ShoutMeLoud – Shouters Who Inspire


How I Removed Malware Counter-WordPress.com on my Hacked WordPress blog


I read the ShoutMeLoud post on WordPress sites using Timthumb.php being prone to hacking a couple of days back, and after 2-3 days I encountered a very strange problem in the Chrome browser. Whenever I opened my WordPress blog in Chrome, it showed the following message:

“www.abc.com contains content from counter-wordpress.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.”

I also checked my site in different browsers (Mozilla, IE & Opera), but this weird message was appearing only in Chrome. I was certain that my site was hacked and, like any other guy, I searched about this issue on Google and found tons of useful information which helped me to recover my hacked WordPress blog.

The timthumb.php hack is going to last for some time, because many people haven’t updated their themes and plugins, or are unknowingly running a plugin that uses this script. So here I’m going to note down the steps I took, and other steps you can take, to recover your hacked site.

Update everything:

Most of the plugins and themes that were using the vulnerable timthumb.php script have since been updated, and you can find these updates by going to your dashboard and clicking Updates. If you are using a premium theme, check with your theme provider to see whether they have rolled out an update. For example, the Templatic and Thesis themes are free from the timthumb hack, but many other premium WordPress theme clubs were using the old timthumb and have now rolled out an update to fix the issue.

Scan your site for hacked content:

Once these hackers get access to your WordPress installation, they add malicious code in different places, some of them deep in the file tree, so finding all of it won’t be easy. You can, however, look at the timestamps to see which files have been modified recently and check those files for any instance of malicious code.

I also used http://sitecheck.sucuri.net/scanner/ to check my site, and it revealed that there was malicious code in my java file located at wp-includes/js/l10n.js. I accessed my hosting using FTP software and replaced this file with the original file from the zip folder of the latest version, WordPress 3.2.1.

Change Passwords:

For better online security we always suggest changing your passwords regularly, but as soon as you fix your site you should change all of them: FTP, wp-admin and cPanel. Also make sure that no hidden admin user and no extra FTP account has been added.

Reinstall WordPress:

This is one of the easy methods: click Updates in your WP dashboard and reinstall WordPress. If the hacker has added malicious code to any of the core files, it will be gone. And since you have already followed the steps above, your site will be clean.

Based on my research on Google into the timthumb hack issue, you might find some of the infected files at these locations:

  • wp-settings.php
  • wp-includes/js/jquery/jquery.js

Replace these files with the original files, as in step 2.

Step 5: Delete the following files if you find them:

  • /wp-content/upd.php
  • /wp-content/data.php
  • /wp-admin/upd.php
  • /wp-admin/js/config.php
  • /wp-admin/common.php
  • /wp-content/uploads/feed-file.php
  • /wp-content/uploads/feed-files.php
  • /wp-content/themes/*[your themes names]*/cache/.htaccess
  • /wp-content/themes/*[your themes names]*/temp/[eab9c5e9815adc4c40a6557495eed6d3.php]

Step 6: Open “wp-config.php” and check for blocks made up of a huge number of empty lines. Clear them all.

Step 7: Replace timthumb with the latest version.

Step 8: Log into Google Webmaster Tools and check under Diagnostics whether it is showing any malware warning. If it is, submit the site for review after cleaning up; otherwise there is no need, as the warning will go away automatically (as in my case).
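
The file checks from the steps above (recent timestamps, the Step 5 paths, references to counter-wordpress.com, blank-line padding in wp-config.php) can be run in one pass over a copy of the site. This is an added example, not part of the original post; the function names, the 7-day window, the 50-line threshold and the 32-hex-digit pattern for the temp file name are assumptions.

```python
import os, re, sys, time

# Paths listed under Step 5; theme names become wildcards. The 32-hex-digit
# pattern generalises the single temp file name shown there (assumption).
LISTED = re.compile(r"^(?:wp-content/(?:upd|data)\.php"
                    r"|wp-admin/(?:upd|common)\.php"
                    r"|wp-admin/js/config\.php"
                    r"|wp-content/uploads/feed-files?\.php"
                    r"|wp-content/themes/[^/]+/cache/\.htaccess"
                    r"|wp-content/themes/[^/]+/temp/[0-9a-f]{32}\.php)$")
DOMAIN = b"counter-wordpress.com"  # domain named in the Chrome warning
BLANK_RUN = 50                     # assumed threshold for "huge empty lines"

def longest_blank_run(data):
    """Longest run of consecutive whitespace-only lines in a bytes buffer."""
    best = run = 0
    for line in data.splitlines():
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best

def triage(root, days=7, now=None):
    """Walk a WordPress tree and return {relative_path: [reasons]}."""
    cutoff = (now or time.time()) - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if LISTED.match(rel):
                reasons.append("listed-path")
            if name.endswith((".php", ".js", ".htaccess")):
                if os.path.getmtime(full) >= cutoff:
                    reasons.append("recently-modified")
                with open(full, "rb") as fh:
                    data = fh.read()
                if DOMAIN in data:
                    reasons.append("domain-reference")
                if rel == "wp-config.php" and longest_blank_run(data) >= BLANK_RUN:
                    reasons.append("blank-line-padding")
            if reasons:
                findings[rel] = reasons
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, why in sorted(triage(root).items()):
        print(path, ",".join(why))
```

A file that is reported only as recently-modified still needs to be compared by hand against the original from the WordPress zip, since injected code does not always contain the domain in readable form.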


I hope the steps above will be useful for removing the counter-wordpress.com malware or warning from your site. If you find this article informative, do consider sharing it on Google Plus and Facebook.
This is a guest post by Arunii who blogs at arunii. If you would like to write for ShoutMeLoud, check our guest posting guidelines.

Article by Arun garg



    7 comments

    • Harry Sehgal

      Thanks Arunii for these Tips. I will also scan my Blog for Virus so that it can't be compromised.
    • Hamza Tariq

      lol, you can skip all of the above mentioned steps. Simply open your web, and press CTRL + U (for Source Code) and then CTRL + F to find (counter-wordpress.com), that’s it! It will directly show you the affected plugin, file…etc!
    • Vijay

      Make sure you update thumb.php to the latest version as well. Some themes are using timthumb.php under the name thumb.php.
    • Rakesh Narang

      Thanks a lot for this enlightening article. I think my theme is using timthumb, I am going to update it right away.
    • Kunal @ TechHogger

      OH! Thanks, I just checked both my blogs. And they both are safe. Good article.
    • Anand Kumar

      I will check my WP directory for the files, which you specified.

      Thanks for sharing!!

    • Kunal

      Hey, nice work..!! Seems these will work for all the bloggers…!! if they are attacked by the hackers..!! Hoping everything is fine with your blog now..!! :)