/webmasters/community?hl=en
/webmasters/community?hl=en
8/18/11
Original Poster
TroubledUser1

Malware in Wordpress

I have read the FAQs and checked for similar issues: YES.
My site's URL is: http://bit.ly/qcFZgI
Not listed by Google for malware: http://bit.ly/mUkmwS
Screenshot of browser error: http://bit.ly/qxCVAe
Description (including timeline of any changes made): In the last 24-hours Chrome and Firefox have been intermittently reporting malware on my site ( http://bit.ly/qcFZgI ). Google's has not flagged the site ( http://bit.ly/mUkmwS ) and in Google Webmaster tools nothing is detected either. The site is running Wordpress. The two sites that links are being found to are: teenburgmovies [dot] [biz] newportalse [dot] [com]. I cannot find any traces of them through a site search at the file level.
Facts:
- Webmaster tools not reporting any issue.
- Site is running Wordpress.
- Warning shows up intermittently.
- I have removed a plugin that was installed within the past 24 hours although I did not find malicious code in it. Tweet Old Posts.
- I searched the site to find files modified in the past 4 days. The only malicious code found was:
-- A file named: c5ab6cebaca97f7171139e4d414ff5a6.php, which I removed.
-- I also found a blank file named MJ12_BF5C5B49DA2CE4F7C0838367EE7DE4F7.txt, which I removed).
From the many sites I have read this sounds like it may be the issue, but I cannot find out where the malicious code is living on the site:
http://bit.ly/rmgdG1
Any tips on how to find the malicious code? Despite my efforts the issue is still happening. Since the issue is intermittent I am at the mercy of user reporting. Over the past 24 hours I have only personally received the error once.
Community content may not be verified or up-to-date. Learn more.
All Replies (6)
Google user
8/18/11
Google user
Hopefully we will hear back from the OP/Sucuri on what they found on the site!   Are you running a file named  timthumbs.php  ?
8/18/11
Original Poster
TroubledUser1
I was rename about 48 hours ago and deleted about 24 hours ago.
Google user
8/18/11
Google user
There are alot of WP sites getting hacked through the timthumbs.php, it has allowed hackers to upload malicious files to sites using it.  You need to check your .htaccess file and make sure the hackers have not modified it.  Also need to check your core WP files such as wp-load.php, wp-config.php
/wp-content/plugins/plugin.php.  There is a listing for a simple script at http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html  which you can place on your site which may be helpful in finding any additional malware files.


8/18/11
Original Poster
TroubledUser1
http://sitecheck.sucuri.net/scanner/ found a JS file that was infected. I have deleted the file but the scanner still indicates the file exist/infected.
 
I have checked the .htaccess. Will check the others.
 
THANKS. I will post back later on what I find.
8/18/11
Original Poster
TroubledUser1
Looks like Securi is giving me the all clear now.
8/18/11
Original Poster
TroubledUser1
SOLUTION -------------------
 
The source of the malware was <site root>/wp-includes/js/l10n.js & <site root>/wp-includes/js/l10n.dev.js
 
I deleted both and it appears as though the malware warnings are gone.
 
http://sitecheck.sucuri.net/scanner/ helped me identify the file and confirm the malware is gone.
 
If I find any new traces I will update this post.
Were these replies helpful?
How can we improve them?
 
This question is locked and replying has been disabled. Still have questions? Ask the Help Community.

Badges

Some community members might have badges that indicate their identity or level of participation in a community.

 
Expert - Google Employee — Googler guides and community managers
 
Expert - Community Specialist — Google partners who share their expertise
 
Expert - Gold — Trusted members who are knowledgeable and active contributors
 
Expert - Platinum — Seasoned members who contribute beyond providing help through mentoring, creating content, and more
 
Expert - Alumni — Past members who are no longer active, but were previously recognized for their helpfulness
 
Expert - Silver — New members who are developing their product knowledge
Community content may not be verified or up-to-date. Learn more.

Levels

Member levels indicate a user's level of participation in a forum. The greater the participation, the higher the level. Everyone starts at level 1 and can rise to level 10. These activities can increase your level in a forum:

  • Post an answer.
  • Having your answer selected as the best answer.
  • Having your post rated as helpful.
  • Vote up a post.
  • Correctly mark a topic or post as abuse.

Having a post marked and removed as abuse will slow a user's advance in levels.

View profile in forum?

To view this member's profile, you need to leave the current Help page.

Report abuse in forum?

This comment originated in the Google Product Forum. To report abuse, you need to leave the current Help page.

Reply in forum?

This comment originated in the Google Product Forum. To reply, you need to leave the current Help page.