Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Author Frank Goossens

    (@futtta)

    wow, that’s a first. the only idea I can come up with that makes sense; one of the original JS-files is infected. you could temporarily disable js optimization, hoping that Google will then point at the exact culprit?

    hope this helps,
    frank

    Thread Starter rapidpage

    (@rapidpage)

    Hi Frank, the Malware software by https://gotmls.net/ has identified 91 infections and is trying to quarantine them, they are all in the cache section of the plugin, this has infected every site that uses the Autoptimize plugin.

    After the scan i will do as you said and temporarily turn off the plugin and go to my google webmaster tools and ask them to rescan the site.

    Thanks for your quick response!

    Cheers, Nicholas

    Thread Starter rapidpage

    (@rapidpage)

    …/public/wp-content/cache/autoptimize/js/autoptimize_1fe1b254bc450b56822c902bcab6d89a.js
    …/public/wp-content/cache/autoptimize/js/autoptimize_26864880039e2124703e3f43bf62fe4e.js
    …/public/wp-content/cache/autoptimize/js/autoptimize_2c7bfed92f49a1f57471c7989a300e97.js
    …/public/wp-content/cache/autoptimize/js/autoptimize_2d6c0ea2da090a62efb264cc56b0605d.js
    …/public/wp-content/cache/autoptimize/js/autoptimize_342a4d71161c830ea5d67ddcb338ebcb.js
    …/public/wp-content/cache/autoptimize/js/autoptimize_3527a18ab30e6806f51ecbc9d908a9c8.js

    Are some of the questionable files

    Plugin Author Frank Goossens

    (@futtta)

    Hmm, didn’t know gotmls scanner. In that case I would empty AO-cache and disable AO (or the JS-optimization) and run that malware software immediately to try to identify the offending script (instead of waiting for google). That way you can remove the plugin that carries the malware, re-enable AO and go on being merry?

    kind regards,
    frank

    Plugin Author Frank Goossens

    (@futtta)

    re the list of questionable files; as AO merely aggregates & minimizes the original JS of your WP-installation, the list of files in cache/autoptimize/js/ is specific to your site and is of little or no further use I’m afraid.

    Instead you’ll really have to have the scanner run on your site without AO’s JS optimization active, to identify which of the original JS-files (probably as part of plugin) are effectively infected.

    frank

    Thread Starter rapidpage

    (@rapidpage)

    Hi Frank, how do i turn off .js optimization in AO? I did what you have said and rescanning, looking very good now,
    Nicholas.

    Thread Starter rapidpage

    (@rapidpage)

    I found the setting for javascript optimize and i have turned that off, so far still looking really good, thanks.

    Thread Starter rapidpage

    (@rapidpage)

    after turning off the js optimize i drop from 80% page speed by https://gtmetrix.com to 75 and B rating to C rating, any ideas?

    Plugin Author Frank Goossens

    (@futtta)

    well, with js optimization disabled you should re-run the scanner, to find out if there is a plugin with rogue js and remove (quarantine/ disable) that. once all is safe, you can re-enable AO JS-optimization.

    frank

    Thread Starter rapidpage

    (@rapidpage)

    ok, will try now, thanks!

    Thread Starter rapidpage

    (@rapidpage)

    i have done as suggested and will wait for google to rescan my site

    Thread Starter rapidpage

    (@rapidpage)

    i am still getting this from the malware detection, should i just exclude this folder from the scan?

    Thread Starter rapidpage

    (@rapidpage)

    https://salesintegration.ca/wp-includes/js/json2.min.js, it had injected code, i am doing a complete reinstallation of WordPress

    Plugin Author Frank Goossens

    (@futtta)

    1. never exclude any directory from being scanned, better to have false positives that prove wrong than false negatives (which one would not know about).

    2. json2.min.js might point to soaksoak, which currently is targeting old versions of revslider, see https://blog.sucuri.net/2014/12/soaksoak-new-wave-evolution-attacks.html for more info.

    stay strong & updated in 2015

    frank

    Thread Starter rapidpage

    (@rapidpage)

    I updated the json2.min.js with the latest from the wordpress install and resubmitting to google…
    Thanks again.
    Nicholas
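
The approach the thread converges on (check the original JS files rather than the aggregated cache, then restore a modified core file from a clean copy), as an added example that is not part of the original posts or Autoptimize's own code. The function names, the clean reference tree and the files built in `demo()` are constructed assumptions.

```python
# Added example: audit a site's .js files against a clean reference copy.
# All paths and file contents in demo() are constructed sample data.
import hashlib
import tempfile
from pathlib import Path

CACHE_DIR = "wp-content/cache/autoptimize/"  # aggregated output, per the thread

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_js(site_root, clean_root):
    """Classify each .js file: modified (differs from the clean copy),
    unknown (no clean copy to compare with), derived (Autoptimize cache)."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    report = {"modified": [], "unknown": [], "derived": []}
    for js in sorted(site_root.rglob("*.js")):
        rel = js.relative_to(site_root).as_posix()
        reference = clean_root / rel
        if rel.startswith(CACHE_DIR):
            report["derived"].append(rel)   # rebuilt from sources; purge after cleanup
        elif not reference.is_file():
            report["unknown"].append(rel)   # plugin/theme file: needs its own reference
        elif digest(js) != digest(reference):
            # Size difference hints at how much code was added or removed.
            delta = js.stat().st_size - reference.stat().st_size
            report["modified"].append((rel, delta))
    return report

def write(root, rel, body):
    target = Path(root, rel)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(body)

def demo():
    """Audit a constructed site tree in which one core file has extra bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            write(root, "wp-includes/js/json2.min.js", b"/* stand-in core file */")
            write(root, "wp-includes/js/other.min.js", b"/* stand-in core file */")
        write(site, "wp-includes/js/json2.min.js", b"/* stand-in core file *//* ADDED */")
        write(site, "wp-content/plugins/example/app.js", b"/* stand-in plugin file */")
        write(site, CACHE_DIR + "js/autoptimize_example.js", b"/* aggregated */")
        return audit_js(site, clean)

if __name__ == "__main__":
    print(demo())
```

Cache files are reported as derived rather than skipped, so nothing is excluded from the audit; they only become trustworthy again once the sources are clean and the cache has been emptied and rebuilt.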

  • The topic ‘Malware’ is closed to new replies.