Member
Posted 9 months ago #

There are still many themes outside the repository that use the script. It's worth checking your inactive themes for the file.
MickeyRoush
Member
Posted 9 months ago #

@ sanjeevmohindra

May I make a suggestion. (Sorry I didn't have time to register with your site.)

These lines may not work for everyone:
deny from superpuperdomain.com
deny from superpuperdomain2.com

Deny based on remote hostname will only work on a server that has reverse-DNS lookups enabled (some don't).

Better to use SetEnvIfNoCase Referer. Something like this:
SetEnvIfNoCase Referer ^(www\.)?superpuperdomain\.com ban
SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2\.com ban
deny from env=ban

So:

SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2?\.com ban
order allow,deny
deny from 91.220
deny from 91.196
deny from env=ban
allow from all
mlrose45
Member
Posted 9 months ago #

i have got a problem in my site fun54.com, i came to know through webmaster tool that my site is linking to counter-wordpress.com which consist of malware malicious software, i consult to the web hosting and they said that they clean my Jquery files and updated,

first i was checking the status of my site here:
http://sitecheck.sucuri.net/scanner/
and the result was bad, but after the replacement or updating of Jquery files my website status gone GREEN. OK . FINE. :)

but the problem actually listed below which i am still facing:

URL 1: http://www.fun54.com/10-inspirational-love-quotations-sayings-for-him-and-her

URL 2: http://www.fun54.com/10-inspirational-love-quotations-sayings-for-him-and-her?fb_xd_fragment

Google Webmaster Tool, displays these kind of URLs of my site in Malware error report,
if the Jquery error has been removed then why still URL 2 working?

and my site is still under harmful listed sites in Google, why it is not removed from google's suspecious site's list?

if anyone can help / reply , then plz

i will be thank full to you

bye

Emily
WordMe
Member
Posted 9 months ago #

My site has been infected with malwere

I have done everything and now my site is clean here: http://sitecheck.sucuri.net/scanner/

But Google's search results say I have malware: "This site may harm your computer" and I can no longer open my website with Google Search. I can open it only through direct link.

Please, help me!
melvinramos
Member
Posted 9 months ago #

Hi,

I just re-install wordpress and the warning go away. But I don't know if any futher hacking was done.

Regards,
Melvin
sanjeevmohindra
Member
Posted 9 months ago #

@MickeyRoush

Thanks Mickey for the suggestion. In fact I was thinking of removing domain name because I am not sure attack comes only from that domain.

IP I am sure and I have checked log on my server to confirm that also.

Any how its better to use as you suggested, I will change it on my guide.

PS: You don't need to be register to put the comment there..:)
sanjeevmohindra
Member
Posted 9 months ago #

@mlrose45 @melvinramos @WordMe

I hope you guys has checked your wp-config.php file as mention in all the posts.

If you are not sure about all files check on this post.
MickeyRoush
Member
Posted 9 months ago #

@ sanjeevmohindra

PS: You don't need to be register to put the comment there..:)

My bad, all I saw was something about 'log in to reply'. So I just came back, sorry.

Thanks Mickey for the suggestion. In fact I was thinking of removing domain name because I am not sure attack comes only from that domain.

IP I am sure and I have checked log on my server to confirm that also.

Any how its better to use as you suggested, I will change it on my guide.

Plus I believe deny based on host name requires the server to work harder then doing it my suggested way.

Here is another way you could possibly do it as well, including the other two known domains in question. Difference is no need for the '(www\.)?' as leaving it out almost achieves the same effect, '[^.]?' assumes any character or not after superpuperdomain (someone can correct me if I'm wrong), and I removed the 'com' to cover all domain suffixes.)

SetEnvIfNoCase Referer ^(superpuperdomain[^.]?|newportalse|counter-wordpress)\. ban
order allow,deny
deny from 91.220
deny from 91.196
deny from env=ban
allow from all

Not sure how much good these rules will help if the attack is using a sock and they can change their domain name and IP. I guess it could help and really wouldn't hurt anything to use them, unless you really want that traffic from those IPs & domains and you believe it's worth the risk. For me, I choose to be safe than sorry and I will take the chance on loosing that traffic. :)
Mackelberg
Member
Posted 9 months ago #

Thanks alot CupRacer, your guide worked like a charm!
sanjeevmohindra
Member
Posted 9 months ago #

@ MickeyRoush

Yes I completely agree with you, better safe than sorry. I am also ready to loose the traffic from these server, as long as my sites are safe.

Also sorry about my comment, after you mentioned I went back and checked and indeed that little stupid checkbox was ticked. So it was asking you to log in. It will not do that again...

I always open my sites for comment and thought I did the same for this new domain also....
JeanetteM
Member
Posted 9 months ago #

Hello all, I am having this problem right now on my site: http://kitchen.amoores.com

I have found one of the files mentioned on this thread, the upd.php file and have deleted it.

I haven't been able to find any of the other files mentioned though.
When I scan my site on http://sitecheck.sucuri.net/ this is the message I get.

Malware found on javascript file:
http://www.kitchen.amoores.com/wp-includes/js/l10n.js?ver=20101110
Malware found on javascript file:
http://www.kitchen.amoores.com/wp-includes/js/jquery/jquery.js?ver=1.6.1

Should I delete these two files? or just the section of code listed on that scan?
esmi
Theme Diva & Forum Moderator
Posted 9 months ago #

What to do if you've been hacked:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
sanjeevmohindra
Member
Posted 9 months ago #

@ JeanetteM

You can check the removal process here, reinstall of wordpress from the dashboard should take care of these two files, but make sure you clean you wp-config.php file if infected.
JeanetteM
Member
Posted 9 months ago #

Thank you! I will try reinstalling wordpress and your other suggestions. I will let you know if it works.
hollybret
Member
Posted 9 months ago #

I have worked with HostGator and done the steps mentioned above to rid my site of malware. I am no longer getting the warning screen when logging into my wp-admin. Scans through http://sitecheck.sucuri.net/scanner/ are clean.

However, now when I log in to a plug-in running on the site, I get the warning screen. {http://blogboutique.com is fine and http://blogboutique.com/wp-admin is fine; however, http://blogboutique.com/dap/admin shows "Suspected Malware Site" in the google bar and causes the warning screen to come up.} Running this URL {with dap/admin through the sucuri scanner comes out clean.

I've tried to have my site reviewed by Google. However, Google shows no malware on the site and has not blacklisted it, so there is no option for review.

I have only ever gotten the warning in Safari and Chrome ~ Firefox has been fine.

Any thoughts or ideas? I'd really appreciate it!
JeanetteM
Member
Posted 9 months ago #

@sanjeevmohindra, I cleaned up the wp-config.php file and reinstalled wordpress and now the blog is scanning green! Thank you :)

I have submitted it to Google for review. Hopefully it will be taken out of blacklist soon.
xsn0w
Member
Posted 9 months ago #

@hollybret get a clean version of ALL plugins, especially any that contain java or timthumb.php The infected java files will usually be in a folder inside the plugin folder called js, jquery or Ajax. I found that I was attacked through a plugin - iSlidex

Does anyone have more info about the nature of the attack, what was the purpose and what info were they targeting/collecting?

« Previous 12

Reply

You must log in to post.

WordPress.org

Forums

Malware (counter-wordpress.com) Warning on Chrome (56 posts)

Reply

About this Topic

Tags

Code is Poetry