Support » Plugin: Anti-Malware Security and Brute-Force Firewall » Cant remove MW:SPAM:SEO

  • Resolved ziggynerja1

    (@ziggynerja1)


    Hi there, Sucuri has detected the known malware MW:SPAM:SEO on our webstie. We ran the plugin and removed a number of threats within the kses.php file. However, we are still receving ad’s all over our website, and sucuri is picking up the same threats.

    What can I do to get the issues resolved? I’m not sure if it could be a bad plugin, or currupted FTP password? I’d really appreciate your help, and be happy to donate.

    Thank you!

    http://wordpress.org/extend/plugins/gotmls/

Viewing 15 replies - 1 through 15 (of 26 total)
  • Plugin Author Eli

    (@scheeeli)

    I doubt it’s your FTP password but it never hurts to change a password
    (unless you forget what you changed it to 😉

    Assuming you have updated the definitions and scanned the whole site with my plugin then I would say you probably have a new threat that my plugin is not aware of. The next step, if you are willing, is to give me access to your WP Admin and I will find this new threat and define it so that it can be automatically removed by my plugin.

    If you want to send me a login you can email me directly: eli at gotmls.net

    Plugin Author Eli

    (@scheeeli)

    Hey Jack,
    Just following up to make sure your site is staying clean. You haven’t had that virus come have you?

    Let me know if you need any more help.

    Aloha, Eli

    My site is infected now with same thing.

    I just installed the plugin, hope it will solve things up.

    Any instructions for a better scan in case the scan misses things?

    Sucury provided several links that have been infected already, from 2 now is spreaded to 8 links.

    Worked nicely, scanned, found, fixed. Thank you!

    Hi,

    I have just installed your scanner in one of my test sites, (www.majalla.eu), and it did scann, but it did not find the “MW:SPAM:SEO” code. I still have them on the site, and I have checked almost all the files but canot find the location of these codes…

    Below is the Securi scanners results …

    ===
    url: http://sitecheck.sucuri.net/results/majalla.eu

    web site: majalla.eu
    status: Site infected with malware
    web trust: Not Blacklisted
    *Cached results from the last 24 hrs.

    Malware found in the URL: http://www.majalla.eu/
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/404testpage4525d2fdc
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/404javascript.js
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/about-us
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/writers
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/submissions
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    Malware found in the URL: http://www.majalla.eu/category/turkey-news
    Known javascript malware.
    Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
    t=”;}}x[l-a]=z;}document.write(‘<‘+x[0]+’ ‘+x[4]+’>.’+x[2]+'{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();

    ===

    Based on the Securi Results when I check the ViewSource for the home page for example, and on the ViewSource I search for the abouve code snipets, I can easily find that on the Source, but canot find it on any files…

    ===

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    ===

    Can you kindly get the abouve located and cleaned ASAP …

    Thanking you,

    Best regards,

    Fawaz

    Plugin Author Eli

    (@scheeeli)

    Majalla,
    It looks like you have already removed this threat. I just helped someone else remove it too. It was in the social-media-widget plugin. Is that where you found it too?

    It would help me to add a definition for it if you were able to send me the code you removed from that file. Can you contact me and let me know what you found?

    Thanks, Eli

    Hi Eli,

    Yes, you are right. Your Malware Tool is great, but unfortunately it did not have the definitions I guess and did not much of a good. But some of our great friends from WP Camp, helped me point to the right direction. Dave from LA Marketing was able to identify the culprit on the “Social Media Widget” plugin. Simply updating the plugin was able to resolve the issue.

    Yes, I downloaded the full site yesterday to review the files before updating the plugin. I got the file … “social-widget.php” … seems it was trying to connect to a URL and fetching a file named “c.php” and imploding it …

    === The Script is as below ===

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    Hope this helps …

    For more help pls. feel free to contact Dave who was the original genius who helped identify this from LA Marketing

    Thanks and Regards,

    Fawaz

    Plugin Author Eli

    (@scheeeli)

    Thanks Majalla,
    I have added this new threat to my Definition Update so it can now be repaired automatically with my Amti-Malware.

    I really appreciate your help in identifying this new threat.

    Aloha, Eli

    I also ran sucuri and it detected MW:SPAM:SEO. But running the scanner did not detect on my site. Am i doing something wrong?

    Plugin Author Eli

    (@scheeeli)

    zahweb,
    You might have a new variant of this threat that has not yet been identified in my Definition Updates. If you are willing to let me into your WP Admin I will track it down and add it to my definitions so the It can be automatically removed.

    You can send login credentials directly to my email: eli at gotmls dot net
    Don’t post them here 😉

    Aloha, Eli

    Just sent to you, if you can update thanks.

    Plugin Author Eli

    (@scheeeli)

    zahweb,
    I see you have restored your site and the ad link injected on your homepage is gone. That’s good but we didn’t figure out where it was coming from so it could come back if your server still has the same vulnerability that let it in the first time. If you do get re-infected consider my offer to copy your site to my server for further testing.

    Aloha, Eli

    Aloha

    I have the sames issue as zahweb. The plugin cannot find MW:SPAM:SEO as detected by sucuri.

    Was a cure found? I would be willing to assist in it’s demise. What can I do? How can I find this damn thing?

    Thanks
    Frank

    Plugin Author Eli

    (@scheeeli)

    MW:SPAM:SEO is a very generic definition. There are lots of threats that my plugin will find and fix that fall under that description. There are also always new threat coming out that my plugin cannot always identify and automatically fix until add them to my definition update.

    If yo are willing to give me a WP Admin login to your site I will look for this new threat and add it to my definition update so that it can be automatically removed.

    You can email me directly at: eli AT gotmls DOT net

    Aloha, Eli

    Eli,

    I found the code in the theme header.php file. I sent it to you. Please add it to your definitions. I will wait to remove it so I can test your plugin.

    Thanks
    Frank

Viewing 15 replies - 1 through 15 (of 26 total)
  • The topic ‘Cant remove MW:SPAM:SEO’ is closed to new replies.