WordPress.org

Malware (counter-wordpress.com) Warning on Chrome

Viewing 15 replies - 1 through 15 (of 55 total)
  • jintech
    Member

    @jintech

    I have the same problem with my website: http://www.jintech.in and I’m also using an Elegant theme. Waiting to see any replies for this problem.
    The website works fine in FF and IE, but Chrome displays http://counter-wordpress.com/frame.php
    It may occur CDN, please help me ??? 🙁

    Ivan Arnaudov
    Participant

    @ivanarnaudov

    ElegantThemes used the TimThumb library until a big hole was discovered in TimThumb recently (beginning of August).

    I am in the exact same mess right now; I am not a security expert and a friend is helping me out but basically you should assume that your hosting is compromised (the attacker can see your passwords and everything in your hosting panel).

    Begin by stopping the website, dumping the files on your HDD and scanning them for the following:

    eval(base64_decode
    $a = 'm'.'d5'
    $y = 'base'.'6'

    and also for all references to counter-wordpress.com

    Change your host panel password, SQL database website and everything else that may be accessible to somebody who can log on to your hosting.

    I will appreciate comments from other, more knowledgeable folks as well.

    I am also experiencing the same issue in Chrome and Safari, that is, a warning saying I have malware content from counter-wordpress.com

    I’m using Striking, a WP theme also using TimThumb. Not sure how to get rid of that, but it needs to go because this week is a crucial week for my business 🙁

    Same problems here. Just updated TimThumb.. Hope this fixes the issue?

    Ivan Arnaudov
    Participant

    @ivanarnaudov

    Updating TimThumb alone ***will not*** fix the issue.

    1. The hack entry must be removed — for me it was two files called
    /blog/wp-content/upd.php
    /blog/wp-content/eab9c5e9815adc4c40a6557495eed6d3.php

    2A. All references to counter-wordpress.com inside html/php files must be removed by hand, or
    2B. The WP and theme files must be deleted and restored from a secure copy.

    For me it was a .js file. Updated WordPress and did a rescan on: http://sitecheck.sucuri.net/scanner/, it says No threats right now. Changed password (WP) and DB, FTP

    I ran into this problem, too. I was able to fix it and blogged about it. I’m sorry, it’s German only, but nevertheless it may help some of you:

    http://www.mynakedgirlfriend.de/hacker-angriff-aufgedeckt/

    dionsis
    Member

    @dionsis

    I had this problem yesterday too

    I’d like to point out I found a malicious exe file nod32security.exe or something along those lines in the WP-Includes/js/jquery folder

    I’ve now deleted all my files to clean any extra files that got in and reuploaded all the new files including version 2.8 TimThumb.

    Hopefully this will keep it all out

    Also remove wp-admin/upd.php (CupRacer says it in his blog, but it’s German :))

    ChrisPaca
    Member

    @chrispaca

    [Updated]
    Just fixed the same issue on my site (onlywarsaw.com) in 3 easy steps that took me 10 minutes:

    1. deleted 3 files:
    /wp-content/upd.php
    /wp-content/themes/[theme’s name]/temp/eab9c5e9815adc4c40a6557495eed6d3.php
    (or similar)
    wp-admin/upd.php

    2. updated timthumb.php script to the latest version available here:
    http://timthumb.googlecode.com/svn/trunk/timthumb.php

    3. cleared Chrome’s cache for cookies and cached sites.

    Google Chrome is not displaying the warning message anymore.

    Changing the passwords for admin accounts and SQL database might be a good step too.

    Thanks guys for all your tips!

    And it’s good to run the script on:
    http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html

    And check your site with: http://sitecheck.sucuri.net/scanner/

    I didn’t have the temp folder with the ‘random hashed’ filename by the way.. But I did have an extra upd.php file in my wp-admin, so look out for that one too!

    ChrisPaca
    Member

    @chrispaca

    Thanks Rein Aris – Just found this extra upd.php on my server as well!

    Okay, for those of you who don’t understand German, here’s the short version of what I’ve written in my blog entry (see above):

    1. Delete the following files:
    wp-admin/upd.php
    wp-content/upd.php

    2. Replace the following files with the original files from wordpress.org:
    wp-settings.php
    wp-includes/js/jquery/jquery.js
    wp-includes/js/l10n.js

    3. Open “wp-config.php” and check for malicious code and massive empty lines. Clear it all.

    4. My theme is “Arthemia Premium”. There’s a file which should be deleted, too:
    wp-content/themes/arthemia-premium/scripts/cache/external_{MD5Hash}.php

    5. Replace timthumb.php with the latest version (http://timthumb.googlecode.com/svn/trunk/timthumb.php).

    6. Change your MySQL password and update wp-config.php.

    7. Change the secret keys in wp-config.php as well.

    8. Clear your browser cache, cookies etc.

    HTH,
    Thomas
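
The scan and file checks described in the posts above, combined into one script. This is an added example, not code from any poster or from WordPress; the function names, the scanned extensions and the sample tree are assumptions made for illustration, while the signatures and file names are the ones quoted in the thread.

```python
import os, re, sys, tempfile
from pathlib import Path

# Content signatures quoted in the thread; a hit means "review this file", not proof.
SIGNATURES = {
    "eval(base64_decode": re.compile(rb"eval\s*\(\s*base64_decode", re.I),
    "'m'.'d5' split string": re.compile(rb"""['"]m['"]\s*\.\s*['"]d5['"]"""),
    "'base'.'6' split string": re.compile(rb"""['"]base['"]\s*\.\s*['"]6"""),
    "counter-wordpress.com": re.compile(rb"counter-wordpress\.com", re.I),
}
# Names reported in the thread, matched in any directory (assumption):
# upd.php, <32 hex>.php, external_<MD5>.php, and any .exe.
SUSPECT_NAME = re.compile(r"^(upd\.php|(external_)?[0-9a-f]{32}\.php|.+\.exe)$", re.I)
SCANNED_EXTENSIONS = (".php", ".js", ".html", ".htm")

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files needing manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if SUSPECT_NAME.match(name):
                findings.append((rel, "file name reported in thread"))
            if not name.lower().endswith(SCANNED_EXTENSIONS):
                continue
            try:
                data = Path(path).read_bytes()
            except OSError as exc:  # keep going, but record what could not be checked
                findings.append((rel, f"unreadable: {exc.strerror}"))
                continue
            findings += [(rel, label) for label, rx in SIGNATURES.items() if rx.search(data)]
    return sorted(findings)

def build_constructed_sample(root):
    """Write a tiny constructed site dump (harmless strings only) for a dry run."""
    sample = {
        "wp-admin/upd.php": b"<?php /* constructed */ $y = 'base'.'6'.'4_decode';",
        "wp-includes/js/l10n.js": b"// constructed: http://counter-wordpress.com/frame.php",
        "index.php": b"<?php echo 'clean';",
    }
    for rel, body in sample.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(body)
    return root

if __name__ == "__main__":  # pass the path of the downloaded site copy as the argument
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample(tempfile.mkdtemp())
    print("\n".join(f"{rel}: {reason}" for rel, reason in scan_tree(root)))
```

Run it against the offline copy of the site, not the live server. An empty result only means these particular strings and names were not found, so the restore-from-a-secure-copy and password-change steps in the posts still apply.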

    gmsniperx
    Member

    @gmsniperx

    I have the Evid theme from ElegantThemes, but I am not able to figure out the malicious files or code. I don’t have those malicious files specified for “arthemia premium” in previous posts.

    Any help will be highly appreciated 🙂

    sniper

    ChrisPaca
    Member

    @chrispaca

    Hey Sniper,

    Actually I also use eVid theme, so the instructions above should fit exactly your theme as well.

    Chris

  • The topic ‘Malware (counter-wordpress.com) Warning on Chrome’ is closed to new replies.