Support » Fixing WordPress » Malware link

  • Resolved ParamasivanPN

    (@paramasivanpn)


    It is automatically generating malware

    <script type="text/javascript" src="http://[redacted]"></script>

    How to remove it ?

    [Moderated: Please do not link to malware!]

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 16 total)
  • Try to find the location on this comment as the mentioned JavaScript injection occurs just after this comment

    <!– jQuery –>

    Probably it worth to download website sources to your desktop and search PHP files for string

    “<!– jQuery –>”

    Did you scan your WordPress with any internal (server side) scanner to locate this infection?

    I downloaded total files and scanned like ‘3’ ‘v’

    The search result for <!– jQuery –> returned no results.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    If this tag is not part of source code then it should present in WordPress database. You can dump it using phpmyadmin or any other database management tool.

    If you open source of HTML page via website browser, you can see that after the mentioned jQuery tag, there is another script injection commented out. Try to look for this string as well.

    In general you need to perform internal (server side) scan of your website. Our plugin provides internal scanner. You can try it out or install another one.

    You may want to compare WordPress core files. For this you need to download WordPress sources and compare what you have on your site. Modified source files can point on infection.

    Try to investigate WordPress options table. Such Javascript injection may come from this table as a result of malware injection via one of vulnerable plugins installed on your site.

    Have you downloaded a template by torrent?

    This was most likely a random attack. First follow the steps recommended by @anevins to clear the hackers out of your site. If you have backups, be prepared to restore your website to the last known good version if all else fails. It’s better to lose a few days or even weeks of work then to let hackers have free run of your website.

    Regardless of what you do, you’ll need to change all your passwords associated with your website, any of them could have been compromised by the hackers. If you need some help with how to make your logins strong I wrote this article on that [redacted]

    If you have the money, WordFence can do a one time cleanup of your website for about USD 250 or so. Now that your website’s been hacked, it’s also likely been flagged by the hacker community as a vulnerable site, so expect more attacks in the coming months. WordFence is also a very good firewall which I install on all my client’s websites. It’s a plugin you install like any other, but adds security protections to your website that will make a repeat of this problem much less likely.

    If you find you need a deeper level of security, I can also recommend SiteLock as well, who I use on my own website and I’ve been attacked by hackers but they have never been able to breach sitelock in the nearly 4 years I’ve used them.

    Lastly, since the attack seems to have installed Malware on your site, I’d also recommend doing malware scans on your computer. I use Norton for my primary security, and MalwareBytes for secondary protection and scans. You can also try Hitman Pro, which comes with a 30 day free trial and I’ve used it with great success as well.

    • This reply was modified 2 years, 3 months ago by Andrew Nevins.

    I have the same difficulty, and I´ve used several external and internal security and scanning components inside wp, such as sucuri, Wordfence Security, Quttera, etc and I could not find anything… i got clean analysis reports from other sites (virustotal etc.. scan tools).. also i follow instructions from https://fixmywp.com/blog/detect-clean-wordpress-malware-redirect.php and the server put some sucuri apache settings recomendations and stills on the code …

    thanks!!

    The thing to know about scans is they can tell you there’s a problem if they detect something, but if they don’t detect anything, that does not mean there’s not a problem, only that they didn’t detect any. Hacks and malware can be stealthed or a new variety that the scans don’t detect, and can be hidden for days, weeks, or even months. I had a client who’s website was hacked and the hack didn’t become apparent until about 6 months later. That was a monster project restoring 6 months of updates and blog articles for them when we did find the hack and had to go back to a 6 month old backup!

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    We really do appreciate the effort people have put in, but I have to raise the following:

    • @quttera, Don’t ask people to contact you;
    • @radiantfreedom, Try to put all the information from your article into the forum post instead of linking back to your site;
    • @calohk, That article removes all the symptoms of the hack and does nothing to resolve the hack itself

    None of the ideas and solutions proposed, including, websites, dump verification, search in source code solved. Apparently it’s encoded or hidden somewhere. I even reinstalled WordPress.

    This 3vwp link appears only when NOT logged as an administrator, only guest. Google continues to deny due this reference.

    <script type=”text/javascript” src=”//www.XXXX.org/jquery.js”></script>

    • This reply was modified 2 years, 3 months ago by .

    Hi Everyone,
    I have exactly the same problem.

    Google told me that the problem is in a page that doesn’t exist on my website.
    Hope for a solution!

    @anevins – That’s a long article, and the reason I wrote it was because I kept having to repeat that same information and found it more efficient put it in an article to reference for people who need that extra help. I don’t know if the full article would even fit in a post here and even if it did, it would get both our sites in potential trouble with Google over duplicate content.

    @rvae – I suggest you try deleting all files on your website and find an earlier backup you can revert to. The hack may be coming from a NON WordPress file on your server. Also, you need to change all passwords associated with your website, including all admin WordPress logins, all Hosting account logins, all FTP logins, and maybe even your database login.

    Or, if you’re worried about too much data loss, and have the budget, hire WordFence or SitLock security experts to do a full cleanup for you.

    Regardless of how you kick the hackers out, as soon as you have access, install WordFence right away, and if you need to recover from a backup from before you installed WordFence, re-install it right away.

    If you can afford it, SiteLock is a very good option as well. They ARE pricey but extremely good.

    I know from experience cleaning up a hacked website can be VERY frustrating, and once they’ve broken in once, they’ll keep trying for some time to come. So you need to be prepared for that and have security in place to block them.

    When I’ve had to deal with hacked websites, I’ve had increased hacking attempts on those sites for as long as a year afterwords.

    Hi All,

    Thanks for your replies.

    I deleted the unwanted files present in the domain and also deactivated one plugin. Then that malicious script didn’t appear. Then I updated that plugin and activated. Now the site is clean.

    I asked the client to change ALL passwords (cpanel, ftp, wp-admin)

    @paramasivanpn Can you write what files were deleted and which plugin was updated? I have the same problem.

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘Malware link’ is closed to new replies.