Support » Fixing WordPress » inkangood.com

  • Resolved kristelc

    (@kristelc)


    Hi,

    Since this morning I have been experiencing an issue when editing pages. Everytime I add text, this line gets added:
    <script src=”//linkangood.com/xxx.js” async=”” type=”text/javascript”></script>

    When I last worked on the site on friday, it dit not do this.

    I can not find what this is exactly (I can not realy read javascript) nor can I find how to get rid of this. Except for always deleting the line of code before saving.

    Please help

    • This topic was modified 2 weeks, 2 days ago by  Steve Stern.

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 18 total)
  • Nevermind, we found the issue. It was a Chrome extension that interfered

    What extension did you find that was causing this issue, because this is MALWARE and I’ve just discovered it on my site as well.

    I am also seeing this linkangood.com show up under GTMetrix scan. What Chrome extension caused your problem @kristelc ? Thank you

    @budget101 Where can I read up on this malware, find no mention of it anywhere. Thank you

    @tigervilja you can load the link in the browser window and look at the source code directly to see that it overwrites your ads & injects it’s own.

    http:// linkangood (dot) com/21ef897172770ca75d.js

    remove space and insert the .

    I would like to know what extension cause this .. I am also getting this code in my editing. Super annoying.

    Thanks

    For me it was the extension: Video Downloader professional

    I couldn’t find any information on the linkandgood thing either. I just tried local first and still got it, so next a different browser and it went away.

    So last step was just turn off all extensions and turn them on again one by one.

    Hi @kristelc @budget101 Thank you both for helping out. Could I ask your advice because I am a novice totally when it comes to malware infections. I also had the Video Downloader Professional installed in Chrome, I deleted it and ran GTMetrix and all linkangood references were still there. I then checked all tables in the WordPress installation by using Better Search Replace and found https://linkangood.com mentioned in 34 tables. This must mean I have been infected with malware and need to delete the whole website and redo it from scratch, sigh.. But could it have been this Video Downloader professional that somehow inserted this linkangood stuff into my wordpress installation while editing it using Chrome while this extension Video Downloader Plus was still active and installed in Chrome? Sorry if this is a stupid question but any insight would be greatly appreciated.

    @tigervilja I think indeed that this is the case. But I have also found that when you just delete these pieces of code (preferably when the extension is no longer running) It wil not return, so if you can just find those tables and delete those pieces you should be fine.

    Thank you @kristelc could I ask your input on the following! It seems to have hooked itself onto primarily woocommerce tables. A Malware like this could also potentially see webhook codes and secret login codes from credit card companies that I have input in payment details on the wordpress installation. Am I right in assuming this is the case? Having this malware on the site they would have a door in to take all info they want from there? I do believe I will redo the whole site since I am connected to these payment services. Thank you for any input, this is taxing to say the least!

    And just for everybodys information, I have two sites running the same theme, one of them is the one infected by this linkangood malware the other one is clean. The clean one today updated to a new version of the theme, the infected one is not updating the theme. so I would guess this malware does more than steal your ads.

    Not only with WP, but also while editing my Mailchimp newsletter, I was seeing this code appear in the <> code view … and could not figure out what the hell was going on …… it appears to have been resolved by disabling the Video Downloader extension that I had been using.

    Thanks for sending me in the right direction!

    tigervilja

    (@tigervilja)

    Removed installation of WordPress, Video Downloader long gone, reinstallation and after installing woocommerce and Avada theme and demo, linkangood is now showing up again in a table after running Better Search Replace, found in table wp32_posts.

    Does anyone have more information what this is all about? Does anyone else have this showing up again?
    Is this malware too new because nothing is found. And I am running Mac with Avast.

    Compuchenna

    (@compuchenna)

    You can run a malware scan on your website, but it doesn’t appear to be malware. If anything, it’s likely browser adware. Just need to reset your browser, or find out where it’s coming from, i.e. which plugin; and erase it.

    You should log into your cpanel and do a search on your database from within there, as it’s unlikely the ‘virus’ would be in a fresh installation of WordPress. Most hackers insert some kind of file into your root domain and use that as backdoor access into your site. From there, they edit specific code, which allows them to embed their redirects. But that typically takes weeks or months, after a successful reinstallation, since they work in bulk (infect many sites), and are typically unawares; when their code has been removed.

    tigervilja

    (@tigervilja)

    @compuchenna Thank you so much. Been searching my databases and found references to linkangood in 3 of 10 and the below I found in information_schema / processlist. I actually found one new mention of linkangood in the new installation I did a couple of hours ago as well so it is as you explained, it injects itself again. I am grateful for you taking the time to explain all this.

    But what can I do from now on? Is this harmless?

    I run a web shop that sells products and I am linked to both Paypal and Stripe for credit cards. I don’t use ads at all so I really don’t care if they steal my ad space.
    The two things I am worried about are, can they steal my secret codes that are used for payments that are inserted into woo commerce and thereby get access to my accounts? And can this make Google punish my site for ranking, having all this browser adware inserted into my site?

    Not expecting you to have answers to all of this but any insight would be much appreciated.

    Thank you again..

    SELECT * FROM information_schema.PROCESSLIST WHERE (CONVERT(ID USING utf8) LIKE ‘%linkangood%’ OR CONVERT(USER USING utf8) LIKE ‘%linkangood%’ OR CONVERT(HOST USING utf8) LIKE ‘%linkangood%’ OR CONVERT(DB USING utf8) LIKE ‘%linkangood%’ OR CONVERT(COMMAND USING utf8) LIKE ‘%linkangood%’ OR CONVERT(TIME USING utf8) LIKE ‘%linkangood%’ OR CONVERT(STATE USING utf8) LIKE ‘%linkangood%’ OR CONVERT(INFO USING utf8) LIKE ‘%linkangood%’ OR CONVERT(TIME_MS USING utf8) LIKE ‘%linkangood%’ OR CONVERT(STAGE USING utf8) LIKE ‘%linkangood%’ OR CONVERT(MAX_STAGE USING utf8) LIKE ‘%linkangood%’ OR CONVERT(PROGRESS USING utf8) LIKE ‘%linkangood%’ OR CONVERT(MEMORY_USED USING utf8) LIKE ‘%linkangood%’ OR CONVERT(EXAMINED_ROWS USING utf8) LIKE ‘%linkangood%’ OR CONVERT(QUERY_ID USING utf8) LIKE ‘%linkangood%’ OR CONVERT(INFO_BINARY USING utf8) LIKE ‘%linkangood%’ OR CONVERT(TID USING utf8) LIKE ‘%linkangood%’)

Viewing 15 replies - 1 through 15 (of 18 total)
  • You must be logged in to reply to this topic.