There is a vulnerability in old versions of TimThumb, read the article about it here. This week (starting on August 22) many WordPress users (with TimThumb) ran into problems with their websites. Google marked their websites as a risk (including one of my websites).
The websites connected to counter-wordpress.com. The script/malware had the ability to access your database, create a database dump, play sounds (?), get your WordPress password and more. Using the curl_setopt function, the attackers were able to install PHP scripts on your server.
So for those who have problems, a quick guide to fix this. And for those who don't have problems yet: update TimThumb (latest version here)!
Fix this malware warning step by step:
- Remove the injected code from your wp-config.php or upload a clean version.
- Inspect your wp-config.php. They add something like 3000 empty lines. Somewhere in the middle there is the malicious code. Delete it!
- Delete the files they injected with the curl_setopt function:
  - wp-admin/upd.php
  - wp-content/upd.php
- Some WordPress users (I didn't) found a 'temp' folder in their current theme folder with a file like eab9c5e9815adc4c40a6557495eed6d3.php, or something like that. Delete it.
- Update your WordPress if possible!
- Replace the following files with the original files from a clean WordPress installation:
  - wp-settings.php
  - wp-includes/js/jquery/jquery.js
  - wp-includes/js/l10n.js
  - * If you have problems overwriting them, delete them first (via FTP) and then upload the new file.
- Replace TimThumb with the latest version.
- Change your FTP password.
- Change your DB password and update it in wp-config.php.
- If Google is warning your visitors (right above the result description in the SERP), log in to Webmaster Tools and ask for a review. The warning should be gone within 24 hours.
- To be sure, check your website with these tools:
  - Download the Sucuri WP Check and follow the 'how to use' steps on their website.
  - Check your site with a security scanner.
- You're done!
Hopefully your site will be clean after you have followed the steps above. If you found other suspicious things, please let me know by writing a comment.
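An added check that automates the three symptoms described in the steps above (example code, not part of the original post or of any of the tools it mentions): it reports core files that differ from a clean WordPress copy, the upd.php droppers and hex-named theme 'temp' files, and a wp-config.php block hidden behind a long run of blank lines. The relative paths come from the post; the blank-line threshold and the dict-based file trees are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Paths the post names (relative to the WordPress root); the threshold below is an assumption.
CORE_FILES = ["wp-settings.php", "wp-includes/js/jquery/jquery.js",
              "wp-includes/js/l10n.js"]
DROPPERS = ["wp-admin/upd.php", "wp-content/upd.php"]
# 'temp' folder inside a theme holding a 32-hex-character .php file
HEX_TEMP_PHP = re.compile(r"^wp-content/themes/[^/]+/temp/[0-9a-f]{32}\.php$")


def padded_code_lines(text, min_blank_run=1000):
    """1-based line numbers of non-blank lines that follow at least
    min_blank_run blank lines: the trick used to hide the block in wp-config.php."""
    hits, run = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            run += 1
            continue
        if run >= min_blank_run:
            hits.append(no)
        run = 0
    return hits


def load_tree(root):
    """Read a directory into {relative posix path: bytes} so audit_site works on a real site."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_site(site, clean):
    """site/clean: {relpath: bytes}. Flags core files whose SHA-256 differs from the
    clean WordPress copy (or are missing), dropper-style files, and padded config code."""
    modified = [rel for rel in CORE_FILES
                if rel not in site or sha256(site[rel]) != sha256(clean.get(rel, b""))]
    droppers = [rel for rel in site if rel in DROPPERS or HEX_TEMP_PHP.match(rel)]
    cfg = site.get("wp-config.php", b"").decode("utf-8", "replace")
    return {"modified": modified, "droppers": sorted(droppers),
            "padded_config_lines": padded_code_lines(cfg)}
```

Run it as `audit_site(load_tree("/path/to/site"), load_tree("/path/to/clean-wordpress"))`; anything in "modified" or "droppers", or any line number in "padded_config_lines", is a file to inspect by hand.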
Great, first one to comment. Your blog came at the right time as this issue with my website just happened this morning. I did all the steps you have given me. I'm just waiting for the review from Webmaster Tools. I hope it will work. Big thanks for this.
You're welcome! If you still encounter problems tomorrow, please let me know.
Disable curl could also help:
http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/
Thanks Willian, that's good to know. When you want to update WordPress you could enable it again, because it needs the curl function.
This was in my wp-config.php, I deleted it:
Yes, that's the part.
TimThumb How do I upgrade? Where can I find this file? In recital?
Request a clue
Latest version is here: http://timthumb.googlecode.com/svn/trunk/timthumb.php
Download it, search your WordPress site for (an older version) timthumb.php and replace it with the file above.
Ok thx
Many thanks!!. Great post. solved my problem!
Many thanks!! I also got infected and could fix it
Thanks for your post!
My problem was also one line in the header:
I added `wp_deregister_script('l10n');` in my theme's functions.php and I got rid of the Google warnings...
You're welcome! Well, just removing the l10n from the header isn't the best solution. Download a fresh copy of WordPress and replace the file in wp-includes/js/l10n.js. Good luck!
I know it's not the best way to do it, but a fresh l10n.js didn't help in my situation. Maybe the reason is that the Google warning message is not about my site but about an invisible link to "counter-wordpress" (I don't know where or why this link is coming from). At least my system is working, and it also seems to download faster...
All right! It works and it's faster, you win.
No seriously, I think the Google warning stuck there because Google just hadn't reviewed your site yet, that takes some time. I don't know why it disappeared when you deleted the file, maybe the warning is 'hooked' to the l10n.js file. So even if it isn't infected Google will show the warning for a while.
You will find an explanation about the l10n.js file here (and why you shouldn't remove it):
http://wordpress.stackexchange.com/questions/5451/what-does-l10n-js-do-in-wordpress-3-1-and-how-do-i-remove-it
Hi,
Thanks for this useful information!
Since I’ve installed the WEBphysiology portfolio software, I was infected with the malware code.
I found the extra lines in my wp_config file and I’ve removed it. In fact I’ve followed exactly your steps.
Although it looks like my site is clean, I still get the warning message when logging in.
I’ve checked my webmaster dashboard, but it says there is no malware found…
Any idea how to solve this problem? And how can I figure out if I am really clean?
Thanks for your useful help so far!
Hi Ruben, I checked out the WEBphysiology portfolio software and it uses timthumb.php too, so there is the problem. Update the timthumb.php in the WEBphysiology portfolio software folder (it's in the folder scripts/thumb).
In my case it took about 6 hours before the warnings disappeared from the Google search engine results page. You can submit your site for a review (http://googlewebmastercentral.blogspot.com/2007/08/malware-reviews-via-webmaster-tools.html) and then just be patient.
Hmm, the strange thing is that on my Google Webmaster dashboard I can see my site isn't infected.... For that reason I simply can't submit my site for a re-check.
But if I log in to the wp-admin, I still see the warning :S
What do you think?
What's the URL? I will take a look.
http://www.hetmarketingmeisje.nl.
But the malware warning is only visible after login
Send me an email (info@reinaris.nl) with login details, I will take a look in the wp-admin then.
I have the same problem, only the message is visible throughout my whole website. I also can't re-check with Google Webmaster Tools because it says that my website isn't infected.
Any thoughts?
I don't see any message on your website. Also not in Google, and the security scan seems to be all right too. Clear your cache maybe?
Hello William and thank you for the insights. Both my websites got hit with the malware. One has been blocked by google: http://www.fotografomatrimonioroma.it
I followed your clear and precise instructions up to: replace the following file with original files from a clean WordPress installation:
wp-settings.php
wp-includes/js/jquery/jquery.js
wp-includes/js/l10n.js
When I tried to substitute the files from a previous clean WordPress backup the website went down, missing info in different lines. When I inspected e.g. the wp-settings.php files, they vary in content other than the malware code. So I wasn't able to fully recuperate the situation: when I run the Sucuri scanner it still tells me that the site is JavaScript infected. I also ran the Sucuri WP Check and it tells me that the site is ok. Do you think I am ok like this or is there something I can do to fix the corrupted JavaScript? Many thanks for your help.
Yes, your site is still infected.
You can either replace the js files manually, the infected files are:
http://www.fotografomatrimonioroma.it/wordpress/wp-includes/js/l10n.js
http://www.fotografomatrimonioroma.it/wordpress/wp-includes/js/jquery/jquery.js
Replace them with a clean version or a fresh WordPress copy (of your version) or a local backup.
Or do a WordPress update (or reinstall) in your admin (http://www.fotografomatrimonioroma.it/wordpress/wp-admin/update-core.php).
Reinstalling WordPress seems to have gotten me out of it. Thank you so much for your valuable help!
I'll try what the thread says... I have this virus and it's really a big problem.
At least I know thanks for this post.
Geezz... so many things to do. O_O Thanks for the step by step. I thought it was just in my theme. But when I view the source, I found nothing about the counter-wordpress.com domain. I'm soooo dooomed if I hadn't read this post! Thanks again!
I have recently got this problem –
For some reason I cannot delete/overwrite my wp-config.php. It had the huge gap and the code halfway down, just as you had described. I downloaded it from my FTP and altered it. I then uploaded the new/clean version and put it back into the same folder. I then renamed the old corrupt config file and moved it, hoping it won't be read at all.
I also have this file as you described ed59d62e1b1e2167275feed65b374079.php
But I cannot find it anywhere on my FTP to delete. Any ideas where I can find this thing?
Thanks for pointing out the overwrite problem, I had the same thing, I will put a note in my post so other people know.
Do you mean you can't find the ed59d62e1b1e2167275feed65b374079.php (or something like that) file on your server?
I didn't have that file either, but some other users had. So if you can't find it, don't worry, I think it was never there.
I contacted the support team that supplied me with the theme. They knew all about this error. It was something that involved the TimThumb script, it was vulnerable.
They uploaded a newer version of the theme which appears to have solved the error messages. The new theme does not support the TimThumb script either. Touch wood I won't have a repeat of such matters. Thanks for your help on this. Anybody reading this, just try updating to the newest version of your blog theme, and delete any that you're not using.
This post was excellent. Three WordPress sites all affected in the same way and I found it very easy to follow the steps above to rectify. Thank you!
Thank you, you just saved me from a massive headache.
Hi,
Just an update about the status of my malware warning screen.
It seems all my problems are solved!
As described in my previous reply, I still got the malware warning after logging in to the admin.
Today I finally fixed this issue! It seems like the warning is caused by the plugin google-analytics-dashboard. Since I removed that plugin, the warning is instantly gone.
So beware, there could be something wrong with this plugin.
Thanks for your update! That's pretty strange. Didn't you find any strange files in the google-analytics-dashboard folder?
Thanks for the tips, two of my WordPress sites that are using TimThumb were affected. Doing the cleaning now.
My sites are clean now following your steps. Thanks.
You’re welcome!
I followed these steps. I found the site to be clean after following them. I have even changed the database user passwords. But the problem seems to be never ending. The malware is coming back again and again. The problem is with these two files, l10n.js and jquery.js.
I have some 3 to 4 WordPress installations on my hosting account. All of them are having the same problem.
How can I solve the issue? Thanks in advance.
Did you really follow all the steps? Did you also overwrite the files l10n.js and jquery.js with clean files? Did you update timthumb.php?
If you need help send me an e-mail at info[at]reinaris.nl
Hi Rein,
I didn’t update the timthumb.php files! I did it now. Hope this fixes everything. What about the timthumb.txt which I found in some of the cache folders when I searched? Do I have to delete them?
Thanks a lot for the help!
Yes you should clear (delete all files) the cache folder to be sure!
The problem is back!
jquery.js and l10n.js got infected again.
I updated timthumb.php on all the WordPress installations. Followed all the other steps as you told me, but still the issue is back..!
Can you help me in resolving this issue
If you really did all the steps I mentioned above (like removing the upd.php files etc.) and you still have problems, I can help you out. Send me an email (info[at]reinaris.nl) with FTP/WP-Admin details and I will take a look.
But please try it yourself by following all the steps in the post above carefully.
Hi, I have done all the things you said except these.
I didn't find upd.php files anywhere in the directories you mentioned.
I don't have an FTP account. I installed it through Fantastico Deluxe. So do I have to change the cPanel login also? I already changed the DB passwords and updated them in the config file.
I am hopeless about getting rid of it. I set the permissions of the two files l10n.js and jquery.js to 444, revoking write rights even for the admin, and hope it will work.
So far the site is good. The malware infection is happening exactly once a day..
If the problem persists, I will definitely mail you and seek your help. Thanks a lot for being so kind.
No, you don't have to change your cPanel password. If you still encounter problems, create an FTP account and contact me.
I hope your website will be malware-free!!
Yes, I removed them too! Thanks a lot brother! I hope I will not get bothered by this malware again!
And very useful post! Keep posting!
Hi,
Thank you for the great tutorial.
I have a problem with this step – ‘Change your DB password and change it in wp-config.php’
Where do I change the database password?
Thanks!
Somewhere in your hosting admin panel (like DirectAdmin, cPanel or Plesk). Contact your hosting company.
Thanks!
1 question:
“upd.php” = “upgrade.php” ???
I didn't find upd.php files anywhere in the directories, just "upgrade.php"....
Do I need to delete these:
wp-admin/upgrade.php
wp-content/upgrade.php
???
Thanks!
Please take a look at the file. If it looks something like this:
Then it's the malware. Delete it!
I read the 'malware people' are changing their filenames...
Or
“upd.php” = “update.php” ???
Thanks a lot! You’re a hero! These steps saved me a lot of time!
Thanks for this awesome post. I fixed the virus a few months ago but I didn’t realize that it left some remnants of its ill coding in some of my WordPress files. I think I finally got my site cleaned now!
I have a website (WordPress / Magento) infected by this malware.
When I look at the wp-config.php, the information about the database connection is not the correct one. And my database is empty.
Has anyone already had this case?