Posted 1 year ago #
Seemingly randomly, and across 2 or 3 of my sites, I get the message at the very top of the page:
"The page you are looking for is temporarily unavailable.
Please try again later."
The pages load up just fine, it's just that this message pops up from time to time. Has anyone experienced this issue lately?
<img src="http://i.imgur.com/SgSqB.jpg" alt="" title="Hosted by imgur.com" />
Posted 1 year ago #
Is there something in your header (external link/image) it can't find?
Next time you get the error, look at the page source?
Posted 1 year ago #
Look at the <head> section of a page's source code and see if it is calling in any scripts or other stuff from servers other than your own.
Posted 1 year ago #
I am looking into this at the moment as well
This is what is happening on a site that is also being infected by Iframe injections, seemingly at RANDOM.
I cant figure out where its being called in from, I disabled all plugins and it still shows...
It looks like Javascript is loading a site and then removing the iframe from visibility, this is very malicious if I am right. This has happened ton a development site but has not spread to any other live sites. Only one site, and I cant figure out why.
Would love to compare notes. I think my contact info is in my profile.
Posted 1 year ago #
I´m having the same problem in 7 of my 12 wordpress sites. I have been fighting with malware during last week. All began with Timthumb script hack ... my sites were full with invisible links in the header stright to sites selling viagra, etc.
I cleaned some malicious code in the index and replaced de js files with updated and clean ones. It seemed to be resolved, but now I have the same problem you talked about; some sites don´t load and the others have the "the page you are looking for ..." in the header.
Any idea about how to solve it??
Posted 1 year ago #
I figured out the issue. Just solved it.
The problem is a function injected into wp-settings.php
Its causing a huge mess,
the function is called counter_wordpress
It has tons of encrypted data that loads info on your site, I am writing a blog on it, and will post it soon.
DELETE THAT FUNCTION. its near the end of your wp-settings.php
But before you modify the file check the last time it was updated and see if it is the same as other files on your server, otherwise it may be in a different location on yours. The script is dynamic and works in any function, it may be randomized.
Check all your file permissions and see if they have changed.
If anything scan your wordpress directory for wp_head and see if anything looking like the code I am about to post in the blog is there.
Will leave instructions on blog as well.
Posted 1 year ago #
Ah.... thanks Geilt. I spent half the day working on it and came back hoping someone had a clue.
I'll take a look, and anxiously await your blog post!
Posted 1 year ago #
Here is the blog post, its a long explanation, but has a shortlink to the solution.
Man that was exhausting. Hope it helps!
Shortlink: http://esote.ch/pvqXUA
Posted 1 year ago #
¡¡¡ Great post Geilt!!! Perfectly explained. If it´s useful for you, this is what I found in one of my infected sites (www.example.com):
In the header.php, this line:
http://www.example.com/xmlrpc.php?rsd"
And that takes to:
<?xml version="1.0" encoding="UTF-8" ?>
- <rsd version="1.0" xmlns="http://archipelago.phrasewise.com/rsd">
- <service>
<engineName>WordPress</engineName>
<engineLink>http://wordpress.org/</engineLink>
<homePageLink>http://www.example.com</homePageLink>
- <apis>
<api name="WordPress" blogID="1" preferred="true" apiLink="http://www.example.com/xmlrpc.php" />
<api name="Movable Type" blogID="1" preferred="false" apiLink="http://www.example.com/xmlrpc.php" />
<api name="MetaWeblog" blogID="1" preferred="false" apiLink="http://www.example.com/xmlrpc.php" />
<api name="Blogger" blogID="1" preferred="false" apiLink="http://www.example.com/xmlrpc.php" />
<api name="Atom" blogID="" preferred="false" apiLink="http://www.example.com/wp-app.php/service" />
</apis>
</service>
</rsd>
Of course, I dont´t know what http://archipelago.phrasewise.com .. Maybe other infected site???
Posted 1 year ago #
May I ask what the permission settings are on the files and directories? I need to update my blog post with that part of the explanation tomorrow, with logs I saved
Posted 1 year ago #
Make sure do do a grep search thru your source for wp_head and examine what's loading.
Posted 1 year ago #
Thank you very much! I was wasting a lot of days trying to solve it. I wish I could give you any useful information to your article. This is how it happened to me:
- I had some WP websites that used themes from Elegant Themes with an script called timthumb. This script was hacked and hackers could infect all the sites I had in my server. You can know more about this here ( http://markmaunder.com/2011/08... )
- Some of my sites were blacklisted by Google and the infection still goes on, as you described before. I have found hundred of links hidden, linking to viagra sellers.
- Before I was hacked by timthumb.php hole, my permissions were 777 (great error!!). I think this was the way they used.
Now I´m probing your solution in all my sites. You´ll receive feedback. Thanks!
Posted 1 year ago #
Update... I just visited my site, and was redirected to a different page.
Google intercepted it and tossed up a Malware alert page.
The page in question is winorislic.345.pl.
So... off I go to clean up the mess. Thanks again for everyone's help.
Posted 1 year ago #
Also, for what it's worth, when I made the deletion in the wp-settings.php file, many of my widgets and plug-ins disappeared from the index page. Everywhere else on the site seems to be ok.
Posted 1 year ago #
In spite of deleting just a part of wp-settings.php I have deleted it completely, and then I have uploaded the original wp-settings.php of wordpress version (3.2.1), without having problems with widgets ...
Posted 1 year ago #
Good idea. Let me give that a try.
My widgets are gone from the back end also. What a mess!
Posted 1 year ago #
It works perfectly.
Thanks GTD2011 and Geilt. You've saved a lot of grief!
Posted 1 year ago #
I have restored all my pages, all of them working after one week of nighmare.
Thanks again for help received!
Posted 1 year ago #
GTD2011 thanks for the PDF link. the code shown is exactly what I had found and removed and is posted in my blog. The payload, or effect on yours was different than mine. because the iframe and malware scripts that load actually come from a third party server.
The effects can be chosen based on the virus programmers criteria, thats why you got viagra ads and i got different ads. more than likely the algorithm is based off the users collected data that is sent in the cURL| function.
Posted 10 months ago #
@GTD2011, you said:
"Of course, I dont´t know what http://archipelago.phrasewise.com .. Maybe other infected site???"
I have the same inside my xmlrpc.php file which for the last two weeks I have not been able to log into my WP blog via mobile apps.
Clicking on the 'Daniel" guy at archipelago site redirect, Google gave me a stern warning this site was a know malware infection site. So now i'm freaked out and wondering why this isn't more widely warned amongst new WP bloggers.
I don't have a solution yet, but am reading the posts and have reset all my pw's. I would suggest people do like wise.
PM99
This topic has been closed to new replies.
