WordPress.org

Forums

Malware (counter-wordpress.com) Warning on Chrome (56 posts)

  1. xsn0w
    Member
    Posted 3 years ago #

    I have also changed MySQL passwords (and updated both wp-config.php and bb-config.php; BuddyPress/bbPress users, don't forget this), admin passwords and cPanel passwords, and changed the auth salt keys in wp-config.php. I suggest everyone not skip these tedious steps for protection. I have cleared my browser's cache and the warning is still coming up for me (on Mac, Chrome and Safari) but not for my PC-using colleagues. I am super paranoid and this has triggered a delusional bout of paranoia. Have I missed anything?

    Oh, and Google Webmaster Tools doesn't, and hasn't ever, "found" any malicious software on my site. Where are the warnings coming from? Who is issuing them, as Google apparently never found anything wrong with my site?

  2. xsn0w
    Member
    Posted 3 years ago #

    I now know that iSlidex's copy of timthumb.php was the entry point for my attack. Don't overlook any active WP install on your server. Every live WP site on my server was infected.

  3. Sanjeev Mohindra
    Member
    Posted 3 years ago #

    Check wp-config.php for more than 92 lines. It might look empty, but it will have code later, at around lines 2000-5000; the code is small, around 20-30 lines. If somebody wants a snippet, you can ping me. You don't need those lines; the file should be 91 lines only.

    In the raw visitor log on the server, check for server 91.196.216.20; this was the infection point for my site. This URL also has the script which was executed; this script can give you an idea about what files you need to check. (Don't open it with the full URL; you need to take the number, like 15.txt, from the URL and use it like http://91.196.216.20/15.txt to open the script.)

    If WordPress is installed in the root folder, you can move wp-config.php up by one level, which will bring it out of the public folder.

    Also make sure that you either reinstall WordPress or change the security key, and delete all the cookies and browsing data from the browser.

    Hope this will help.

  4. xsn0w
    Member
    Posted 3 years ago #

    Thank you Sanjeev. I had scrolled way down but had missed the lines way down. They have now been removed. Thank you for this valuable tip.

  5. MickeyRoush
    Member
    Posted 3 years ago #

    @ iamlenox

    Chris, my sites are receiving the "Malware (counter-wordpress.com) Warning on Chrome" just like everyone else is, so while the majority are using TimThumb, which seems to be largely affected by this issue, they aren't the only WordPress sites affected.

    Some themes and plugins have renamed timthumb.php to thumb.php or thumbs.php. If you see one similar to those in your theme(s) or plugin(s) please contact the particular developer to find out exactly if they are using timthumb or a derivative of it.

  6. Sanjeev Mohindra
    Member
    Posted 3 years ago #

    I have created a step-by-step guide to help. You can use it or make suggestions.

    http://makewebworld.com/2011/08/tips/how-to-remove-counter-wordpress-malware/

  7. sammiej
    Member
    Posted 3 years ago #

    Thank you for all your help with this issue, members... I think I found all the offending files and updated what was needed. Wouldn't have had a clue without this forum!

    Sam

  8. Elegant Themes
    Member
    Posted 3 years ago #

    For any ElegantThemes members, be sure to update your theme to the latest version. This vulnerability was fixed several weeks ago. I have noticed two major hacks going around. If you have already been hit, then the first thing you should do is open wp-config.php and delete everything after:

    require_once(ABSPATH . 'wp-settings.php');

    Next open index.php and delete everything between:

    require('./wp-blog-header.php');

    ...

    ?>

    After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as http://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.

    Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It's also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don't have any timthumb.php files laying around.

    ET members, feel free to send me an email if you need help: http://www.elegantthemes.com/contact.html
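    A scanner for the two checks described above (the padded wp-config.php from post 3, and the wp-config.php / index.php cut points from post 8), as an added example that is not code from the thread, from Elegant Themes or from WordPress. It assumes the posted sentinel lines (`require_once(ABSPATH . 'wp-settings.php');` and `require('./wp-blog-header.php');`) are the last legitimate lines of each file, so anything after them other than whitespace and a closing `?>` is foreign; the sample files and the `PLACEHOLDER` strings in them are constructed for the demonstration, and the obfuscation helper names it reports are only a secondary signal.

```python
"""Find code appended after the normal end of WordPress bootstrap files.

Added example (not from the forum thread or from WordPress). The files
in this thread were padded with thousands of blank lines so that the
injected PHP sat far below the visible end of the file; the scanner
reports the padding as well as the foreign lines themselves.
"""

# Per file: the line after which a clean copy contains nothing but
# whitespace (and, for index.php, the closing PHP tag).
SENTINELS = {
    "wp-config.php": "require_once(ABSPATH . 'wp-settings.php');",
    "index.php": "require('./wp-blog-header.php');",
}

# Helpers commonly used to hide injected PHP. A hit is a strong signal,
# but the real verdict is simply "there is code where there should be none".
OBFUSCATION = ("base64_decode", "eval(", "gzinflate", "gzuncompress", "str_rot13")


def find_trailing_code(name, text):
    """Return a report dict for one file, or None if nothing follows the sentinel.

    The report gives the sentinel's line number, how many blank lines pad
    the gap before the first foreign line, how many foreign lines there
    are, and which obfuscation helpers (if any) appear in them.
    """
    sentinel = SENTINELS[name]
    lines = text.splitlines()
    try:
        idx = next(i for i, line in enumerate(lines) if line.strip() == sentinel)
    except StopIteration:
        return {"file": name, "error": "sentinel line not found"}
    # Everything after the sentinel, tolerating the closing tag and blank lines
    # that a clean file legitimately has. Line numbers are 1-based.
    foreign = [(idx + 2 + j, line) for j, line in enumerate(lines[idx + 1:])
               if line.strip() not in ("", "?>")]
    if not foreign:
        return None
    first_foreign = foreign[0][0]
    padding = sum(1 for line in lines[idx + 1:first_foreign - 1] if line.strip() == "")
    hits = sorted({h for _, line in foreign for h in OBFUSCATION if h in line.lower()})
    return {
        "file": name,
        "total_lines": len(lines),
        "sentinel_line": idx + 1,
        "padding_blank_lines": padding,
        "first_foreign_line": first_foreign,
        "foreign_line_count": len(foreign),
        "obfuscation_hits": hits,
    }


# --- constructed sample files (not real WordPress files) -------------------
CONSTRUCTED_CLEAN_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'example_db');\n"
    "/* That's all, stop editing! Happy blogging. */\n"
    "if ( !defined('ABSPATH') )\n"
    "\tdefine('ABSPATH', dirname(__FILE__) . '/');\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
)
# 2999 blank lines, then two lines of (placeholder) injected PHP.
CONSTRUCTED_INFECTED_CONFIG = (
    CONSTRUCTED_CLEAN_CONFIG
    + "\n" * 2999
    + "$x = base64_decode('PLACEHOLDER');\n"
    + "eval($x);\n"
)
CONSTRUCTED_INFECTED_INDEX = (
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require('./wp-blog-header.php');\n"
    + "\n" * 100
    + "echo 'PLACEHOLDER injected markup';\n"
    + "?>\n"
)


def scan_files(files):
    """Scan a {name: contents} mapping; return the reports for files that are not clean."""
    return [r for r in (find_trailing_code(n, t) for n, t in files.items()) if r]


if __name__ == "__main__":
    for report in scan_files({"wp-config.php": CONSTRUCTED_INFECTED_CONFIG,
                              "index.php": CONSTRUCTED_INFECTED_INDEX}):
        print(report)
```

Run it against the real files with `scan_files({"wp-config.php": open("wp-config.php").read()})`; a report with a large `padding_blank_lines` and a handful of foreign lines is exactly the pattern Sanjeev describes, and a clean file returns no report at all.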

  9. esmi
    Forum Moderator
    Posted 3 years ago #

    This script is very popular throughout the theme community.

    As far as I'm aware, it's not been allowed in any WPORG theme for a while now.

  10. Elegant Themes
    Member
    Posted 3 years ago #

    There are still many themes outside the repository that use the script. It's worth checking your inactive themes for the file.

  11. MickeyRoush
    Member
    Posted 3 years ago #

    @ sanjeevmohindra

    May I make a suggestion? (Sorry, I didn't have time to register with your site.)

    These lines may not work for everyone:
    deny from superpuperdomain.com
    deny from superpuperdomain2.com

    Deny based on remote hostname will only work on a server that has reverse-DNS lookups enabled (some don't).

    Better to use SetEnvIfNoCase Referer. Something like this:
    SetEnvIfNoCase Referer ^https?://(www\.)?superpuperdomain\.com ban
    SetEnvIfNoCase Referer ^https?://(www\.)?superpuperdomain2\.com ban
    deny from env=ban

    So:

    SetEnvIfNoCase Referer ^https?://(www\.)?superpuperdomain2?\.com ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all

  12. Fahad Bin Ali
    Member
    Posted 3 years ago #

    I have got a problem on my site fun54.com. I came to know through Webmaster Tools that my site is linking to counter-wordpress.com, which consists of malware/malicious software. I consulted the web hosting and they said that they cleaned and updated my jQuery files.

    First I was checking the status of my site here:
    http://sitecheck.sucuri.net/scanner/
    and the result was bad, but after the replacement or updating of the jQuery files my website status went GREEN. OK. FINE. :)

    But the problem which I am still facing is actually listed below:

    URL 1: http://www.fun54.com/10-inspirational-love-quotations-sayings-for-him-and-her

    URL 2: http://www.fun54.com/10-inspirational-love-quotations-sayings-for-him-and-her?fb_xd_fragment

    Google Webmaster Tools displays these kinds of URLs of my site in the Malware error report.
    If the jQuery error has been removed, then why is URL 2 still working?

    And my site is still listed under harmful sites in Google. Why is it not removed from Google's suspicious sites list?

    If anyone can help / reply, then please.

    I will be thankful to you.

    bye

    Emily

  13. WordMe
    Member
    Posted 3 years ago #

    My site has been infected with malware.

    I have done everything and now my site is clean here: http://sitecheck.sucuri.net/scanner/

    But Google's search results say I have malware: "This site may harm your computer" and I can no longer open my website with Google Search. I can open it only through direct link.

    Please, help me!

  14. melvinramos
    Member
    Posted 3 years ago #

    Hi,

    I just re-installed WordPress and the warning went away. But I don't know if any further hacking was done.

    Regards,
    Melvin

  15. Sanjeev Mohindra
    Member
    Posted 3 years ago #

    @MickeyRoush

    Thanks Mickey for the suggestion. In fact, I was thinking of removing the domain name because I am not sure the attack comes only from that domain.

    The IP I am sure of, and I have checked the log on my server to confirm that also.

    Anyhow, it's better to use it as you suggested; I will change it in my guide.

    PS: You don't need to be registered to put a comment there. :)

  16. Sanjeev Mohindra
    Member
    Posted 3 years ago #

    @mlrose45 @melvinramos @WordMe

    I hope you guys have checked your wp-config.php file as mentioned in all the posts.

    If you are not sure about all the files, check this post.

  17. MickeyRoush
    Member
    Posted 3 years ago #

    @ sanjeevmohindra

    PS: You don't need to be registered to put a comment there. :)

    My bad, all I saw was something about 'log in to reply'. So I just came back, sorry.

    Thanks Mickey for the suggestion. In fact, I was thinking of removing the domain name because I am not sure the attack comes only from that domain.

    The IP I am sure of, and I have checked the log on my server to confirm that also.

    Anyhow, it's better to use it as you suggested; I will change it in my guide.

    Plus I believe deny based on host name requires the server to work harder than doing it my suggested way.

    Here is another way you could possibly do it as well, including the other two known domains in question. The difference is there's no need for the '(www\.)?', as leaving it out almost achieves the same effect; '[^.]?' assumes any character or none after superpuperdomain (someone can correct me if I'm wrong); and I removed the 'com' to cover all domain suffixes.

    SetEnvIfNoCase Referer ^https?://(superpuperdomain[^.]?|newportalse|counter-wordpress)\. ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all

    Not sure how much good these rules will do if the attack is using a sock and they can change their domain name and IP. I guess it could help and really wouldn't hurt anything to use them, unless you really want that traffic from those IPs & domains and you believe it's worth the risk. For me, I choose to be safe rather than sorry and I will take the chance on losing that traffic. :)
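    The same two tests the .htaccess rules in posts 11 and 17 express, run as a search over access-log lines (Sanjeev's advice in post 3 to look for 91.196.216.20 in the raw visitor log), as an added example that is not code from the thread or from any WordPress tool. It assumes Apache's combined log format, treats `deny from 91.220` / `deny from 91.196` as the /16 networks Apache reads them as, and anchors the Referer pattern with the scheme, because a Referer header carries an absolute URL (`http://www.example.com/path`) and a pattern that begins with a bare `^` at the host name never matches one. It also keeps `(www\.)?` in front of the host group. The log lines are constructed; the only address in them taken from the thread is 91.196.216.20.

```python
"""Flag access-log entries that the thread's block rules would catch.

Added example (not from the forum thread, Apache or WordPress). It
checks each line for a client address inside the denied /16 networks
and for a Referer whose host matches the pattern used in the thread.
"""
import ipaddress
import re

# What "deny from 91.220" and "deny from 91.196" mean to Apache.
DENIED_NETS = [ipaddress.ip_network("91.220.0.0/16"),
               ipaddress.ip_network("91.196.0.0/16")]

# The pattern as it has to be written for a real Referer value: the scheme
# comes first, then an optional "www.", then the host group from post 17
# ("[^.]?" allows one optional non-dot character, e.g. "superpuperdomain2").
REFERER_BAN = re.compile(
    r"^https?://(www\.)?(superpuperdomain[^.]?|newportalse|counter-wordpress)\.", re.I)

# The same group anchored with a bare "^", kept only to show that it cannot
# match an absolute URL.
BARE_ANCHOR = re.compile(r"^(superpuperdomain[^.]?|newportalse|counter-wordpress)\.", re.I)

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a parsed entry matches the block rules ([] when it matches none)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(entry["ip"])
        if any(ip in net for net in DENIED_NETS):
            reasons.append("ip:" + entry["ip"])
    except ValueError:
        pass  # not an IP literal (e.g. a host name from a resolving log); skip the IP test
    if REFERER_BAN.search(entry["referer"]):
        reasons.append("referer:" + entry["referer"])
    return reasons


def scan(log_text):
    """Return (line_number, request, reasons) for every flagged line of the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((n, entry["request"], reasons))
    return hits


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; 91.196.216.20 is the address reported in the thread.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [24/Aug/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0"
91.196.216.20 - - [24/Aug/2011:10:02:15 +0000] "GET /wp-content/themes/sample/timthumb.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Aug/2011:10:03:40 +0000] "GET /about/ HTTP/1.1" 200 4000 "http://www.superpuperdomain2.com/page" "Mozilla/5.0"
198.51.100.9 - - [24/Aug/2011:10:04:05 +0000] "GET /about/ HTTP/1.1" 200 4000 "http://superpuperdomain.example/" "Mozilla/5.0"
91.220.1.2 - - [24/Aug/2011:10:05:00 +0000] "GET /wp-content/uploads/upd.php HTTP/1.1" 404 200 "http://counter-wordpress.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_LOG):
        print(hit)
```

Point `scan()` at the raw visitor log from the hosting panel to get the list of lines worth reading; the fourth sample line shows the effect of dropping the `com`, which makes the host group match any suffix, and `BARE_ANCHOR` shows why the scheme prefix matters when the same pattern is put into `SetEnvIfNoCase`.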

  18. Mackelberg
    Member
    Posted 3 years ago #

    Thanks alot CupRacer, your guide worked like a charm!

  19. Sanjeev Mohindra
    Member
    Posted 3 years ago #

    @ MickeyRoush

    Yes, I completely agree with you, better safe than sorry. I am also ready to lose the traffic from these servers, as long as my sites are safe.

    Also sorry about my comment, after you mentioned I went back and checked and indeed that little stupid checkbox was ticked. So it was asking you to log in. It will not do that again...

    I always open my sites for comment and thought I did the same for this new domain also....

  20. JeanetteM
    Member
    Posted 3 years ago #

    Hello all, I am having this problem right now on my site: http://kitchen.amoores.com

    I have found one of the files mentioned on this thread, the upd.php file and have deleted it.

    I haven't been able to find any of the other files mentioned though.
    When I scan my site on http://sitecheck.sucuri.net/ this is the message I get.

    Malware found on javascript file:
    http://www.kitchen.amoores.com/wp-includes/js/l10n.js?ver=20101110
    Malware found on javascript file:
    http://www.kitchen.amoores.com/wp-includes/js/jquery/jquery.js?ver=1.6.1

    Should I delete these two files, or just the section of code listed on that scan?

  21. esmi
    Forum Moderator
    Posted 3 years ago #

  22. Sanjeev Mohindra
    Member
    Posted 3 years ago #

    @ JeanetteM

    You can check the removal process here; a reinstall of WordPress from the dashboard should take care of these two files, but make sure you clean your wp-config.php file if infected.

  23. JeanetteM
    Member
    Posted 3 years ago #

    Thank you! I will try reinstalling wordpress and your other suggestions. I will let you know if it works.

  24. hollybret
    Member
    Posted 3 years ago #

    I have worked with HostGator and done the steps mentioned above to rid my site of malware. I am no longer getting the warning screen when logging into my wp-admin. Scans through http://sitecheck.sucuri.net/scanner/ are clean.

    However, now when I log in to a plug-in running on the site, I get the warning screen. (http://blogboutique.com is fine and http://blogboutique.com/wp-admin is fine; however, http://blogboutique.com/dap/admin shows "Suspected Malware Site" in the Google bar and causes the warning screen to come up.) Running this URL (with dap/admin) through the Sucuri scanner comes out clean.

    I've tried to have my site reviewed by Google. However, Google shows no malware on the site and has not blacklisted it, so there is no option for review.

    I have only ever gotten the warning in Safari and Chrome ~ Firefox has been fine.

    Any thoughts or ideas? I'd really appreciate it!

  25. JeanetteM
    Member
    Posted 3 years ago #

    @sanjeevmohindra, I cleaned up the wp-config.php file and reinstalled wordpress and now the blog is scanning green! Thank you :)

    I have submitted it to Google for review. Hopefully it will be taken out of blacklist soon.

  26. xsn0w
    Member
    Posted 3 years ago #

    @hollybret get a clean version of ALL plugins, especially any that contain java or timthumb.php. The infected java files will usually be in a folder inside the plugin folder called js, jquery or Ajax. I found that I was attacked through a plugin: iSlidex.

    Does anyone have more info about the nature of the attack, what was the purpose and what info were they targeting/collecting?

Topic Closed

This topic has been closed to new replies.
