Malware Detected by Chrome (46 posts)

  1. lynne-enroute
    Member
    Posted 2 years ago #

    Need help. Chrome's saying malware has been detected somewhere on our site from IP address 31.184.242.102.

    We haven't updated anything and it seems that it's a problem being experienced by other WordPress users.

    Please let me know how to address this issue.

  2. RichardWPG
    Member
    Posted 2 years ago #

    Who are you hosted with?

  3. lynne-enroute
    Member
    Posted 2 years ago #

    We're hosted under http://www.doublebweb.net/.

  4. dkatzman
    Member
    Posted 2 years ago #

    Same in servage.net

    http://www.google.es/support/forum/p/Webmasters/thread?tid=39907801f6c83cde&hl=en

    It seems to be something with the JavaScript files.

  5. Sabinou
    Member
    Posted 2 years ago #

    The first step is to act according to this page:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Next you can come back and things will get more "productive" :)

  6. esmi
    Forum Moderator
    Posted 2 years ago #

  7. rftreyes
    Member
    Posted 2 years ago #

    Hi. Lynne and I are from the same site. I handle most of the technical stuff. We scanned using the sucuri tool at and we saw that it is in some of the plugins. I was able to remove most of it, but I don't know how to access this jscript since it's not in one of the plugins installed:

    http://www.lynne-enroute.com/numlock/wp-includes/js/jquery/jquery.js?ver=1.7.1

    It showed the malware code in it and if I just know what file that is, I can access it in the Editor and delete the malware code. Can anyone help me in what part of the WordPress admin I can look for this script?

    Thanks in advance

  8. Nikki Blight
    Member
    Posted 2 years ago #

    That's part of WordPress core. You don't have access to it via the admin dashboard. You'll have to grab it via FTP, edit it, and re-upload it.

  9. dionsis
    Member
    Posted 2 years ago #

    I have this same issue now

    Anyone managed a temporary solution?

  10. rftreyes
    Member
    Posted 2 years ago #

    Oh ok. Thanks for the feedback. I'll get in touch with our hosting service about it

  11. slai
    Member
    Posted 2 years ago #

    A lot of people also have the same problem, thread can be found at: http://www.google.im/support/forum/p/Webmasters/thread?tid=39907801f6c83cde&hl=en

    Would be very interested to know of a fix that does not involve starting from scratch and reinstalling everything.

    Does anyone know if WP have a virus/malware scanner inbuilt or as plugin?

  12. petercue
    Member
    Posted 2 years ago #

    I just had the same problem. It seems ALL the .js files in my installation were modified at 1:23 am this morning.

    I learned this by doing a scan with sucuri.net

    The following code was included at the bottom of each file.

    [Code moderated as per the Forum Rules. Please use the pastebin]

    I just downloaded all my wordpress installation... used notepad++ to run a search and replace in files .... then uploaded the whole thing again, overwriting all files from the server with the newly corrected files.

    Sucuri.net re-scan.. and all clean..

    This is a temporary solution as I am not sure where the hackers got in, or what caused the problem... so I am sure it will come up again..

    If anyone else knows the source of the problem... please let us know!! :)

    Hope this helps you all.

  13. Peter Wooster
    Member
    Posted 2 years ago #

    One of the most common ways these hacks start is a compromised FTP password that was picked up by malware on a Windows PC. I recommend the following:
    - scan your PC for viruses and trojans; use more than one scanner
    - change your FTP password
    - don't use Windows as an FTP client
    - if you must use Windows, don't use the same machine for casual surfing
    - if you must surf from that machine, don't use Internet Explorer (especially old versions)

    /peter

  14. dionsis
    Member
    Posted 2 years ago #

    Fair play to Sucuri, had forgotten about that site

    Was using Totalvirus.com and was showing the site as clean.

    Back online properly again. If they got in by guessing my FTP password fair play to them, mine is 14 characters long and I don't save passwords in Filezilla. I am at a loss at how all these malware can keep getting into my site.

  15. Peter Wooster
    Member
    Posted 2 years ago #

    Check your PC, you may have a key logger.
    /peter

  16. dionsis
    Member
    Posted 2 years ago #

    I've run Bulldog Internet Security, Spybot S&D and A Squared looking for anything on the machine.

    Any other scanners recommended?

  17. fellowito
    Member
    Posted 2 years ago #

    I'm having the same problems.

    I had to replace every js file, and now it only appears when I try to access the admin panel (/wp-admin/).

    When I use Sucuri, it says "WordPress version outdated: Upgrade required", but I have version 3.3.1. I have tried re-installing it, but I was unlucky. Any help?

    I think it is a problem related to the theme. I don't know why, but I think the theme was also infected.

    Updated: I managed to solve the "WordPress version outdated: Upgrade required" problem, I just uploaded my theme again. However, the malware warning still appears when I try to enter the admin panel.

    Besides, if I try to add a new post, my antivirus (Eset Nod32) detects a trojan: Agent.Nef Trojan.

    What is happening?

  18. Peter Wooster
    Member
    Posted 2 years ago #

    A quick look on Google lists Agent-nef as a Windows based Trojan that steals credentials and provides a back door into the system. It sounds like a serious threat.

  19. phil_denton
    Member
    Posted 2 years ago #

    I just finished cleaning all the infected files off my site as well. Just FYI, I also found malicious code on my site in a "theme" called "config". The folder had three .php files in it - yup, main, and configs. Be on the lookout for those also, just in case...

  20. human2
    Member
    Posted 2 years ago #

    I got it with the 31.184.242.102 "harmful" google chrome hack today. Here is a great site with the fix: http://redleg-redleg.blogspot.com/2012/02/malware-hosted-on-31184242102.html?showComment=1329285003052#c5421789068641877560

  21. fellowito
    Member
    Posted 2 years ago #

    @human2 that website has the virus. My antivirus doesn't let me enter that site.

  22. redleg-too
    Member
    Posted 2 years ago #

    @fellowito The website/page ref by human2 does not have the virus, however the post does have a listing of the javascript used in the hack. The listing is benign but the listing must be triggering a warning from your AV software.

    Would appreciate knowing what AV software you are running so I can check into it.

    Also never ever ignore a warning from your AV software, and never ever take some random poster's word for it that his site is not malicious!

    redleg

  23. fellowito
    Member
    Posted 2 years ago #

    @redleg-too thank you for getting back, my AV is Eset Nod32.

    I have news, the problem is in some plugins. Even though I tried re-installing them (delete and then install), the malware warning still appears. It's quite frustrating.

  24. redleg-too
    Member
    Posted 2 years ago #

    In all the sites I have seen so far the hack has been some obfuscated javascript added to the end of some/all of the legitimate javascript files on the site. Since the listing of the code triggers your A/V, I will try posting just a snippet here. The code starts out

    var _0x80d0=["\x64\x67

    and then those \xdd go on forever.
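
Added example, not part of the original posts or of any scanner named in the thread: a minimal Python check for the pattern redleg-too describes (a `var _0x...=["\x..` block appended to otherwise legitimate .js files), which also reports each flagged file's modification time, the detail petercue used to spot the change. The sample tree, `FAKE_BLOCK` and all function names are constructed for illustration; `strip_appended` assumes the injected code runs from the marker to the end of the file.

```python
import re
import tempfile
from pathlib import Path

# Shape of the snippet quoted in the thread: var _0x<hex>=["\xNN\xNN...
MARKER = re.compile(r'var\s+_0x[0-9a-fA-F]+\s*=\s*\[\s*"(?:\\x[0-9a-fA-F]{2}){2,}')

def marker_offset(text):
    """Offset where the appended block starts, or None if the file looks clean."""
    m = MARKER.search(text)
    return m.start() if m else None

def scan_tree(root):
    """Return (relative path, offset, appended length, mtime) per flagged .js file."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        off = marker_offset(text)
        if off is not None:
            hits.append((path.relative_to(root).as_posix(), off,
                         len(text) - off, path.stat().st_mtime))
    return hits

def strip_appended(text):
    """Drop everything from the marker to end of file (assumes a pure append)."""
    off = marker_offset(text)
    return text if off is None else text[:off].rstrip() + "\n"

# Constructed sample data: a harmless stand-in with the same shape as the marker.
CLEAN = "function add(a, b) { return a + b; }\n"
FAKE_BLOCK = r'var _0x1a2b=["\x68\x69","\x6f\x6b"];'

def demo():
    """Build a throwaway tree with one clean and one tampered file, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        js = Path(tmp) / "wp-includes" / "js"
        js.mkdir(parents=True)
        (js / "clean.js").write_text(CLEAN, encoding="utf-8")
        (js / "tampered.js").write_text(CLEAN + FAKE_BLOCK + "\n", encoding="utf-8")
        return [(p, off, n) for p, off, n, _ in scan_tree(tmp)]

if __name__ == "__main__":
    for path, off, n in demo():
        print(f"{path}: {n} chars appended at offset {off}")
```

Run `scan_tree` against a downloaded copy of the site rather than the live server, and compare flagged core files against a fresh WordPress download of the same version before trusting a stripped result.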

  25. fellowito
    Member
    Posted 2 years ago #

    Sorry, I don't know what you mean.

    I know it's some kind of code added in some files, but I've uploaded all the WordPress files and my theme files again, and the plugins with problems have been replaced too, always using new files. So, I don't know what other things I must replace.

  26. redleg-too
    Member
    Posted 2 years ago #

    I am new to this forum so not familiar with the rules, but if you post your URL I will take a look at the site. You can use a service like http://goo.gl/ to mask your URL.

  27. fellowito
    Member
    Posted 2 years ago #

    Oh, ok, sorry, my mistake.

    http://goo.gl/Vhw6J

    Anyway, the problem only appeared in my admin panel, and right now I think it's solved because I deactivated two plugins.

  28. redleg-too
    Member
    Posted 2 years ago #

    I am not turning up anything so hopefully it is all behind you. Appreciate the info on the alert from Eset Nod32 on my blog. Guess I need to figure out a way to put the code examples in my post so that they do not trigger a warning!

    Good Luck

  29. MickeyRoush
    Member
    Posted 2 years ago #

    dionsis wrote:

    I've run Bulldog Internet Security, Spybot S&D and A Squared looking for anything on the machine.

    Any other scanners recommended?

    Malwarebytes and SuperAntiSpyware.

  30. fellowito
    Member
    Posted 2 years ago #

    @redleg-too anyway, maybe you have found the code, but where is it? I mean, I've replaced a lot of .js files, but I still have the problem. In what files is that code?

Topic Closed

This topic has been closed to new replies.
