Malware Detected by Chrome

  • lynne-enroute
    Member

    @lynne-enroute

    Need help. Chrome’s saying malware has been detected somewhere on our site from IP address 31.184.242.102.

    We haven’t updated anything and it seems that it’s a problem being experienced by other WordPress users.

    Please let me know how to address this issue.

Viewing 15 replies - 16 through 30 (of 45 total)
  • fellowito
    Member

    @fellowito

    I’m having the same problems.

    I had to replace every js file, and now it only appears when I try to access the admin panel (/wp-admin/).

    When I use Sucuri, it says “WordPress version outdated: Upgrade required”, but I have version 3.3.1. I have tried re-installing it, but I was unlucky. Any help?

    I think it is a problem related to the theme. I don’t know why, but I think the theme was also infected.

    Updated: I managed to solve the “WordPress version outdated: Upgrade required” problem; I just uploaded my theme again. However, the malware warning still appears when I try to enter the admin panel.

    Besides, if I try to add a new post, my antivirus (Eset Nod32) detects a trojan: Agent.Nef Trojan.

    What is happening?

    A quick look on Google lists Agent-nef as a Windows based Trojan that steals credentials and provides a back door into the system. It sounds like a serious threat.

    phil_denton
    Member

    @phil_denton

    I just finished cleaning all the infected files off my site as well. Just FYI, I also found malicious code on my site in a “theme” called “config”. The folder had three .php files in it – yup, main, and configs. Be on the lookout for those also, just in case…

    human2
    Participant

    @human2

    I got it with the 31.184.242.102 “harmful” google chrome hack today. Here is a great site with the fix: http://redleg-redleg.blogspot.com/2012/02/malware-hosted-on-31184242102.html?showComment=1329285003052#c5421789068641877560

    fellowito
    Member

    @fellowito

    @human2 that website has the virus. My antivirus doesn’t let me enter that website.

    redleg-too
    Member

    @redleg-too

    @fellowito The website/page referenced by human2 does not have the virus; however, the post does have a listing of the JavaScript used in the hack. The listing is benign, but the listing must be triggering a warning from your AV software.

    Would appreciate knowing what AV software you are running so I can check into it.

    Also never ever ignore a warning from your AV software, and never ever take some random poster’s word for it that his site is not malicious!

    redleg

    fellowito
    Member

    @fellowito

    @redleg-too thank you for getting back, my AV is Eset Nod32.

    I have news: the problem is in some plugins. Even though I tried re-installing them (delete and then install), the malware warning still appears. It’s quite frustrating.

    redleg-too
    Member

    @redleg-too

    In all the sites I have seen so far, the hack has been some obfuscated JavaScript added to the end of some/all of the legitimate JavaScript files on the site. Since the listing of the code triggers your A/V, I will try posting just a snippet here. The code starts out:

    var _0x80d0=["\x64\x67

    and then those \xdd go on forever.

    fellowito
    Member

    @fellowito

    Sorry, I don’t know what you mean.

    I know it’s some kind of code added in some files, but I’ve uploaded all the WordPress files and my theme files again, and the plugins with problems have been replaced too, always using new files. So, I don’t know what other things I must replace.

    redleg-too
    Member

    @redleg-too

    I am new to this forum so not familiar with the rules, but if you post your URL I will take a look at the site. You can use a service like http://goo.gl/ to mask your URL.

    fellowito
    Member

    @fellowito

    Oh, ok, sorry, my mistake.

    http://goo.gl/Vhw6J

    Anyway, the problem only appeared in my admin panel, and right now I think it’s solved because I deactivated two plugins.

    redleg-too
    Member

    @redleg-too

    I am not turning up anything, so hopefully it is all behind you. Appreciate the info on the alert from Eset Nod32 on my blog. Guess I need to figure out a way to put the code examples in my post so that they do not trigger a warning!

    Good Luck

    MickeyRoush
    Member

    @mickeyroush

    dionsis wrote:

    I’ve run Bulldog Internet Security, Spybot S&D and A Squared looking for anything on the machine.

    Any other scanners recommended?

    Malwarebytes and SuperAntiSpyware.

    fellowito
    Member

    @fellowito

    @redleg-too anyway, maybe you have found the code, but where is it? I mean, I’ve replaced a lot of .js files, but I still have the problem. In what files is that code?

    MickeyRoush wrote:
    Malwarebytes and SuperAntiSpyware.

    Cheers Mickey

    Fellowito wrote:
    @redleg-too anyway, maybe you have found the code, but where is it? I mean, I’ve replaced a lot of .js files, but I still have the problem. In what files is that code?

    Replacing a lot isn’t enough. It needs to be every JS file. That means a fresh copy of the WP-ADMIN and WP-INCLUDES (delete the entire folders unless you’ve customised) then in WP-CONTENT you need to reinstall plugins and clean any JS your theme is using.

    Double check all folders 755 and files 644 permission etc etc as per links already given above
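
    The following is an added example, not code from any poster in this thread. It answers the "in what files is that code?" question by walking a site directory, flagging .js files that contain the hex-escaped `_0x` array opening quoted earlier in the thread, and reporting anything that is not 755 (folders) or 644 (files). The function names, the 4096-character tail window, the density fallback and the sample tree are assumptions made for the example.

```python
import os
import re
import tempfile

# Opening of the appended code as quoted in the thread: var _0x80d0=["\x64\x67
MARKER = re.compile(r'var\s+_0x[0-9a-fA-F]+\s*=\s*\[\s*"(?:\\x[0-9a-fA-F]{2}){2,}')
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')


def check_js(path, tail_chars=4096):
    """Return a reason string if a .js file looks injected, else None."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    if MARKER.search(text):
        return "hex-escaped _0x array"
    tail = text[-tail_chars:]  # the thread says the code sits at the end of the file
    # Assumed fallback for renamed variables: tail is mostly \xNN escapes (4 chars each).
    if len(tail) >= 200 and 4 * len(HEX_ESCAPE.findall(tail)) > len(tail) / 2:
        return "tail is mostly \\xNN escapes"
    return None


def audit(root):
    """Return (suspicious_js, wrong_modes) for everything below root."""
    suspicious, wrong_modes = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel, is_dir = os.path.relpath(path, root), os.path.isdir(path)
            mode = os.lstat(path).st_mode & 0o7777
            if mode != (0o755 if is_dir else 0o644):  # 755 / 644 as advised above
                wrong_modes.append((rel, oct(mode)))
            if not is_dir and name.lower().endswith(".js") and (why := check_js(path)):
                suspicious.append((rel, why))
    return sorted(suspicious), sorted(wrong_modes)


def demo():
    root = tempfile.mkdtemp()  # constructed sample tree, not real site data
    files = {"clean.js": ('function ok(){return "\\x41";}\n', 0o644),
             "bad.js": ('function ok(){}\nvar _0x80d0=["\\x64\\x67\\x41\\x41"];\n', 0o644),
             "loose.php": ("<?php // constructed\n", 0o666)}
    for name, (body, mode) in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), mode)
    return audit(root)
```

    A flagged file is a candidate to compare against a fresh copy from the original package, since legitimately packed scripts can also contain `\xNN` runs. The audit only reports; it changes no files or permissions.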

  • The topic ‘Malware Detected by Chrome’ is closed to new replies.