Viewing 15 replies - 46 through 60 (of 61 total)
  • Deactivate this plugin: GD Star Rating

    Solved…

    Found it!

    Gosh dang it! That hack of a “designer” used a nulled plugin on our site. The plugin is called “Coming Soon Pro” and sure enough, at the very bottom of the file, I found this:

    <?php include ('images/social.png'); ?>

    And sure enough, social.png is a PHP file full of a confusing array of function names and Base64-obfuscated code.

    Now I don’t trust anything this designer did, and I’m going to do a more intense search.

    I don’t know what’s worse. A professional coder who knowingly installs nulled scripts, or a clueless amateur design hack who has no clue about server security and the respect of copyright!

    Props to @mreee and @delraycomputers . And everyone else who chipped in. Thanks much!!

    @deniz87: that plugin no longer exists. Go to that page you linked to, and click on “Description”. It was probably removed for having that vulnerability injected into it.

    As I said, some obfuscated code in image format.

    Removing the false social.png image and the code for its inclusion in the theme functions.php file apparently solved the problem.

    Thank you to the friend, mreee, for locating where.

    This just shows that even using grep, the code was obfuscated so we would not find it. What I may do (when I’m back from my travels in a couple of weeks) is write a regular expression that would find the words “include” or “require” referencing popular non-text files such as .png, .jpg, .pdf, etc. in the same statement, and use that with grep as a security tool. With this theme and plugins the designer installed, I cannot trust anything, and I find he sourced our theme from a nulled script source as well.

    Anyone who uses nulled scripts deserves this, in my opinion. But when a third party, supposedly a professional, installs this in an otherwise legitimate setting such as ours, it opens us up to both severe server vulnerabilities and legal liabilities for running stolen software.

    Hi to all!

    I have also solved this problem on my site today. Thanks to all you guys who have posted their answers here.

    I was having the same problem, and I have tried out so many things in the past week. I disabled all plugins and changed the theme, but the problem continued.

    At last I decided to deactivate all plugins and activate them one by one and check for the script. I found that one plugin caused the problem, so I debugged the plugin. At the very end of the script it includes a “Social.png” file, and I found that it is not used anywhere in my site. So I simply deleted that image.

    And then I checked, and guess what, the problem is solved. So much relief this time.

    I hope it may help you guys.

    Dear all,

    I ran into the same issue and I am wondering if you guys have already figured out which plugins have caused this issue. I don’t seem to have installed any suspicious ones..

    We have solved the issue by removing the social.png file and the reference from the functions.php file. It now is gone, but as far as we can see this is a pretty serious exploit.

    It is probable that all admin passwords and db user passwords have been compromised as well as visitor data, so this is quite serious.

    Yes, it is a serious exploit.

    I would say that based on this discussion, two things are in common:

    1) The exploit has shown up in different plugins and/or themes, not any single one;

    2) Many of these were from illegally obtained “nulled” scripts, for which I have to say, if you steal software, you deserve what you get. As a former coder myself, I think those who use pirated, stolen software are as low on the food chain as those who null and distribute them to begin with. Sorry. Theft of intellectual property totally rubs me the wrong way.

    There are ways the exploit can be injected into plugins or themes that come through official channels, as I found one plugin listed above which is now removed from the WP plugin repository (the support thread remains, but the plugin is no longer listed). It is rare, but it can happen. I always try to download either through the WP system, or directly from the publisher’s site. And yes, my clients pay if a license is needed for the product. That’s non-negotiable with me.

    In my case, it was a nulled script. Someone had recommended we use this designer, who I think did this as a freebie favor for our site owner. The exploit turned up when the site quit loading (waiting for the non-responsive genericstts.com site to load). That was my clue something was wrong, but I didn’t see how wrong it was until investigating further. Turns out this designer not only used at least one nulled plugin (Coming Soon Pro), he also used a nulled version of the Bolid theme by ThemeForest. Both were obtained from a directory that links to nulled WordPress themes and plugins.

    So, in our case, this was put on our server without our knowledge, thinking we could trust this hack. He had no clue: he did not know his way around a typical WP installation. He bitched about our multisite setup being “some strange way you have this set up”, and the only way he knew to get a theme and plugins up was to upload the complete directory from his computer. Needless to say, he’s persona non grata.

    I posted this simply as a warning to be careful when subcontracting or accepting the unknown work of others. Pirated (nulled) software is illegal, which opens the site owner up for all sorts of legal liabilities. And the exploit could have compromised our server and data integrity. Using this nulled garbage is a recipe for trouble.

    That’s What Happens when you mess up with nulled themes xD

    I understand. The strange thing though is that we have bought the theme from SwiftIdeas on Themeforest. They are premium template designers, I cannot imagine them using nulled scripts.

    I only installed plugins from the official WordPress website and still we got affected by this exploit.

    We have now shut down our complete server and are in the process of deploying WordPress on another one. We will try to figure out by trial and error which plugin installed this malware.

    Do you have any clues on what the malware caused on your servers? It looks like all user accounts were compromised and a backdoor onto our server was made. Any idea what they were after?

    @jeroenverhoef, our theme was from ThemeForest also, but the problem we had is that the designer we supposedly trusted had downloaded the theme and the bad plugin from a site that distributes nulled scripts, rather than doing the professional thing and paying for them. (I do not want to post that URL publicly.)

    Personally I don’t like this theme (or anything from ThemeForest for that matter), but the site owner liked the layout of it and the features.

    If you do find the plugin or theme is infected with this, please report it. If the plugin came through www.remarpro.com, there must be a way to report it so others do not get affected.

    Our site was not yet live, and security is very strict (we protect the wp-admin directory with both password and IP restrictions), so we were not compromised. Still, I have reset everyone’s password to be safe, and I can easily restore from an old backup since we only have half a dozen posts ready for the preview.

    Hi guys. I didn’t read all the answers you gave.

    I found the solution here
    https://siteber.com/how-to-remove-genericstts-cominit-min-js-malware-script/

    Take a look.

    This is malware because I installed a nulled plugin.

    I learned my lesson now. Only original plugins, guys.

    I don’t think this so-called “designer” we used has any idea how much extra work he has created for me.

    I thought I had scanned everything, yet I had to keep this theme in place since the designer directly modified the files in the theme, vs. doing it the proper way by putting modifications into a child theme.

    Today I found another issue. I clicked one of the links in the menu bar, and I got redirected to a totally unrelated video on YouTube (Justin Bieber tripping while playing basketball–a video title that attracts viewers in other words). This video, of course, is “monetized” and plagued with ads. Now I don’t know if this is in the theme, or in yet another plugin which is tainted! (This menu link normally points to a “glossary” which is populated by a plugin.) Yet a second time I click the link, it goes to the proper destination. This behavior reminds me of how clever our “genericstts” exploit was–it would only appear when logged out.

    Needless to say, I am at the point of scrapping the entire project and starting over. The only thing usable is the logo this guy made. I can redesign it similarly.

    I personally know better than to install nulled scripts, but ended up having this mess made by a third party dumped in my lap anyways…

    I think you have malware in your plugin or your theme.
    If you can log in to your cPanel,
    go to File Manager and search for social.png;
    if found, go to its location, right-click, then edit.
    If the image shows code, it's malware; if not, it's fine…
    In case of PHP code: first delete the social.png file, then I suggest you download the theme or plugin in which you found social.png
    and use free software like “seek” or “FileSeek” to search all files, including *.php, for the code that calls social.png. After finding the code, delete it and you are done.
    BTW, change all your login information, including DB…
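
The two checks discussed in this thread (a grep for `include`/`require` statements that point at image files, and a search for image-named files that actually contain PHP) can be combined in one script. This is an added example, not code posted by anyone in the thread; it assumes GNU grep and find, and the extension list and function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): triage a WordPress tree for the
# "PHP hidden behind an image name" pattern. Assumes GNU grep and find.

# Extensions that should never be the target of include/require (illustrative list).
NON_CODE_EXT='png|jpe?g|gif|ico|bmp|webp|pdf'

# Print file:line:text for PHP statements that include/require a non-code file,
# e.g.  include ('images/social.png');
find_image_includes() {
  grep -rnEi --include='*.php' --include='*.inc' --include='*.phtml' \
    "\b(include|require)(_once)?\b[^;]*\.(${NON_CODE_EXT})\b" "$1"
}

# Print the paths of image-named files whose bytes contain a PHP open tag.
# -a makes grep treat binary data as text; -l lists file names only.
find_php_in_images() {
  find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
      -o -iname '*.gif' -o -iname '*.ico' -o -iname '*.bmp' -o -iname '*.webp' \) \
    -exec grep -laEi '<\?php' {} +
}

# Run both checks and print a short report.
scan_tree() {
  hits=$(find_image_includes "$1")
  files=$(find_php_in_images "$1")
  printf '== include/require of non-code files ==\n%s\n' "${hits:-(none)}"
  printf '== image-named files containing PHP ==\n%s\n' "${files:-(none)}"
}

# Usage: sh scan.sh /path/to/wp-content
if [ -n "${1:-}" ]; then
  scan_tree "$1"
fi
```

An include whose path is assembled from variables or string concatenation will not match the first check, so the second check, which looks at the content of image-named files, is the one that does not depend on how the include is written.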

  • The topic ‘problem with https://genericstts.com/init.min.js’ is closed to new replies.