• Anyone know if this is part of core code, or coming from a plugin?

    Warning: Something’s Not Right Here!
    <your WP site> contains content from counter-wordpress.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.
    Google has found that malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed. Why not try again tomorrow or go somewhere else?
    We have already notified counter-wordpress.com that we found malware on the site. For more about the problems found on counter-wordpress.com, visit the Google Safe Browsing diagnostic page. (https://bit.ly/na8G5m)

Viewing 15 replies - 31 through 45 (of 57 total)
  • Hello!
    I went through all the steps of changing passwords for FTP and MySQL, uploading a new version of WordPress, but when I run https://example.com/wp-admin/install.php I get a message that says “You appear to have already installed WordPress. To reinstall please clear your old database tables first.” Do I have to clear the actual DB, install, and then execute a copy of the DB? I don’t want to lose all I have on my site!!
    Thanks for helping…

    I have an Elegant Theme and they said they don’t use TimThumb anymore because of its known vulnerabilities (no kidding!!)

    You can download a fresh theme from them without TimThumb; I would suggest that. Those are the themes that made me an expert overnight on TimThumb. lol

    (PLEASE TRY THIS BEFORE RANDOM RE-INSTALLATIONS, WHICH IS VERY TIME-CONSUMING, AND DOESN’T ENSURE RECURRENCE EVERYDAY)

    Hi everyone who is facing the Google Chrome security issue, the resolution consists of two processes that should be done in sequence:

    1) Log in to your cPanel and open the wp-config.php file, and note that the file should not exceed 92 lines, with

    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');

    that should be the last line in the file.
    But surprisingly, it will exceed 6000 lines. Scroll down and you might think it's empty; well, it's not: around line 5000 you will find a strange code patch. Don't try to edit the file by removing the code, because when you delete all the code after the line mentioned above and save the file, you will get a fatal error. So copy all the code from the beginning to around line 92 (the line mentioned above), then create a new file named XXXXXX.php and paste the copied code into it (optional: you can create another as a backup of your configuration settings), then save the file. Check that the new file exists, and open it to ensure the pasted settings are in place within the file (PLEASE, don't skip this step). Then rename the old wp-config.php to, say, “OLD-wp-config.php”, then rename XXXXX.php to wp-config.php.

    2) You will still receive the message if you access your blog, because you have to update Google via your Google Webmaster Tools: go to the dashboard of the domain you are getting the message for, go to diagnostics-malware, and you should receive this message: “Google has not detected any malware on this site.” Request a review, and in less than 60 seconds the message is gone.

    After that I recommend that you change your admin password and change the permission settings for the new wp-config.php, which is the vulnerability we left open to WordPress competitors; I guess we all know them. So it has nothing to do with WordPress; it's a user-created vulnerability, we did it.
    PLEASE PROVIDE ME WITH FEEDBACK, I hope I helped.
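The wp-config.php check described in the post above can be automated. This is an added example, not part of the original post or of WordPress: `audit_wp_config`, the `max_blank_run` threshold and both sample files are assumptions constructed for illustration.

```python
import re
import sys

# The loader line the post says must be the last line of wp-config.php.
LOADER = re.compile(r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]")

def audit_wp_config(text, max_blank_run=20):
    """Audit one wp-config.php body; max_blank_run is an assumed threshold."""
    lines = text.splitlines()
    loader_at = next((n for n, l in enumerate(lines, 1) if LOADER.search(l)), None)
    # Longest run of blank lines: the padding that pushes a payload out of view.
    longest = run = 0
    for l in lines:
        run = run + 1 if not l.strip() else 0
        longest = max(longest, run)
    # Anything but whitespace or a closing tag after the loader is unexpected.
    trailing = []
    if loader_at is not None:
        trailing = [n for n, l in enumerate(lines[loader_at:], loader_at + 1)
                    if l.strip() not in ("", "?>")]
    return {
        "total_lines": len(lines),
        "loader_line": loader_at,
        "longest_blank_run": longest,
        "trailing_code_lines": trailing,
        "suspicious": loader_at is None or bool(trailing) or longest > max_blank_run,
    }

# Constructed samples: a minimal clean config and the same file padded and appended to.
CLEAN_SAMPLE = (
    "<?php\n"
    "define('DB_NAME', 'example_db');\n"
    "/** Sets up WordPress vars and included files. */\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
)
INFECTED_SAMPLE = CLEAN_SAMPLE + "\n" * 3000 + "<?php /* constructed stand-in for injected code */\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: python audit_wp_config.py wp-config.php
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(audit_wp_config(fh.read()))
    else:
        print(audit_wp_config(CLEAN_SAMPLE))
        print(audit_wp_config(INFECTED_SAMPLE))
```

A file that is flagged should be compared against a known-good copy before anything is deleted, since a Network install or a plugin may legitimately add lines above the loader.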

    “You appear to have already installed WordPress. To reinstall please clear your old database tables first.” Do I have to clear the actual DB, install, and then execute a copy of the DB?

    Sad to say, I’m not using the old database because I felt it might be compromised. I also have not had the time to research the database to find any injected tables. I had to rebuild from scratch but I caught these issues when I was building a new Website, not when it was in production. I have literally done double the work to get my Network back to production level.

    I wasn’t going to take any chances because it will be deployed to a very discriminating client base. I’m not saying to do anything that I did, I’m simply giving you information on my experience.

    The attack on my site had different symptoms than others. For example, I found two /upd.php files (one in my /wp-content directory and the other in /wp-admin dir) and I recognized them as injected files. While others experienced this same issue, other issues they mentioned were not present on my site and everyone that I have spoken to has had a slightly different experience.

    Best wishes

    oohh…. ??
    I think I messed it up… I already erased and reinstalled everything
    The “home” is here, but it doesn’t find the rest of the contents…
    https://www.devargas.com.es
    Any clue?…

    the file should not exceed 92 lines

    it’s more if it’s a Network install, or if you’re running a plugin like Simple Facebook Connect and inserted code into the /wp-config.php file.

    Whatever, BUT NOT AROUND 5000 lines of settings. You will still find strange code injected after more than 3000 empty lines, right? It's not the time for nit-picking; I just hope you get the idea, and it will work, which is much better than seeing that most of the people here have lost time and CONTENT, and it will re-happen, right? And above all nothing was fixed. I just wrote, and I hope it works for even one person in this forum. Thanks, everyone.

    What I did:
    Backup the Site using BackWPup which also saves an XML export.
    Nuked site completely, from re-seller account.
    Re-created site.
    Re-installed WordPress with updated theme to fix the TimThumb hole.
    Imported wordpress XML.
    Uploaded uploads directory using ftp.

    I definitely took the long way home, but it seems that it’s now fixed… Thank you for helping!!

    Thank you nihadnagi!

    My site https://www.acbestpractices.com got warnings in Chrome, but no apparent problem in other browsers. I did a scan with https://sitecheck.sucuri.net/scanner/ and it found that one of the files in the /wp-includes/js/ folder was infected with a known javascript malware. I re-uploaded that file from a reference copy of WP 3.2.1, then rescanned at Sucuri and it came up clean.

    THEN, I went to the wp-config.php file, and found it was 4000+ lines in length. I followed nihadnagi’s advice, and copied the first 94 lines (in my case) to a new php file, made sure it was properly saved, then uploaded it and renamed it to wp-config.php (after renaming the other corrupted file).

    Now my site scans clean, and I know that the wp-config file is restored to a proper state. I’ll go ahead and change all my passwords too.

    One problem remains: in Chrome, the URL still comes up with a warning, but Google Webmaster Tools says the site is OK – so I can’t request a malware review. They say that in some cases it may take a day or more for GWT to have the malware information, and to check back later – so for now I think I’m clean but the site will still come up with warnings in Chrome for visitors.

    Any other advice??

    Alright I did everything that was recommended and now my blog is gone! It’s completely wiped out. I have no idea what to do – how do I get my posts back? I wasn’t able to back anything up because I couldn’t even get to my dashboard.

    Oh and I STILL can’t get onto my dashboard. I just want to get my posts and go back to Blogger. I’ve had problems with WP since day one.

    Hi, I have been infected with this hack.
    Maybe this can help somebody.
    More than one .js file could be affected and the scanner will not detect it.
    Search for
    var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F\x2F\x67\x2D\x68\x2E\x6D
    or similar in your .js files.
    I found several infected .js files in plugins and themes.
    I also found more timthumb.php files in plugins and themes, and I removed them all too.
    Now everything is clean.
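The search described in the post above, for .js files carrying the `var _0x…=["\x…` signature and for leftover timthumb.php copies, can be run over a whole installation. This is an added example, not part of the original post: the function names, the eight-escape minimum and the sample file are assumptions, and the sample reuses only the first ten escapes of the string quoted above.

```python
import os
import re

# `var _0x<hex>=["\x..\x..`: an array of hex-escaped strings, as quoted in the post.
SIGNATURE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[\s*"((?:\\x[0-9a-fA-F]{2}){8,})')

def scan_js_text(text):
    """Return (line_no, variable, decoded_preview) for each signature hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SIGNATURE.search(line)
        if m:
            escapes = re.findall(r"\\x([0-9a-fA-F]{2})", m.group(2))
            # Decode only the first bytes so the report shows what the string hides.
            preview = bytes(int(h, 16) for h in escapes[:40]).decode("latin-1")
            hits.append((n, m.group(1), preview))
    return hits

def scan_tree(root):
    """Walk root; report flagged .js files and every timthumb.php found."""
    flagged, timthumb = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "timthumb.php":
                timthumb.append(path)
            elif name.lower().endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_js_text(fh.read())
                if hits:
                    flagged[path] = hits
    return flagged, sorted(timthumb)

# Constructed sample: one ordinary line, then the first ten escapes of the quoted string.
SAMPLE_JS = (
    "function ready(){ return true; }\n"
    r'var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D"];' "\n"
)

if __name__ == "__main__":
    print(scan_js_text(SAMPLE_JS))
    # To scan an installation, pass its path, e.g. scan_tree("wp-content")
```

Legitimately obfuscated or minified scripts can match the same pattern, so each hit should be compared with the file shipped in a clean copy of the plugin or theme.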

    I am truly happy it worked for you Eric, but let me note something about this issue: the question is how did anyone get access to any plug-in code in the first place, and change any js libraries? Via this security hole!!! Whatever changes that might work today, they can manipulate This is specially for Eric: you are right about the update to take place. To do it INSTANTLY, you can either:
    1) Search the help center for the term “malware” and choose the result named “Request a malware review of your site”, or follow this link directly:

    https://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=163633

    a pop-up window named “Request a malware review of your site” will appear, and you will find this text:

    Once you’re sure your site is free from any infected code and content, you can request a malware review. (CLICK ON THE LINK IN THE ABOVE TEXT IN A NEW TAB, and then click the second process), and then click on the link “reconsideration request”, and then recheck instantly you are done.

    OR
    2) Resubmit the whole url (you have 10 re-submissions/month)

    But the first will do, cause it did for me, and was all gone in seconds.

    That will do Eric, glad it worked for you and everybody in this forum. No matter what changes were done today, the hole via this config file will remain open. Good luck everyone. Thank you Eric.

    SORRY FOR THE LINE, MY POST REPOSTED FOR ERIC & EVERYONE

    I am truly happy it worked for you Eric, but let me note something about this issue for everyone: the question is how did anyone get access to any plug-in code in the first place, and change any js libraries? Via this security hole!!! Whatever changes that might work today, they can manipulate them again tomorrow. Are you ready for that?
    This is specially for Eric: you are right about the update to take place. To do it INSTANTLY, you can either:
    1) Search the help center for the term “malware” and choose the result named “Request a malware review of your site”, or follow this link directly:

    https://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=163633

    a pop-up window named “Request a malware review of your site” will appear, and you will find this text:

    Once you’re sure your site is free from any infected code and content, you can request a malware review. (CLICK ON THE LINK IN THE ABOVE TEXT IN A NEW TAB, and then click the second process), and then click on the link “reconsideration request”, and then recheck instantly you are done.

    OR
    2) Resubmit the whole url (you have 10 re-submissions/month)

    But the first will do, cause it did for me, and was all gone in seconds.

    That will do Eric, glad it worked for you and everybody in this forum. No matter what changes were done today, the hole via this config file will remain open. Good luck everyone. Thank you Eric.

  • The topic ‘Google issuing warnings about WP site: "content from counter-wordpress.com"?’ is closed to new replies.