How to Remove Counter-WordPress Malware

If you are using WordPress, be aware that a malware campaign is currently going around, and not every browser detects it.

Many users have reported that Google Chrome flags malware on their site. The attack exploits a security hole in the TimThumb script.

If you are affected by this malware, here is a step-by-step guide to remove it.

1. Check your wp-config.php file. This file should have around 92 lines and end with

require_once(ABSPATH . 'wp-settings.php');

Don't be fooled by empty lines: scroll down and check whether your cursor keeps moving past that line. If it does, go all the way to the end of the file; usually after 2000-3000 blank lines you will find injected code, which needs to be removed.

Follow the steps below to remove the code:

  • Copy all the code from the beginning of the file to around line 92 (the line mentioned above), create a new file named test.php and paste the copied code into it (optional: create another copy as a backup of your configuration settings), then save the file.
  • Check that the new file exists, and open it to make sure the pasted settings are in place (PLEASE don't skip this step).
  • Then rename the old wp-config.php to, say, "wp-config-old.php", and rename test.php to wp-config.php.

2. If your WordPress is installed in the root of your public_html, move your wp-config.php file one level up. If it is installed in a subdomain or sub-folder, leave it where it is.

3. Scan your site at http://sitecheck.sucuri.net/scanner/ and see which files are infected. Restore those files from a known-good backup, or re-install WordPress from the dashboard, and then re-scan.

4. Manually check your .js files for strings like

x64x20x35x28x29x7Bx62x20x30x3Dx32x2Ex63x28x22x33

If there are any, you need to replace those files as well.

5. Check whether the files listed below exist on your server.

/wp-content/upd.php
wp-admin/upd.php
/wp-content/themes/[theme's name]/temp/eab9c5e9815adc4c40a6557495eed6d3.php (or similar)

If they do, remove those files.

6. Check index.php and delete everything between:

require('./wp-blog-header.php');

?>

7. Check which of your plugins uses TimThumb; you need to disable that plugin or update it to the latest version. (Having this malware at all suggests that you have TimThumb somewhere.)

8. Change the admin password (you should not have a user named "admin" on your site; that is itself a security risk, and any user name can be given administrative access), as well as the SQL password, cPanel password, etc.

9. Change your Unique Keys and Salts in the wp-config file. (If you are not sure how, check here.)

10. You might still see the warning if you accessed your blog earlier, because you have to ask Google to re-check the site via Google Webmaster Tools.

Go to the dashboard of the domain that shows the warning, open Diagnostics > Malware, and request a review; in less than 60 seconds the message is gone (if Google has not recorded the site yet, clearing your cookies will get rid of the message).

I know it looks like a lot, but all of this needs to be done to make sure that your site is safe.

Hope this helps you save your site from the malware attack. If you have any more tips, share them with us through the comments.
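A small scanner for the file-level checks in steps 1, 4 and 5 above (the code appended after the closing require_once in wp-config.php, the hex-escape runs in .js files, and the dropped upd.php and theme temp files). This is an added example, not code from the original post; the function names and the minimum run length of 12 hex groups are my own assumptions, and the sample inputs are constructed.

```python
import re
from pathlib import Path

# Closing line of a clean wp-config.php, as quoted in step 1 of the post.
WP_CONFIG_TERMINATOR = "require_once(ABSPATH . 'wp-settings.php');"

# Signature of the obfuscated payload quoted in step 4: a run of "x" plus two
# hex digits, with or without the backslash of a JS \xNN escape. The minimum
# of 12 groups is an assumed threshold to skip the odd legitimate escape.
HEX_RUN = re.compile(r"(?:\\?x[0-9a-fA-F]{2}){12,}")

# Dropped files named in step 5, relative to the WordPress root.
DROPPED_FILES = ("wp-content/upd.php", "wp-admin/upd.php")

def wp_config_trailer_line(text):
    """Step 1: return the 1-based line where non-blank content resumes after the
    closing require_once, or 0 if the file ends cleanly (or has no terminator)."""
    idx = text.find(WP_CONFIG_TERMINATOR)
    if idx == -1:
        return 0  # cannot judge automatically; inspect by hand
    end = idx + len(WP_CONFIG_TERMINATOR)
    tail = text[end:]
    if not tail.strip():
        return 0
    skipped = len(tail) - len(tail.lstrip())  # the padding of blank lines
    return text.count("\n", 0, end + skipped) + 1

def js_hex_runs(text):
    """Step 4: every suspicious hex run found in a JavaScript source."""
    return HEX_RUN.findall(text)

def scan_wordpress_root(root):
    """Walk a WordPress install and report the indicators from steps 1, 4 and 5."""
    root = Path(root)
    report = {"wp_config_trailer_line": 0, "hex_js": [], "dropped": []}
    cfg = root / "wp-config.php"
    if cfg.is_file():
        report["wp_config_trailer_line"] = wp_config_trailer_line(
            cfg.read_text(errors="ignore"))
    for js in sorted(root.rglob("*.js")):
        if js_hex_runs(js.read_text(errors="ignore")):
            report["hex_js"].append(js.relative_to(root).as_posix())
    for rel in DROPPED_FILES:
        if (root / rel).exists():
            report["dropped"].append(rel)
    # Step 5's third path: any PHP file inside a theme's temp/ directory.
    for p in sorted(root.glob("wp-content/themes/*/temp/*.php")):
        report["dropped"].append(p.relative_to(root).as_posix())
    return report
```

Call scan_wordpress_root("/path/to/wordpress") and hand-check every path it reports against a clean copy; it only flags files, it does not clean them.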

Update: you can add the lines below to the .htaccess in your root folder (not the one inside public_html). The dots in the Referer pattern are escaped so they match a literal dot rather than any character.
SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2?\.com ban
order allow,deny
deny from 91.220
deny from 91.196
deny from env=ban
allow from all
This should deny access to these attackers. Thanks to MickeyRoush for the tip on SetEnvIfNoCase.

22 COMMENTS

  1. For ordinary folk like me, the instructions are easy and helpful. I successfully worked through removing the malware with my little knowledge of code.
    Does the software available against malware help prevent the attack?
    Some very informative information though. Thanks

  2. I have a website (WordPress / Magento) infected by this malware.
    When I look at wp-config.php, the information about the database connection is not the right one. And my database is empty.
    Has anyone already had this case?

    • I have not heard of anything like that before; most of the time it was a redirect set up to some other malware site and some code added way down in the wp-config.php file.
      Were you able to recover your data?

      • It was a mistake on my part (no database hacked).
        The web hosting company had proposed a WordPress auto-install which doesn't use the customer database and which is not accessible through phpMyAdmin, hence my confusion.

  3. Hi Sanjeev.
    I have started a blog on IBPS. I have a problem. I am able to open my website http://ibpsupdates.com in a normal browser, but I am not able to open the same web page from Google organic search results. When I type ibpsupdates in Google search, all my web pages are displayed but will not open. It will be a great help if you can solve that problem.

    Regards,
    Santosh.

    • Santosh, I am not able to browse your site from anywhere. If you are still able to see it from your local browser, you might be seeing a cached version; try clearing your cache and reloading. It looks like some issue with the way you have set it up, as I always get a network error. Could you check that your domain has the correct name servers associated with it?

  4. Good to know this. My question is, how does it get there in the first place?

    I do limit access to my wp-admin folder using my htaccess file, to IP Addresses only I use. So no one else could login even if they stole the password.

    Is this the route the Malware gets in, or is it even more sinister than that?

    Best wishes

    Tony

    • This actually gets in through an old TimThumb script, which can be in any plugin or in the theme. It does not come in through the wp-admin folder.

      A good way to check whether your blog is vulnerable is the Timthumb Vulnerability Scanner plugin, which is available in the plugin library. Install that plugin and run it; it will tell you which files are vulnerable and also provides a quick way to patch them (install the latest version of the TimThumb script).

  5. Thanks for all the great sharing I'm seeing here. I am trying to rid a site of the counter-wordpress malware for a friend and I'm in over my head, not being a PHP programmer. Without this help he would still be stuck, but we're not quite out of the woods yet. The Sucuri scan is now showing no malware, but Google's malware check in their tools shows a problem with "/wp-includes/js/l10n.js?ver=20101110". I replaced l10n.js from a fresh download of WordPress, and my meager toolkit doesn't show the long block of hex that Google is objecting to and thus keeping it on its blacklist. Two questions for you gurus:
    1) what does the "?ver=20101110" do in the PHP here?
    2) is it possible Google is really slow clearing its own cache(s), so that 6-8 hours later it is still seeing the old l10n.js that I replaced with a fresh one from WordPress?

    Thanks

    • Re my previous comment: about 30 minutes later Google says we pass the malware test, so that is just the speed (over 8 hours) one should expect, I suppose.

      Also, I have since learned a smidgen of JS and now understand the ?ver= syntax. Hope I got this up before anyone wasted any time on it.

      Thanks again!

  6. What do you think about it: (could be much better?)

    SetEnvIfNoCase Referer ^(superpuperdomain[^.]?|newportalse|counter-wordpress)\. ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all

    Thank you.

  7. This is my .htaccess info:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    Where do I have to insert your suggestion?
    Thank you.

  8. Add these to your .htaccess; it looks like the attack is coming from these servers:

    SetEnvIfNoCase Referer ^(www\.)?superpuperdomain2?\.com ban
    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from env=ban
    allow from all

  9. List of files which may be infected; if you have any of them, check those:

    jquery-1.0.1.js, jquery-1.0.1.pack.js, jquery-1.0.2.js, jquery-1.0.2.pack.js, jquery-1.0.3.js, jquery-1.0.3.pack.js, jquery-1.0.4.js, jquery-1.0.4.pack.js, jquery-1.0.js, jquery-1.0.pack.js, jquery-1.1.1.js, jquery-1.1.1.pack.js, jquery-1.1.2.js, jquery-1.1.2.pack.js, jquery-1.1.3.1.js, jquery-1.1.3.1.min.js, jquery-1.1.3.1.pack.js, jquery-1.1.3.js, jquery-1.1.3.pack.js, jquery-1.1.3a.js, jquery-1.1.4.js, jquery-1.1.4.pack.js, jquery-1.1.js, jquery-1.1.pack.js, jquery-1.1a.js, jquery-1.1a.pack.js, jquery-1.1b.js, jquery-1.1b.pack.js, jquery-1.2.1.js, jquery-1.2.1.min.js, jquery-1.2.1.pack.js, jquery-1.2.2.js, jquery-1.2.2.min.js, jquery-1.2.2.pack.js, jquery-1.2.2b.js, jquery-1.2.2b.min.js, jquery-1.2.2b.pack.js, jquery-1.2.2b2.js, jquery-1.2.2b2.min.js, jquery-1.2.2b2.pack.js, jquery-1.2.3.js, jquery-1.2.3.min.js, jquery-1.2.3.pack.js, jquery-1.2.3a.js, jquery-1.2.3a.min.js, jquery-1.2.3a.pack.js, jquery-1.2.3b.js, jquery-1.2.3b.min.js, jquery-1.2.3b.pack.js, jquery-1.2.4.js, jquery-1.2.4.min.js, jquery-1.2.4.pack.js, jquery-1.2.4a.js, jquery-1.2.4a.min.js, jquery-1.2.4a.pack.js, jquery-1.2.4b.js, jquery-1.2.4b.min.js, jquery-1.2.4b.pack.js, jquery-1.2.5.js, jquery-1.2.5.min.js, jquery-1.2.5.pack.js, jquery-1.2.6-vsdoc.js, jquery-1.2.6.js, jquery-1.2.6.min.js, jquery-1.2.6.pack.js, jquery-1.2.js, jquery-1.2.min.js, jquery-1.2.pack.js, jquery-1.3.1.js, jquery-1.3.1.min.js, jquery-1.3.1.pack.js, jquery-1.3.1rc1.js, jquery-1.3.1rc1.min.js, jquery-1.3.1rc1.pack.js, jquery-1.3.2.js, jquery-1.3.2.min.js, jquery-1.3.2.pack.js, jquery-1.3.js, jquery-1.3.min.js, jquery-1.3.pack.js, jquery-1.3b1.js, jquery-1.3b1.min.js, jquery-1.3b1.pack.js, jquery-1.3b2.js, jquery-1.3b2.min.js, jquery-1.3b2.pack.js, jquery-1.3rc1.js, jquery-1.3rc1.min.js, jquery-1.3rc1.pack.js, jquery-1.3rc2.js, jquery-1.3rc2.min.js, jquery-1.3rc2.pack.js, jquery-1.4.1-vsdoc.js, jquery-1.4.1.js, jquery-1.4.1.min.js, jquery-1.4.2.js, jquery-1.4.2.min.js, jquery-1.4.3.js, jquery-1.4.3.min.js, 
jquery-1.4.3rc1.js, jquery-1.4.3rc1.min.js, jquery-1.4.3rc2.js, jquery-1.4.3rc2.min.js, jquery-1.4.4.js, jquery-1.4.4.min.js, jquery-1.4.4rc1.js, jquery-1.4.4rc1.min.js, jquery-1.4.4rc2.js, jquery-1.4.4rc2.min.js, jquery-1.4.4rc3.js, jquery-1.4.4rc3.min.js, jquery-1.4.js, jquery-1.4.min.js, jquery-1.4a1.js, jquery-1.4a1.min.js, jquery-1.4a2.js, jquery-1.4a2.min.js, jquery-1.4rc1.js, jquery-1.4rc1.min.js, jquery-1.5.1.js, jquery-1.5.1.min.js, jquery-1.5.1rc1.js, jquery-1.5.1rc1.min.js, jquery-1.5.2.js, jquery-1.5.2.min.js, jquery-1.5.2rc1.js, jquery-1.5.2rc1.min.js, jquery-1.5.js, jquery-1.5.min.js, jquery-1.5b1.js, jquery-1.5b1.min.js, jquery-1.5rc1.js, jquery-1.5rc1.min.js, jquery-1.6.js, jquery-1.6.min.js, jquery-1.6b1.js, jquery-1.6b1.min.js, jquery-1.6rc1.js, jquery.js, l10n.js, jquery-1.6rc1.min.js