How to remove this scam popup

Resolved aages
(@aages)

3 years, 2 months ago
On our website I am new to WP an getting this popup – how to remove as I have tried everything.

Here is a link of the screenshot – https://radio-alanya.no/Screenshot_20220330_134704.png
- This topic was modified 3 years, 2 months ago by aages.
- This topic was modified 3 years, 2 months ago by aages.
- This topic was modified 3 years, 2 months ago by aages.

Viewing 8 replies - 46 through 53 (of 53 total)

← 1 2 3 4

Thread Starter aages
(@aages)

3 years, 2 months ago
@clarus-dignus

SELECT post_title FROM wpek_posts WHERE post_title = “404testpage4525d2fdc” resulted in 0.

Better Search & Replace did not find anything − = 0 for all.

Will spend some time to look into:
SELECT post_title FROM wpek_posts

Bye the way, all error pages that Securi is finding are identical.

If I cannot solve this happenings myself or with Support assistance I will most likely close down the site for good as it is a charity none commercial site and the site depends on me and how much I can use of own resources to keep it up, however I am very grateful for all assistance you have given.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
Thread Starter aages
(@aages)

3 years, 2 months ago
Finally – I found!!!!

After nearly 7 days of sleepless nights and with a lot, a lot of assistance here I found the script :
“Known javascript malware: malware.injection?100

eval(function(p,a,c,k,e,d…… ( see previous posts for complete file)” – it was added in the footer.php so far down that I did not even check it all when I had a look on it earlier. I found it using search in Kate opening my backed up files.

…and now Sucuri is giving a clean “status” and now I will try to make it more secure.
At the end a great experience and a lot of learning – THANKS AGAIN ALL!
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
Clarus Dignus
(@clarus-dignus)

3 years, 2 months ago

Excellent. Well done finding it.

Periodically check your site with Sucuri over the next few weeks just in case.

carotelfer
(@carotelfer)

3 years, 2 months ago

Is the “eval(function(p,a,c,k,e,d)” only in the malicious script?? Or can there be legitimate uses of that in my files? I will be able to find sections that include that code, but I don’t want to delete it if it is meant to be there.
Thread Starter aages
(@aages)

3 years, 2 months ago
Look at my earlier past link: https://radio-alanya.no/Securi_results.txt

I found the script in the the Theme Footer – footer.php.
Check it out but it was far below at the very end of the file – and I deleted it – result – clean and site working like new.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
- This reply was modified 3 years, 2 months ago by aages.
Clarus Dignus
(@clarus-dignus)

3 years, 2 months ago

@carotelfer

eval(function(p,a,c,k,e,d){...}) isn’t necessarily malicious, though it can be. It decompresses compressed and obscured JavaScript.

When you encounter it, copy and paste it here to unpack it and see what it’s doing:

https://matthewfl.com/unPacker.html

If you encounter it in your files or database tables, you could contact the respective theme/plugin author and confirm whether or not it’s supposed to be there. For theme/plugin files, you can just download the files and compare them to your installed files.

Clarus Dignus
(@clarus-dignus)

3 years, 2 months ago

@aages

Using the unpacker, I unpacked the JavaScript malware that Sucuri found on your site.

It matches the JavaScript malware addressed in this Sucuri article published this month:

https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-scam-sites.html

The malware is always injected into the active theme’s footer.php file, and contains obfuscated JavaScript after a long series of empty lines, no doubt trying to stay hidden.
Thread Starter aages
(@aages)

3 years, 2 months ago
However I cleaned out my problems with removing this script in my footer.php and nothing else had to be done – the pop-up gone and clean results from Sucuri
- This reply was modified 3 years, 2 months ago by aages.