How to remove this scam popup

Viewing 8 replies - 46 through 53 (of 53 total)
  • Thread Starter aages

    (@aages)

    @clarus-dignus

    SELECT post_title FROM wpek_posts WHERE post_title = '404testpage4525d2fdc' resulted in 0.

    Better Search & Replace did not find anything − = 0 for all.

    Will spend some time to look into:
    SELECT post_title FROM wpek_posts

    By the way, all error pages that Sucuri is finding are identical.

    If I cannot solve these happenings myself or with Support assistance, I will most likely close down the site for good, as it is a charity, non-commercial site and the site depends on me and how much of my own resources I can use to keep it up. However, I am very grateful for all the assistance you have given.

    • This reply was modified 5 months, 4 weeks ago by aages.
    Thread Starter aages

    (@aages)

    Finally – I found it!!!!

    After nearly 7 days of sleepless nights and with a lot, a lot of assistance here, I found the script:
    “Known javascript malware: malware.injection?100

    eval(function(p,a,c,k,e,d…… ( see previous posts for complete file)” – it was added in the footer.php, so far down that I did not even check it all when I had a look at it earlier. I found it using search in Kate, opening my backed-up files.

    …and now Sucuri is giving a clean “status” and now I will try to make it more secure.
    At the end a great experience and a lot of learning – THANKS AGAIN ALL!

    • This reply was modified 5 months, 3 weeks ago by aages.

    Excellent. Well done finding it.

    Periodically check your site with Sucuri over the next few weeks just in case.

    Is the “eval(function(p,a,c,k,e,d)” only in the malicious script?? Or can there be legitimate uses of that in my files? I will be able to find sections that include that code, but I don’t want to delete it if it is meant to be there.

    Thread Starter aages

    (@aages)

    Look at my earlier past link: https://radio-alanya.no/Securi_results.txt

    I found the script in the Theme Footer – footer.php.
    Check it out but it was far below at the very end of the file – and I deleted it – result – clean and site working like new.

    • This reply was modified 5 months, 3 weeks ago by aages.

    @carotelfer

    eval(function(p,a,c,k,e,d){...}) isn’t necessarily malicious, though it can be. It decompresses compressed and obscured JavaScript.

    When you encounter it, copy and paste it here to unpack it and see what it’s doing:

    https://matthewfl.com/unPacker.html

    If you encounter it in your files or database tables, you could contact the respective theme/plugin author and confirm whether or not it’s supposed to be there. For theme/plugin files, you can just download the files and compare them to your installed files.

    @aages

    Using the unpacker, I unpacked the JavaScript malware that Sucuri found on your site.

    It matches the JavaScript malware addressed in this Sucuri article published this month:

    https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-scam-sites.html

    The malware is always injected into the active theme’s footer.php file, and contains obfuscated JavaScript after a long series of empty lines, no doubt trying to stay hidden.

    Thread Starter aages

    (@aages)

    However, I cleaned out my problems by removing this script in my footer.php, and nothing else had to be done – the pop-up is gone and Sucuri gives clean results.

    • This reply was modified 5 months, 3 weeks ago by aages.