
    How I Removed Malware Counter-WordPress.com on my Hacked WordPress blog


    I read the ShoutMeLoud post on WordPress sites using Timthumb.php being prone to hacking a couple of days back, and 2-3 days later I encountered a very strange problem in the Chrome browser. Whenever I opened my WordPress blog in Chrome, it showed the following message:

    “www.abc.com contains content from counter-wordpress.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.”

    I also checked my site in different browsers (Mozilla, IE & Opera), but this weird message appeared only in Chrome. I was certain that my site was hacked and, like anyone else, I searched about this issue on Google and found tons of useful information which helped me recover my hacked WordPress blog.

    The timthumb.php hack is going to last for some time, as many people haven’t updated their themes and plugins, or some plugin might be using this script without their knowing. So here I’m going to note down the steps which I took and other steps which you can take to recover your hacked site.

    Step 1: Update everything

    Most of the plugins and themes which were using the bugged timthumb.php script have been updated, and you can easily find updates by going to your dashboard and clicking on Updates. If you are using a premium theme, check with your theme provider to see whether they have rolled out an update. For example, Templatic and Thesis themes are free from the timthumb hack, but many other premium WordPress theme clubs were using the old timthumb and have now rolled out an update to fix the issue.

    Step 2: Scan your site for hacked content

    Once these hackers get access to your WordPress, they add malicious code in different places, often deep down in the file tree, so finding all of it won’t be easy. You can, however, look at the timestamps to see which files have been updated recently and check those files for any instance of malicious code.

    I also used http://sitecheck.sucuri.net/scanner/ to check my site, and it revealed that there was malicious code in my JavaScript file located at wp-includes/js/l10n.js. I accessed my hosting using FTP software and replaced this file with the original file from the zip of the latest WordPress version, 3.2.1.

    Step 3: Change passwords

    For better online security we always suggest changing your passwords regularly, but as soon as you fix your site you should change all of them: FTP, wp-admin and cPanel. Make sure that no hidden admin user and no extra FTP account has been added.

    Step 4: Reinstall WordPress

    This is one of the easy methods: click on Updates in your WP dashboard and reinstall WordPress. If the hacker has added malicious code to any core file, it will be gone. And since you have already followed the steps above, your site will be clean.

    Based on my research on Google into the timthumb hack, you might find some infected files at these locations:

    • wp-settings.php
    • wp-includes/js/jquery/jquery.js

    Replace these files with the original files, as in step 2.

    Step 5: Delete the following files if you find them:

    • /wp-content/upd.php
    • /wp-content/data.php
    • /wp-admin/upd.php
    • /wp-admin/js/config.php
    • /wp-admin/common.php
    • /wp-content/uploads/feed-file.php
    • /wp-content/uploads/feed-files.php
    • /wp-content/themes/*[your themes names]*/cache/.htaccess
    • /wp-content/themes/*[your themes names]*/temp/[eab9c5e9815adc4c40a6557495eed6d3.php]

    Step 6: Open “wp-config.php” and check for blocks made up of a huge number of empty lines. Clear them all.

    Step 7: Replace timthumb with the latest version.

    Step 8: Log into Google Webmaster Tools and check under Diagnostics whether it is showing any malware warning. If so, send the site for review after cleaning up; otherwise there is no need, as the warning will go away automatically (as in my case).
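
The file checks from steps 2, 4, 5 and 6 can be run in one pass from a shell on the server. This is an added example, not part of the original post; the function name `audit_wp`, the 20-line threshold for a "huge" blank run, and the second argument (an unpacked original WordPress zip of the same version) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress tree for the indicators listed in this post.
# Usage: audit_wp <wp_root> <clean_wp_root>
#   clean_wp_root = unpacked original WordPress zip of the same version (assumption)

# Step 5: files the post says to delete if found (relative to the WordPress root)
DROPPED="wp-content/upd.php wp-content/data.php wp-admin/upd.php
wp-admin/js/config.php wp-admin/common.php
wp-content/uploads/feed-file.php wp-content/uploads/feed-files.php"

# Core files the post names as infected or possibly infected
CORE="wp-settings.php wp-includes/js/l10n.js wp-includes/js/jquery/jquery.js"

BLANK_RUN=20   # assumed threshold for a "huge" run of empty lines (step 6)

audit_wp() (
  clean=$(cd "$2" && pwd) || exit 2    # absolute path to the original copy
  cd "$1" || exit 2
  for f in $DROPPED; do
    if [ -e "$f" ]; then echo "DROPPED $f"; fi
  done
  # Step 5, theme entries: cache/.htaccess and any PHP file under temp/
  { find wp-content/themes -type f \( -path '*/cache/.htaccess' \
      -o -path '*/temp/*.php' \) 2>/dev/null || true; } | sed 's|^|DROPPED |'
  # Steps 2 and 4: core files that differ from (or are missing in) the original
  for f in $CORE; do
    [ -f "$f" ] || continue
    cmp -s "$f" "$clean/$f" 2>/dev/null || echo "MODIFIED $f"
  done
  # Files that reference the domain from the Chrome warning
  { grep -rlF 'counter-wordpress.com' . 2>/dev/null || true; } |
    sed 's|^\./|DOMAIN |'
  # Step 6: wp-config.php padded with a long run of empty lines
  if [ -f wp-config.php ]; then
    awk -v lim="$BLANK_RUN" '
      /^[[:space:]]*$/ { if (++n > max) max = n; next }
      { n = 0 }
      END { if (max >= lim) print "PADDED wp-config.php: " max " blank lines in a row" }
    ' wp-config.php
  fi
)
```

Each output line is a lead for manual review: the theme `cache/.htaccess` match in particular can be a legitimate file, so inspect it before deleting.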

    I hope the above steps will be useful for removing the counter-wordpress.com malware or warning from your site. If you find this article informative, do consider sharing it on Google Plus and Facebook.
    This is a guest post by Arunii who blogs at arunii. If you would like to write for ShoutMeLoud, check our guest posting guidelines.

    { 7 comments… read them below or add one }

    Kunal

    Hey, nice work..!! Seems these will work for all the bloggers…!! if they are attacked by the hackers..!! Hoping everything is fine with your blog now..!! :)

    Reply

    Anand Kumar

    I will check my WP directory for the files, which you specified.

    Thanks for sharing!!

    Reply

    Kunal @ TechHogger

    Oh! Thanks, I just checked both my blogs, and they are both safe. Good article.

    Reply

    Rakesh Narang

    Thanks a lot for this enlightening article. I think my theme is using timthumb; I am going to update it right away.

    Reply

    Vijay

    Make sure you update thumb.php to the latest version as well. Some themes are using timthumb.php under the name thumb.php.

    Reply

    Hamza Tariq

    lol, you can skip all of the above mentioned steps. Simply open your web, and press CTRL + U (for Source Code) and then CTRL + F to find (counter-wordpress.com), that’s it! It will directly show you the affected plugin, file…etc!

    Reply

    Harry Sehgal

    Thanks Arunii for these tips. I will also scan my blog for viruses so that it can’t be compromised.

    Reply
