Redirecting
Even updating the plugin, it still keeps redirecting my site to
What should I do?
This topic was modified 6 years, 6 months ago by
izaascj.
This is happening to my site too. First I had the unverf.com redirect. I got rid of that and then the next day I am not getting tuniaf.com and can’t figure out how to get rid of it. I paid someone to fix it. It was gone for a day and now back. Need help too.
Hello, I am facing this issue too.
All you can do is follow the instructions in this article https://www.inmotionhosting.com/blog/attention-wordpress-ultimate-member-plugin-users-new-security-information/ (Thanks to PeepSo, Inc)
I have one solution in mind:
1. Permanently delete the ultimate-member plugin directory inside your wp-content/plugins/
2. Follow the instructions inside the link above!
– Delete all PHP files inside wp-content/uploads/ultimatemember/temp/, and exclude the directory wp-content/uploads/ultimatemember/ and its subdirectories from PHP execution, or if your web server / cPanel has antivirus, you can quarantine it.
I’ll tell you how it goes with my site after fixing this, and I hope you will tell us too.
Updated, based on the article written by the Sucuri team:
https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html
I saw the attacker also injected JavaScript code from cdn.allyouwant[dot]online.
I ran a search for “cdn.allyouwant..” and found one PHP file containing the code, as you can see in this screenshot.
Probably this code, under the name of _common.php, was used to inject the JavaScript code. I deleted it from my cPanel.
Hi
After some cleaning and removing files, folders… some antimalware tells me all is clean, but I am still facing the redirect problem.
Finally, my solution was to restore a full backup of the website from before it was infected (my first infection was on August 22nd).
Regarding the database, in my case the status was not changed, but I guess the database does not need to be restored because it seems the infection is in files, not in the database.
Also, I would appreciate an official response from the Ultimate Member team. I do not trust using the plugin again until then.
Regards,
I received a response from the UM members support and they said they did fix the plug in and I have to update but I also have to clean my site for traces of the virus left in certain files. Ugh,
This reply was modified 6 years, 6 months ago by
denhamfmly.
Great! I already installed the new version. But what now? What and where to clean? I installed Sucuri, which shows me many altered pages, but how do I know which ones are infected?
Did you delete the plugin and then reinstall it? As far as cleaning it, use a virus scanner plugin that detects backdoors and malware. I do not know how to check my files either. I am having to pay a freelancer to help me.
However today I deleted the plugin, then reinstalled the new version and ran the Anti-Malware Security and Brute-Force Firewall plug in I recently installed. It cleaned files and right now I am not getting redirected anymore. But, so far I have noticed when I get it to stop it comes back by the next day. At this point I am going to see if this works by waiting until tomorrow.
History:
I first had the cdn.allyouwant[dot]online virus and cleaned that myself out of my theme plugin and that worked. The following day I ended up with this new one, tuniaf.com. I updated UM and did a virus scan and it went away. But then it came back. I had the freelancer help and he did a quick fix that helped it go away, but then it came back the next day. He did it again to fix it and it did, until today (next day) it was back again. So now I deleted the plugin instead of just updating it and then reinstalled it, then ran the scan. It doesn’t redirect. So we’ll see.
How to Clean your WordPress site:
Before you attempt to do number 2 and so on, I encourage you to install and use Visual Studio Code or Atom to help you find malicious code more easily by searching all folders and files inside your WordPress (and of course, download your site's folder by zipping it as one archive file and check it offline, and remember you will need it later).
1. Permanently delete the ultimate-member plugin directory inside your wp-content/plugins/
2. Follow the instructions inside the link above!
– Delete all PHP files inside wp-content/uploads/ultimatemember/temp/, and exclude the directory wp-content/uploads/ultimatemember/ and its subdirectories from PHP execution, or if your web server / cPanel has antivirus, you can quarantine it.
3. Inside your themes directory, search for _common.php (in my case, I found it under wp-content/themes/publisher/header/_common.php). (screenshot: https://ibb.co/nLg4yU)
If you found the same code, it is safe to delete them all or delete the file.
4. Open your VS Code -> Open Folder (choose your site folder), click on the ‘search’ icon at the left corner of your VS Code tab. Type “var po”. You will find maybe hundreds of your jQuery or JavaScript files are infected (screenshot: https://ibb.co/bE2Yxz). Then search for “var need_t” (var need_t is under var po); they are 2 lines at the top of your jQuery files.
The codes var po = and var need_t = are placed at the top of your jQuery or JS code. Remove them all; you can use VS Code to remove them in all jQuery files by using VS Code's built-in Search function, or you can of course remove them one by one.
5. Check your database as it might be infected as well. Export your database and open it with VS Code, then search for “db.allyouwant.online”. If you find it, it means your database got infected as well. (screenshot: https://ibb.co/jUCGHz)
You can delete them all with one or two clicks using VS Code's built-in Search function, but before you do that, back up or duplicate your infected database.
6. Be sure to clean your server too. If you are using managed or shared hosting, contact your hosting provider; if you are not, clean it yourself.
Once all is clean, archive your clean WordPress files and reupload them to your server using an FTP client or cPanel File Manager. Delete your database and reupload the clean one.
Thanks to Sucuri’s staff, who provide us helpful insights.
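The searches in steps 2 to 5 of the guide above can also be run in one pass over the downloaded copy of the site. This is an added example, not part of the original post: it assumes the scan root is the WordPress root of an offline copy, uses only the indicators quoted in this thread, and builds a constructed sample tree so it runs as-is.

```python
import os
import re
import tempfile

# Indicators quoted in the thread; nothing else is assumed about the malware.
JS_MARKERS = re.compile(r"^\s*var\s+(po|need_t)\s*=")  # injected at top of JS files
DOMAINS = ("allyouwant.online", "tuniaf.com", "unverf.com")
UPLOAD_DIR = os.path.join("wp-content", "uploads", "ultimatemember") + os.sep

def scan_site(root):
    """Walk an offline copy of the site; return sorted (reason, relative_path) pairs."""
    findings = set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            lower = name.lower()
            if lower.endswith(".php") and rel.startswith(UPLOAD_DIR):
                findings.add(("php-in-uploads", rel))
            if lower == "_common.php" and "themes" in rel.split(os.sep):
                findings.add(("theme-_common.php", rel))
            if not lower.endswith((".php", ".js", ".sql", ".html")):
                continue
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                for number, line in enumerate(fh):
                    if number < 5 and lower.endswith(".js") and JS_MARKERS.match(line):
                        findings.add(("js-top-injection", rel))
                    if any(domain in line for domain in DOMAINS):
                        findings.add(("redirect-domain", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: three flagged files and one clean file."""
    samples = {
        "wp-content/uploads/ultimatemember/temp/x1/a.php": "<?php /* constructed */",
        "wp-content/themes/publisher/header/_common.php": "<?php // cdn.allyouwant.online",
        "wp-includes/js/jquery/jquery.js": "var po = 1;\nvar need_t = 2;\n/* jQuery */\n",
        "wp-includes/js/clean.js": "/* untouched */\nvar position = 0;\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, rel in scan_site(tmp):
            print(f"{reason:20} {rel}")
```

Point `scan_site()` at the unzipped site folder (and put the exported `.sql` dump inside it) to get the list of files to review; the script only reports and never deletes.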
I thank you from the heart!
For me it will not work, because I’m Brazilian and I use the translator, this advanced language is very difficult!
I know your guide is going to work for many, I think I can only do it if someone creates a video tutorial one day.
I came up to the part that is to find the “var po” and the “var need_t”, but do not understand if it is to delete everything resend the files to the server. I got scared!
Thank you so much! It helped a lot of people!
Dear izaascj,
I’m sorry, I don’t speak Brazilian or Portuguese. If I could, I would write it in Brazilian / Portuguese.
Thank you so much
I definitively gave away the Ultimate Member
I deleted the last folder in uploads
I passed the sucuri and restored all the files
the address https://cdn.allyouwant.online was inside “header”. I downloaded the theme folder and sent a new header.
Not satisfied, I refresh the subject.
The action worked for a few minutes, but it became infected again
What did I not do?
You may want to investigate the website access log for suspicious HTTP requests that may lead to this reinfection.
Optionally (if the infection is getting in via the theme) you may want to temporarily switch to another theme (removing the directory hosting the current theme).
If the reinfection doesn’t occur with the alternative theme, you have found the source of reinfection.
Do you have other websites under the same hosting account?
Did you run an internal (server-side) scan?
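One way to start the access-log review suggested in the last reply, as an added example that is not part of the thread: it assumes Combined Log Format and treats any request for a PHP file under wp-content/uploads/ or for a theme's _common.php as worth reviewing, since those are the places where the cleanup guide in this thread found dropped files. The log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption for this example: these two path patterns are the ones to review.
SUSPECT_PATH = re.compile(r"/wp-content/uploads/.*\.php$|/_common\.php$", re.I)


def suspicious_requests(lines):
    """Return (ip, time, method, path, status) for requests matching SUSPECT_PATH."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line in the expected format
        ip, when, method, target, status = match.groups()
        path = unquote(urlsplit(target).path)  # drop query string, decode %xx
        if SUSPECT_PATH.search(path):
            hits.append((ip, when, method, path, int(status)))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Aug/2018:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "ua"',
    '198.51.100.9 - - [25/Aug/2018:10:05:40 +0000] '
    '"POST /wp-content/uploads/ultimatemember/temp/x1/a.php?c=1 HTTP/1.1" 200 15 "-" "ua"',
    '198.51.100.9 - - [25/Aug/2018:10:05:44 +0000] '
    '"GET /wp-content/themes/publisher/header/_common%2Ephp HTTP/1.1" 200 0 "-" "ua"',
    '203.0.113.7 - - [25/Aug/2018:10:06:00 +0000] '
    '"GET /wp-content/uploads/2018/08/photo.jpg HTTP/1.1" 200 90211 "-" "ua"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

A 200 status on a PHP file under uploads after cleanup means the file is back and PHP execution is still allowed in that directory; the timestamps of such hits show when the reinfection happened.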