Viewing 15 replies - 31 through 45 (of 55 total)
  • I now know that iSlidex’s copy of timthumb.php was the entry point for my attack. Don’t overlook any active WP install on your server. Every live WP site on my server was infected.

    Check wp-config.php for more than 92 lines. It might look empty, but it will have code later, at around lines 2000-5000; the code is small, around 20-30 lines. If somebody wants a snippet, ping me. You don’t need those lines; the file should be 91 lines only.

    In the raw visitor log on the server, check for server 91.196.216.20; this was the infection point for my site. This URL also has the script which was executed, and this script can give you an idea about what files you need to check. (Don’t open it with the full URL; you need to take the number, like 15.txt, from the URL and use it like https://91.196.216.20/15.txt to open the script.)

    If WordPress is installed in the root folder, you can move wp-config.php up by one level, which will bring it out of the public folder.

    Also make sure that you either reinstall WordPress or change the security key, and delete all the cookies and browsing data from the browser.

    Hope this will help.

    Thank you, Sanjeev. I had scrolled way down but had still missed the lines further down. They have now been removed. Thank you for this valuable tip.

    @ iamlenox

    Chris, my sites are receiving the “Malware (counter-wordpress.com) Warning on Chrome” just like everyone else’s, so while the majority are using TimThumb, which seems to be largely affected by this issue, they aren’t the only WordPress sites affected.

    Some themes and plugins have renamed timthumb.php to thumb.php or thumbs.php. If you see one similar to those in your theme(s) or plugin(s) please contact the particular developer to find out exactly if they are using timthumb or a derivative of it.

    I have created a step-by-step guide to help. You can also use it or make suggestions.

    https://makewebworld.com/2011/08/tips/how-to-remove-counter-wordpress-malware/

    Thank you for all your help with this issue, members… I think I found all the offending files and updated what was needed. Wouldn’t have had a clue without this forum!

    Sam

    For any ElegantThemes members, be sure to update your theme to the latest version. This vulnerability was fixed several weeks ago. I have noticed two major hacks going around. If you have already been hit, then the first thing you should do is open wp-config.php and delete everything after:

    require_once(ABSPATH . 'wp-settings.php');

    Next open index.php and delete everything between:

    require('./wp-blog-header.php');

    ?>

    After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as https://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.

    Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It’s also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don’t have any timthumb.php files lying around.

    ET members, feel free to send me an email if you need help: https://www.elegantthemes.com/contact.html
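    A script that performs the two file checks described in this post and in the earlier wp-config.php tip (nothing should follow the wp-settings.php include in wp-config.php, and nothing should sit between the wp-blog-header.php require and the closing ?> in index.php), as an added example that is not code from this thread, from WordPress or from ElegantThemes. The sample file contents are constructed, with a harmless placeholder standing in for injected code, so that the blank-line padding trick shows up in the line count.

```python
"""Check wp-config.php and index.php for code left after the points the
forum posts tell you to truncate at. Added example, not code from the thread."""
import re

# Constructed sample files (not taken from a real infection). The injected
# "payload" is a harmless placeholder so the sample demonstrates the padding
# trick: legitimate content, ~2000 blank lines, then extra code far below.
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    "define('DB_USER', 'wpuser');\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
    + "\n" * 2000
    + "<?php /* PLACEHOLDER for injected code */ ?>\n"
)
SAMPLE_INDEX = (
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require('./wp-blog-header.php');\n"
    "echo 'PLACEHOLDER injected line';\n"
    "?>\n"
)

# The last legitimate statement of each file, per the posts above.
WP_CONFIG_END = re.compile(
    r"require_once\s*\(\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)\s*;")
INDEX_END = re.compile(r"require\s*\(\s*['\"]\./wp-blog-header\.php['\"]\s*\)\s*;")
CLOSE_TAG = re.compile(r"^\s*\?>\s*$")


def trailing_code(text, marker):
    """Non-blank lines after the last line matching `marker`.
    Returns None when the marker is absent (the file is not recognisable)."""
    lines = text.splitlines()
    last = None
    for i, line in enumerate(lines):
        if marker.search(line):
            last = i
    if last is None:
        return None
    return [l for l in lines[last + 1:] if l.strip()]


def scan_wp_config(text):
    """Flag anything after the wp-settings.php include, and report the line
    count so a file padded with thousands of blank lines stands out."""
    extra = trailing_code(text, WP_CONFIG_END)
    return {
        "line_count": len(text.splitlines()),
        "trailing_code": extra,
        "suspicious": extra is None or len(extra) > 0,
    }


def scan_index(text):
    """Flag anything between the wp-blog-header.php require and the closing ?>."""
    extra = trailing_code(text, INDEX_END)
    if extra is None:
        return {"between": None, "suspicious": True}
    between = [l for l in extra if not CLOSE_TAG.match(l)]
    return {"between": between, "suspicious": len(between) > 0}


if __name__ == "__main__":
    # On a real install pass the file contents read from disk instead of the
    # samples; both scan functions are pure and take only the text.
    for name, report in (("wp-config.php", scan_wp_config(SAMPLE_WP_CONFIG)),
                         ("index.php", scan_index(SAMPLE_INDEX))):
        print(name, report)
```

The scanner reports rather than truncates, so you can review what it found before deleting anything; a file where the marker line is missing altogether is also reported as suspicious, since a legitimate wp-config.php always contains the include.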

    This script is very popular throughout the theme community.

    As far as I’m aware, it’s not been allowed in any WPORG theme for a while now.

    There are still many themes outside the repository that use the script. It’s worth checking your inactive themes for the file.

    @ sanjeevmohindra

    May I make a suggestion? (Sorry, I didn’t have time to register with your site.)

    These lines may not work for everyone:
    deny from superpuperdomain.com
    deny from superpuperdomain2.com

    Denying based on the remote hostname will only work on a server that has reverse-DNS lookups enabled (some don’t).

    Better to use SetEnvIfNoCase Referer. Something like this:
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain\.com ban
    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2\.com ban
    deny from env=ban

    So:

    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2?\.com ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all
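    To see what the rules in this post would actually do, here is a small replay of them over constructed Apache combined-format log lines, as an added example that is not code from this thread and not an Apache tool. It applies the same two kinds of rule: the partial-address denies (Apache reads `deny from 91.196` as the whole 91.196.0.0/16 range) and the Referer pattern. One check worth making before relying on the pattern: as posted it is anchored at the start of the header value with `^`, so it matches only a bare hostname; a browser normally sends the Referer as a full URL starting with `http://` or `https://`, which the anchored pattern does not match. The block includes a second pattern that allows an optional scheme; which one fits depends on what your own log shows, so treat it as an assumption to verify. The IP addresses in the sample are documentation ranges except 91.196.216.20, which is named earlier in the thread.

```python
"""Replay the .htaccess rules from the post above against sample log lines to
see which requests they would deny. Added example, not code from the thread."""
import re
from ipaddress import ip_address, ip_network

# Constructed Apache combined-format log lines (documentation IPs, except the
# 91.196.216.20 address mentioned earlier in this thread).
SAMPLE_LOG = """\
91.196.216.20 - - [10/Aug/2011:03:14:07 +0000] "GET /wp-content/themes/example/timthumb.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2011:03:15:22 +0000] "GET /index.php HTTP/1.1" 200 4096 "http://superpuperdomain.com/page" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:03:16:01 +0000] "GET / HTTP/1.1" 200 4096 "http://www.example.org/" "Mozilla/5.0"
198.51.100.8 - - [10/Aug/2011:03:16:45 +0000] "GET / HTTP/1.1" 200 4096 "superpuperdomain2.com" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# "deny from 91.220" / "deny from 91.196": Apache treats a partial dotted
# address as a prefix, i.e. the whole 91.220.0.0/16 and 91.196.0.0/16 ranges.
DENIED_NETS = [ip_network("91.220.0.0/16"), ip_network("91.196.0.0/16")]

# The pattern exactly as posted: anchored at the start of the header value.
REFERER_AS_POSTED = re.compile(r"^(www\.)?superpuperdomain2?\.com", re.IGNORECASE)
# Variant that also accepts the scheme a browser normally sends (assumption:
# your referers arrive as full URLs; confirm against your own log first).
REFERER_WITH_SCHEME = re.compile(
    r"^(https?://)?(www\.)?superpuperdomain2?\.com", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_denied(entry, referer_re):
    """Mirror 'order allow,deny': a request matching any deny rule is refused."""
    addr = ip_address(entry["ip"])
    if any(addr in net for net in DENIED_NETS):
        return True
    return referer_re.search(entry["referer"]) is not None


def classify(log_text, referer_re):
    """Return (ip, referer, denied) for every parsable line, in log order."""
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            out.append((entry["ip"], entry["referer"], is_denied(entry, referer_re)))
    return out


if __name__ == "__main__":
    for label, pattern in (("as posted", REFERER_AS_POSTED),
                           ("with scheme", REFERER_WITH_SCHEME)):
        print(label)
        for ip, ref, denied in classify(SAMPLE_LOG, pattern):
            print(f"  {'DENY ' if denied else 'ALLOW'} {ip:16} referer={ref}")
```

Running it shows the second sample line (a full-URL referer from superpuperdomain.com) being allowed by the pattern as posted and denied by the variant, while the IP-based denies behave the same either way; that is the quickest way to confirm whether the `^` anchor is what you want on your server.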

    I have got a problem on my site fun54.com. I came to know through Webmaster Tools that my site is linking to counter-wordpress.com, which contains malware (malicious software). I consulted the web hosting and they said that they cleaned my jQuery files and updated them.

    First I was checking the status of my site here:
    https://sitecheck.sucuri.net/scanner/
    and the result was bad, but after the replacement or updating of the jQuery files my website status went GREEN. OK. FINE. ??

    But the problem actually listed below is what I am still facing:

    URL 1: https://www.fun54.com/10-inspirational-love-quotations-sayings-for-him-and-her

    URL 2: https://www.fun54.com/10-inspirational-love-quotations-sayings-for-him-and-her?fb_xd_fragment

    Google Webmaster Tools displays these kinds of URLs of my site in the Malware error report.
    If the jQuery error has been removed, then why is URL 2 still working?

    And my site is still under the harmful listed sites in Google; why is it not removed from Google’s suspicious sites list?

    If anyone can help / reply, then please.

    I will be thankful to you.

    Bye

    Emily

    My site has been infected with malware.

    I have done everything and now my site is clean here: https://sitecheck.sucuri.net/scanner/

    But Google’s search results say I have malware: “This site may harm your computer” and I can no longer open my website with Google Search. I can open it only through direct link.

    Please, help me!

    Hi,

    I just re-installed WordPress and the warning went away. But I don’t know if any further hacking was done.

    Regards,
    Melvin

    @mickeyroush

    Thanks, Mickey, for the suggestion. In fact I was thinking of removing the domain name because I am not sure the attack comes only from that domain.

    The IP I am sure about, and I have checked the log on my server to confirm that also.

    Anyhow, it’s better to use it as you suggested; I will change it in my guide.

    PS: You don’t need to register to post the comment there. :)

    @mlrose45 @melvinramos @wordme

    I hope you guys have checked your wp-config.php file as mentioned in all the posts.

    If you are not sure about all the files, check this post.

  • The topic ‘Malware (counter-wordpress.com) Warning on Chrome’ is closed to new replies.