WordPress.org

Ready to get started?Download WordPress

Forums

Virus alert and white space (14 posts)

  1. 8gomad
    Member
    Posted 3 years ago #

    I recently updated to 3.1. Since then, some visitors to my blog get a virus warning, some get a big white space and the top of the page, and others have no problems. I deactivated all plugins, and switched to the TwentyTen theme, but the problem is still there. Also, the site is now very slow to load in, as is the admin panel. Can anyone help?

    http://blog.8gomad.co.uk/

  2. 8gomad
    Member
    Posted 3 years ago #

    Some additional info: The virus warnings seem to happen to people viewing in IE or Chrome. Firefox users are reporting that it is loading fine. Safari users are seeing the white space. I use Chrome but don't get the virus warning, I do get the white space though.

  3. 8gomad
    Member
    Posted 3 years ago #

    I completely deleted and re installed everything, but today the same problems are being reported. The only browser that seems to be unaffected is Firefox. Can anyone help?

  4. Post the generated source code of your homepage in the pastebin: http://pastebin.com/

    People should not click on your link since your site might be infected.

  5. 8gomad
    Member
    Posted 3 years ago #

    This is the code from 'view source' I notice there's a whole load of stuff before the HTML starts.

    http://pastebin.com/raJVKHaP

  6. Normally there shouldn't be anything before your <!DOCTYPE html> line.

    Can you paste the contents of your header.php file into another pastebin?

  7. 8gomad
    Member
    Posted 3 years ago #

  8. I'm not sure what's going on here - where all that <script> code before your doctype is coming from. I hope someone else has some ideas. I'm guessing that's what's triggering the virus alert.

  9. ClaytonJames
    Member
    Posted 3 years ago #

    There is hidden iframe with a link in it pointing to //clck.ru/7qKy in the domain //8gomad.co.uk and two inline scripts outside of the html tag on the sub-domain //blog.8gomad.co.uk.

    The scripts however, may be legit. function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/....

    You should confirm that they are.

    http://www.google.com/safebrowsing/diagnostic?site=clck.ru

    http://www.google.com/safebrowsing/diagnostic?site=blog.8gomad.co.uk

  10. 8gomad
    Member
    Posted 3 years ago #

    What does that mean? How can I get rid?

  11. ClaytonJames
    Member
    Posted 3 years ago #

    What does that mean? How can I get rid?

    On your home page at 8gomad.com.uk, just before the closing body tag, there is a hidden iframe.

    <iframe src=...//clck.ru/7qky width"0" height"0" frameborder="0"></iframe>

    ...at the very least, it needs to be removed, and you need to find out how it got there in order to prevent it happening again.

    You will also see one of the inline scripts on that same page, just after the opening body tag. You need to verify that it belongs there and is legitimate. Then you should do the same with the scripts on blog.8gomad.co.uk.

  12. 8gomad
    Member
    Posted 3 years ago #

    I've deleted the dodgy html from 8gomad.co.uk, but not sure how to do the same for blog.8gomad.co.uk as it's all php/css and I don't have a clue what to do!

    Thanks for all your help thusfar :)

  13. Daniel Cid
    Member
    Posted 3 years ago #

    Clayton: That bit of code at the top is malicious even though it looks legit.

    Post some details about it here:
    http://sucuri.net/malware/malware-entry-mwjs612

    *seeing some other sites infected with it.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.