If you are using WordPress, there is malware going around that is not detected by all browsers.
Many users have reported that Google Chrome is reporting malware on their site. The attack exploits a security hole in the timthumb script.
If you are affected by that malware, here is a step-by-step guide to remove it.
1. Check your wp-config.php file. This file should have around 92 lines and end with
require_once(ABSPATH . 'wp-settings.php');
Don't be fooled by empty lines: scroll down and see whether your cursor moves past that line and keeps going down. If yes, then go all the way to the end; usually after 2000-3000 lines you will find code, which needs to be removed.
Follow the steps below to remove the code:
- Copy all the code from the beginning to around line 92 (the line mentioned above), then create a new file named test.php and paste the copied code into it (optional: you can create another copy as a backup of your configuration settings), then save the file.
- Check that the new file exists, and open it to make sure the pasted settings are in place within the file (PLEASE, don't skip this step).
- Then rename the old wp-config.php to, say, "wp-config-old.php", and rename test.php to wp-config.php.
2. If your WordPress is installed in the root of your public_html, then move your wp-config.php file one level up. If you have it on a subdomain or in a sub-folder, then leave it as it is.
3. Check your site at http://sitecheck.sucuri.net/scanner/ and see which files are infected. You need to restore those files from a known good backup version, or re-install WP from the dashboard and re-scan.
4. You have to manually check your .js files for strings like
If there are any, then you need to update those files as well.
5. Check whether you have the file mentioned below on your server.
/wp-content/themes/[theme’s name]/temp/eab9c5e9815adc4c40a6557495eed6d3.php (or similar)
If yes, then remove those files.
6. Check index.php and delete everything between:
7. Check which of your plugins is using timthumb; you need to disable that plugin or update it to the latest version. (Having this malware suggests that you have timthumb as well.)
8. Change the admin password (you should not have a user named admin on your site; this is actually a security threat. Any user name can be given administrative access), the SQL password, the cPanel password, etc.
9. Change your Unique Keys and Salts in the wp-config file. (If you are not sure about this, then Check Here.)
10. You might still receive the message if you have accessed your blog earlier, because you have to update Google via Google Webmaster Tools.
Go to the dashboard of the domain that shows the message, go to Diagnostics > Malware, and request a review; in less than 60 seconds the message is gone (if Google has not recorded it yet, clearing cookies will get rid of the message).
I know it looks like a lot, but all of this needs to be done to make sure that your site is safe.
I hope this helps you save your site from the malware attack. If you have any more tips, then share them with us through the comments.
Update: you can add the lines below to the .htaccess in your root folder, not in public_html.
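Steps 1 and 5 can also be checked with a short script. This is an added example, not part of the original guide; the 32-hex-character file name pattern (taken from the shape of the file name in step 5) and the SAMPLE config are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Last statement of a stock wp-config.php (step 1 of the guide).
END_MARKER = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;")
# Assumption: dropped files look like the step 5 example, 32 hex chars + ".php".
HEX_PHP = re.compile(r"^[0-9a-f]{32}\.php$", re.IGNORECASE)


def trailing_code(config_text):
    """Return (line_number, text) for each non-blank line found after the
    wp-settings.php include, however many blank lines come first."""
    lines = config_text.splitlines()
    end = None
    for i, line in enumerate(lines):
        if END_MARKER.search(line):
            end = i  # keep the last match
    if end is None:
        raise ValueError("wp-settings.php include not found; inspect the file by hand")
    return [(n + 1, text.strip()) for n, text in enumerate(lines)
            if n > end and text.strip() not in ("", "?>")]


def dropped_scripts(wp_root):
    """List hash-named .php files in wp-content/themes/<theme>/temp/ (step 5)."""
    themes = Path(wp_root) / "wp-content" / "themes"
    return sorted(p for p in themes.glob("*/temp/*.php") if HEX_PHP.match(p.name))


# Constructed sample: a short config, 2500 blank lines, then a harmless stand-in.
SAMPLE = ("<?php\ndefine('DB_NAME', 'wp');\n"
          "require_once(ABSPATH . 'wp-settings.php');\n"
          + "\n" * 2500
          + "echo 'constructed stand-in for injected code';\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python check_wp.py /path/to/wordpress
        root = Path(sys.argv[1])
        text = (root / "wp-config.php").read_text(errors="replace")
        hits, drops = trailing_code(text), dropped_scripts(root)
    else:
        hits, drops = trailing_code(SAMPLE), []
    for number, text in hits:
        print(f"wp-config.php line {number}: {text[:80]}")
    for path in drops:
        print(f"suspicious file: {path}")
```

Run without arguments it reports the stand-in line in the constructed sample; given a WordPress directory it reads that site's wp-config.php and theme temp folders and changes nothing.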
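# Flag requests whose Referer points at the domain (the Referer is a full URL, so match the scheme as well)
SetEnvIfNoCase Referer "^https?://(www\.)?superpuperdomain2?\.com" ban
# Evaluate allow first, then deny, so the deny rules below take effect
Order allow,deny
deny from 91.220
deny from 91.196
deny from env=ban
allow from all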
This should deny access to these hackers. Thanks MickeyRoush for the tip on SetEnvIfNoCase.