
[closed] Malware from wp-count.php (24 posts)

  1. cosmocatalano
    Member
    Posted 2 years ago #

    Received a malware notification from Google Webmaster tools yesterday for my cycling blog, http://cyclocosm.com, informing me that one post and two index pages (yearly for 2012, monthly for June 2012) were putting malware on visiting computers from 3rd-party URLs.

    Reading through the malware report, it became evident that a file called wp-count.php was serving up JS downloads to users on page load. wp-count.php wasn't part of a relatively clean WP install I had on a different site, and reading the contents of the file, it began "This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited"—obviously, something was up.

    I Googled "wp-count.php" and found some mentions of malware attacks, but no real fixes. Twitter search just pulled up this post in Japanese: http://twitter.com/strive/status/217218845251870722

    The site was still on 3.4, so I updated to 3.4.1 and tried deleting and renaming wp-count.php, but it immediately reappeared. The next step I took was to delete the contents of the file, and replace them with a single "0". So far this seems to have worked. Google has re-scanned the site and given it a clean bill of health.

    I don't have complete control over my site hosting, so I'm talking with my admin about reinstalling from a previous version, and then reposting the updates I'd made since then.

    Anyone else encountering/encountered a similar issue?

  2. s_ha_dum
    Member
    Posted 2 years ago #

    The site was still on 3.4, so I updated to 3.4.1 and tried deleting and renaming wp-count.php, but it immediately reappeared.

    If wp-count.php comes back after you delete wp-count.php I suspect that the real problem is elsewhere-- another .php file or possibly an application on your server that is checking for the presence of wp-count.php and putting it back if you delete it. Filling in the '0' seems to have tricked it, but I would worry that the infection is still there and you don't know what else it can do. Reinstalling, as you seem to be planning, would be prudent.

  3. cosmocatalano
    Member
    Posted 2 years ago #

    No ambiguity here—reinstall is the desired solution. But like I said, it's not entirely within my ability to do so at the moment.

    I had some more time to look around today and found a wp-apps.php file that was pretty much the same as wp-count.php. Googling that brought up this forum post which mentions a wp-configure.php (which I didn't have) doing similar things.

    I deleted wp-apps.php and my modified wp-count.php, and neither has returned since, so I'm breathing *slightly* easier. Still going to reinstall.

  4. s_ha_dum
    Member
    Posted 2 years ago #

    I don't know if you need to re-install a previous version, just a clean one. Your database would be the only real worry-- a rogue admin user, for example.

  5. violaine12
    Member
    Posted 1 year ago #

    I have exactly the same malware infection and the wp-count.php reappears just like you said.

    I am noooo techie at all, but in my Google Webmaster account I also got this information.

    suspected malware injected code:

    <meta http-equiv="refresh" content="0;url=[ redacted, don't post that here again please. ">

    What can I do with this?

    Thanks

  6. @violaine12, Unless you are on the same server, with the same plugins, theme, versions, etc. OR you have the solution for cosmocatalano...

    Please start your own topic.

  7. jellis05
    Member
    Posted 1 year ago #

    Has anybody had any success in determining where these files are coming from? I have found that they are being included in the footer.php and page_home.php files located in my themes directory.

  8. perezbox
    Member
    Posted 1 year ago #

    Hey All,

    Sounds like a backdoor is still being left on the server. For the newbs, you might want to check out this post, as it gives you some advice on what you can and can't remove and how: http://sucuri.net/website-malware-removal-wordpress-tips-tricks.html

    For those suffering from the same issue, I'd recommend opening that wp-count.php or wp-apps.php and trying to grep the rest of your server for the same content. Sometimes you'll have the same payload using different file names.

    If you pastebin the payload I'll be happy to take a look and see if we have it in our definitions somewhere.

    Cheers.

  9. Some Guy
    Member
    Posted 1 year ago #

    Does anyone have more information about this malware, specific information?

    I keep getting the same malware again and again. I'm running the latest version of WordPress. What do I do to get rid of it for good?

  10. violaine12
    Member
    Posted 1 year ago #

    Hi Some Guy,

    It is a nasty thing, but I have found a perfect free plugin which will take care of it. I was soo glad I found this one. I have installed it on all my websites and it is called "wordfence". Works awesome.

  11. kmessinger
    Volunteer Moderator
    Posted 1 year ago #

  12. violaine12
    Member
    Posted 1 year ago #

    Talking to bluehost did not work for me though. They left me completely in the dark as far as help to get rid of it. Just a few resources with theory which a normal guy would not understand at all :)

  13. perezbox
    Member
    Posted 1 year ago #

    Hi Violaine12

    Count20 can be a pretty persistent bugger. Here is something you want to try:

    In terminal, try grepping for all count20.php instances:

    grep -ri 'count20.php' .

    The reason I say that is if you're using an online scanner it might be pulling up the JS files, but more often than not you'll find it in the index files as well. You want to be sure to remove all instances. Too often folks will remove the index instances or the JS instances, but not both.

    The other thing you want to do is kill PHP execution in your uploads directory and wp-includes. You can try it in your theme directory, but some themes are a bit finicky.

    Also, I would take some time to go into your bluehost cpanel and download both your error and access logs - raw logs.

    Not sure what all you have done, but it seems that you might want to do some investigation to see what the source is. I'd be willing to bet it's some kind of compromised credential.

    Thanks
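    For perezbox's advice to stop PHP executing in the uploads directory and wp-includes, an added example .htaccess pair (not from anyone in this thread; it follows the approach of the WordPress Codex "Hardening WordPress" page). It assumes Apache 2.2 (the version hadoanngoc mentions) with mod_rewrite loaded and AllowOverride permitting Limit and FileInfo; on Apache 2.4 replace the Order/Deny pair with `Require all denied`.

```apache
# wp-content/uploads/.htaccess (added example): uploads hold media only, so
# refuse to serve any PHP-like file from this tree, whatever it is named.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Site-root .htaccess, placed above the WordPress block (added example):
# deny direct requests to PHP in wp-includes while core's own include()
# calls keep working. Multisite needs wp-includes/ms-files.php, so on
# Multisite drop the "^wp-includes/[^/]+\.php$" rule.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

    After deploying, confirm the rule actually bites by requesting a harmless test file you placed yourself (for example `curl -I https://example.com/wp-content/uploads/test.php`) and checking for a 403.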

  14. violaine12
    Member
    Posted 1 year ago #

    Hi perezbox,

    Thanks for your help!

    Luckily the plugin "wordfence" did remove all the files! It is not only a scanner but also removes stuff. The malware has not returned in the last 2 months.

    Vio

  15. Amaryder
    Member
    Posted 1 year ago #

    @cosmocatalano I am getting the same malware on my website. It's the 3rd time I've been attacked, and I'm feeling frustrated at having to recover again and again. Have you got any solution, broo? Please help me.

    I found both files, wp-count and wp-app, which are not included by WordPress, I think. Reply to me soon.

    thanks!

  16. perezbox
    Member
    Posted 1 year ago #

    Hi

    Hard to give any advice without knowing the particulars of what you have or haven't done.

    Thanks

  17. Amaryder
    Member
    Posted 1 year ago #

    I'm using WordPress with the Genesis theme, and this is the 3rd time I've got the malware called the wp-count.php file. I don't know how they really injected this code again and again, but please help me to resolve this problem!

  18. perezbox
    Member
    Posted 1 year ago #

    Yeah, sorry, that really didn't say anything.

    What have you done the previous 2 times to get it resolved? Have you followed the steps already outlined above?

    Have you read any of the posts offered by kmessinger?

    I would also recommend reading this post: http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html

    Thanks

  19. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    I found both files, wp-count and wp-app, which are not included by WordPress, I think. Reply to me soon.

    It is not necessarily the case that your site can be hacked only through the above files. If you found the same files, it only shows that it is a usual way to infect your site. There are several other routes for malware to penetrate and damage your sites. If you are hacked repeatedly, it means that you leave security holes every time you clean up. Or you may be hosted in an insecure environment that passes on infection from other sites on the same server.

  20. Amaryder
    Member
    Posted 1 year ago #

    @Krishna broo, how do I secure properly and resolve this malware problem, broo? I'm still getting notifications from Webmaster Tools. Help me!

  21. kmessinger
    Volunteer Moderator
    Posted 1 year ago #

    how to secure properly and resolve this Malware problem

    There are NO shortcuts.

    Talk to your host. Find out if anyone else on the server was hacked. Let them know you were hacked so they can check the server.

    You also need to start working your way through these resources:
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  22. GiraffeDog
    Member
    Posted 1 year ago #

    Do you guys know if your theme is using timthumb.php or thumb.php to resize images? This seems to be how some sites are getting breached.

    You need to check if you're allowing timthumb.php to be called from remote websites (it's in the prefs somewhere in the file).

    Additionally you could try adding the following to your .htaccess file. It stops the requests dead.

    RewriteEngine On
    
    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteRule . - [S=1]

    Source: http://graphiclineweb.wordpress.com/2012/08/22/stop-timthumb-attacks-at-server/

  23. hadoanngoc
    Member
    Posted 1 year ago #

    My site was also infected by the wp-count and wp-apps.php files. So it's been a year since this topic was raised, but no solution? Is this really a WordPress vulnerability issue or a server configuration problem?

    I did a google search and also checked my site. I found these files are infected:
    - themes/[mytheme]/footer.php (...eval($_POST['wp-load'])..)
    - wp-apps.php and wp-count.php are added in root folder
    - /wp-includes/js/js/*.php are added
    - /wp-includes/wp-var.php is added
    - index.php files
    - wp-register.php; xmlrpc.php; wp-comments-post.php; wp-links-opml.php files are infected

    So finding the infected files is easy; I can remove the injected code or reinstall a fresh copy. But HOW were they infected? How can it change the file content and add new files??? Please, WordPress developers & masters?

    (my site is on Centos 5 server, Apache 2.2 and PHP 5.4)
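    As an added example (not code from any poster in this thread), a small POSIX shell scan for the indicators named by perezbox (posts 8 and 13) and hadoanngoc (post 23): the dropped wp-count.php / wp-apps.php / wp-var.php / wp-configure.php files, PHP under wp-includes/js, eval() of a request variable in theme files, count20.php references, and the bogus copyright banner cosmocatalano quoted. The sample tree it builds is constructed for the demo; point scan_wp_tree at a real document root to use it.

```shell
#!/bin/sh
# Added example, not from the thread: scan a WordPress tree for the
# indicators the posters describe. Sample tree and its contents are constructed.

# scan_wp_tree ROOT -> one "TAG: path" line per finding
scan_wp_tree() {
    root="$1"
    # 1. Dropped files named in the thread; none of them ships with WordPress.
    find "$root" -type f \( -name 'wp-count.php' -o -name 'wp-apps.php' \
        -o -name 'wp-var.php' -o -name 'wp-configure.php' \) \
        | sed 's/^/DROPPED-FILE: /'
    # 2. PHP under wp-includes/js (core keeps only JavaScript there).
    find "$root/wp-includes/js" -type f -name '*.php' 2>/dev/null \
        | sed 's/^/PHP-IN-JS-DIR: /'
    # 3. eval() fed straight from a request variable, as seen in footer.php.
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST)\[' "$root" \
        | sed 's/^/EVAL-OF-REQUEST: /'
    # 4. Any reference to the count20.php loader (index and JS injections).
    grep -rl 'count20\.php' "$root" | sed 's/^/COUNT20-REF: /'
    # 5. The bogus copyright banner that opened wp-count.php.
    grep -rl --include='*.php' \
        'Reverse engineering of this file is strictly prohibited' "$root" \
        | sed 's/^/BANNER: /'
}

# count_findings ROOT TAG -> number of findings carrying TAG
count_findings() {
    scan_wp_tree "$1" | grep "^$2: " | wc -l | tr -d ' '
}

# make_sample_tree -> path of a constructed, throwaway WordPress-like tree
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes/js/js" "$d/wp-content/themes/demo"
    printf '<?php echo "clean";\n' > "$d/index.php"
    printf '<?php /* Reverse engineering of this file is strictly prohibited */\n' \
        > "$d/wp-count.php"
    printf '<?php eval($_POST["wp-load"]);\n' > "$d/wp-content/themes/demo/footer.php"
    printf '<?php // dropped loader\n' > "$d/wp-includes/js/js/loader.php"
    printf '<script src="/count20.php"></script>\n' > "$d/wp-content/themes/demo/header.php"
    echo "$d"
}

# Stand-alone demo on the constructed tree; for a real site run:
#   scan_wp_tree /path/to/wordpress
sample=$(make_sample_tree)
scan_wp_tree "$sample"
rm -rf "$sample"
```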

  24. esmi
    Forum Moderator
    Posted 1 year ago #

    Your blog being "hacked" is not a security issue. A security issue will involve knowing how the attacker got in and hacked your site. If you have details on the attack vector, then email us.

    http://codex.wordpress.org/FAQ_Security#What_is_a_.22security.22_issue.3F

    For starters, why are you using an older version of WordPress? The current version is 3.5.1, not 3.4.1.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    Next time, and as per the Forum Welcome, please post your own topic instead of tagging onto a 9-month old topic.

Topic Closed

This topic has been closed to new replies.
