How to remove this scam popup

@clarus-dignus

I scanned my PC without any problems found and also changed to a new one and removed admin account from WP.

Aditional I deleted my Firefox with all home/.mozilla files and reinstalled a clean one without any add-ons – so let see if I got it cleaned up – will report back.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Well – It is back but looks like only on the main site pages and so far not seen when I am logged out as administrator and notthin when I am on the /wp-admin part.

Have made a few screenshots from console (Firefox):

Main page logged in: https://radio-alanya.no/Loggedin_as_administrator.png

Main page not logged in: https://radio-alanya.no/Not-Loggedin.png

…and in my-admin part: https://radio-alanya.no/wp-admin.png

Anything to do with this JQMIGRATE?

Go to https://sitecheck.sucuri.net/ and input:

https://radio-alanya.no

It’ll confirm that your website is hacked:

Your site is hacked and needs immediate attention. Malicious code was detected on your site by our automated scanner.

Using one of these WordPress plugins, scan for the malware and remove it:

1. https://www.ads-software.com/plugins/wordfence/
2. https://www.ads-software.com/plugins/sucuri-scanner/
3. https://www.ads-software.com/plugins/gotmls/
4. https://www.ads-software.com/plugins/quttera-web-malware-scanner/

https://kinsta.com/blog/scan-wordpress-for-malware/

Before scanning, back up your website using the Updraft Plus plugin:

https://www.ads-software.com/plugins/updraftplus/

https://kinsta.com/blog/backup-wordpress-site/

I don’t think JQMIGRATE is significant.

WordPress uses jQuery migrate to ensure backwards compatibility for any plugins or themes you might be using which use functionality removed from newer versions of jQuery. This message isn’t any sort of error, but rather just letting you know that some plugins installed may be relying on older jQuery functionality. The only way to remove this “notice” would be to ensure that all of your plugins/theme code do not rely on any old jQuery methods or classes. However, I wouldn’t recommend trying to remove this notice since it’s not best practice for WordPress.

https://www.ads-software.com/support/topic/jqmigrate-migrate-is-installed-version-1-4-1-8/#post-12573895

Once again: Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

The sucuri.net is not working at all – b…s..t only strongly trying to get business as their result is out of line repeating their foundlings even after us doing all the changes they recommend. Belive more in Quttera Web Malware Scanner. after cleaning up plugins nothing to report.

Still the problem exist but only when I am logged in as administrator – when I am out nothing pups up – sure not correct though.
Have removed 6 – 7 plugins all from WP plugins which should have been tested prior to be accept as wp plugins – I am more confused now than ever before.

Ref link https://radio-alanya.no/Screenshot_20220408_213232.png

But the annoying pop-up only occurs when I am longed in as administrator ??

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

Try scanning with these two plugins:

1. https://www.ads-software.com/plugins/wordfence/
2. https://www.ads-software.com/plugins/gotmls/

Last night I checked the popup and found:

https://dating-point.top/js/push/ext2/?encodedPath=L2V4dDIvPw==&ext=1&affiliateId=&userId=ra9pd06&tracker=66&site=https%3A%2F%2Fradio-alanya.no%2F&userAgent=Mozilla%2F5.0+(X11%3B+Linux+x86_64)+AppleWebKit%2F537.36+(KHTML%2C+like+Gecko)+Chrome%2F99.0.4844.84+Safari%2F537.36&language=nb-NO&subscribeMethod=chat_popup_ext_subscribe_v3&vertical=datingPush&extImageUrl=..%2Fimages%2Fen.jpg&extTpl=1&extMessage=Ashley%2C+26

• This reply was modified 2 years, 7 months ago by aages.

Moderator should remove this last thread as it only links up to the porn chat entrance.

• This reply was modified 2 years, 7 months ago by aages.

Did scan the site several times today using:

https://www.ads-software.com/plugins/wordfence/ and
https://www.ads-software.com/plugins/gotmls/

All resulted in nothing found – Clean

Tried Securi again see: Screenshot of Securi scan https://radio-alanya.no/Securi_scan.png

Comments on finding:
I cannot find any https://radio-alanya.no/.git/HEAD in file manager

and do not understand which file referred to in:
https://radio-alanya.no/wp-includes/css/

Took care of both “More Details” when opened them if needed.

• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.
• This reply was modified 2 years, 7 months ago by aages.

It’s odd that the plugins aren’t detecting the malware.

I can now see the pop-up on my end. It appears when I visit either of the links detected by Securi:

• https://radio-alanya.no/.git/HEAD&#8221
• https://radio-alanya.no/wp-includes/css/

Compare your /wp-includes/css/ folder to this to see if you have any extra files/folders.

I think the dot at the beginning of “.git” means “git” is a hidden folder. Your file manager should have a setting to show hidden files/folders.

Yes I see .htaccess in the folder but no .git using cPanel

@clarus-dignus

Hi again, thank you so much for bearing with me and assisting me a lot.

Checked all the css folders and under folders and it was the same number here and what you had, and – I did not see any funny change dates either on mine as this pop_up started only about a week or two ago.
Have made a link to Securi findings.

https://radio-alanya.no/Securi_results.txt

See this answer regarding searching all your WordPress files for eval( or base64_decode.

Your file manager or computer should have a way of searching the contents of the files to save you having to open and search each file one by one.

Try posting a question on Stack Overflow, e.g., “Can’t find location of JavaScript-injecting malware detected by Sucuri.”

If you provide them this link, they’ll be able to see the scan results, malware, and malware location:

https://sitecheck.sucuri.net/results/https/radio-alanya.no

After searching your files, you might need to search your database:

https://medium.com/@ostapkorkuna/fighting-a-russian-hacker-a-story-of-one-infected-wordpress-website-5ca0318f7a7a

This what I got from Stack Overflow:

Welcome! FYI this is off-topic here, as it has nothing to do with programming. But also: you’re posting a link that people have to follow, to even begin to understand what you’re referring to. And you’ve tagged this as malware and spam – really, nobody should be clicking on that link. –
David Makogon
53 mins ago