September 13, 2014 at 8:22 am #318433
Hi,
this morning Google pointed me to potential malware on http://www.musikzentrale.net; in Webmaster Tools it says malware is located in http://www.musikzentrale.net/wp-content/themes/enfold/js/html5shiv.js. I have no idea how to solve this so your help is highly appreciated.
thanks, sebastian
September 13, 2014 at 10:12 am #318442
I’ve got the same.
I removed this file for a while and I sent malware message removal request.
I hope another enfold update would fix this.
thanks.
September 13, 2014 at 11:39 am #318470
Hey!
The html5shiv.js script is required to view modern html5 websites with older browsers like IE7 or IE8. It’s a common script which is also used by the Genesis or WooThemes and it’s not a malware. Everything I can say is that it’s required and that Google webmaster reports a false positive in this case. If you need more information you can study the project page here: https://github.com/aFarkas/html5shiv
Regards,
Peter
September 14, 2014 at 8:16 am #318809
Hi,
using Antivirus, the program found the following files suspicious:
– /themes/enfold/config-layerslider/config.php
$sample_slider = json_decode(base64_decode(file_get_contents(dirname(__FILE__)."/Layer …
sample_slider = json_decode(base64_decode(file_get_contents(dirname(__FILE__)."/LayerSlider/{$path}{$ …
//print_r(base64_encode(str_replace('avia-samples','sampleslider', …
… (str_replace('avia-samples','sampleslider', base64_decode(file_get_contents(dirname(__FILE__).'/Layer …
… ia-samples','sampleslider', base64_decode(file_get_contents(dirname(__FILE__).'/LayerSlider/samplesli …
– /themes/enfold/config-woocommerce/admin-import.php:
if(isset($id)) $file = get_attached_file( $id );
– /themes/enfold/functions-enfold.php:
if(strpos($html, '<iframe') !== false)
$created = avia_backend_create_file($stylesheet, $styles, true);
Here is what Google Safebrowsing reports:
How is musikzentrale.net currently classified?
This website is currently classified as suspicious and may harm your computer.
Part of this website was put on the list 8 times in the last 90 days because of suspicious activity.
What happened when Google visited this website?
In the last 90 days we checked 27 pages of the website. On 10 page(s) we found that malware (malicious software) was downloaded and installed without the user's consent. Google's last visit was on 2014-09-13. Suspicious content was last found on this website on 2014-09-13.
The malware comprises 127 scripting exploit(s).
Malware is hosted on 3 domain(s) (e.g. tyy48.com/, limitlessnewworlds.com/, vertcoin.com.br/).
This website was hosted on 2 network(s) (e.g. AS24940 (HETZNER-AS), AS15169 (GOOGLE)).
Has this website acted as an intermediary for the further distribution of malware?
In the last 90 days musikzentrale.net appears to have acted as an intermediary for the infection of 1 website(s), including muze1.de/.
Has this website hosted malware?
Yes. This website has hosted malware in the last 90 days. It infected 1 domain(s) (e.g. muze1.de/).
How did this classification come about?
Occasionally third parties insert malicious code into legitimate websites. In that case our warning message is displayed.
If you are the owner of this website, you can request a review of your website for malware. Use Google Webmaster Tools for this. You can find more information about the review process in the Webmaster Tools help.
I am really helpless facing this problem – since I am not using layer slider – can I delete the config? I was planning to use Woocommerce again …
Your help is highly appreciated.
Sebastian
September 14, 2014 at 8:29 am #318812
Sebastian, which antivirus software did you use?
September 14, 2014 at 9:19 am #318818
Antivirus by Sergej Müller.
September 14, 2014 at 10:45 am #318828
Hi!
Yes you can deactivate LayerSlider and delete the folder. Open up enfold/functions.php and delete:
if(!current_theme_supports('deactivate_layerslider')) require_once( 'config-layerslider/config.php' );//layerslider plugin
and then delete the enfold/config-layerslider folder. You can also use a child theme and add this code to the child theme functions.php:
add_theme_support('deactivate_layerslider');
to prevent Enfold from loading the layerslider files.
Regards,
Peter
September 14, 2014 at 11:13 am #318834
but Sucuri does not report any malware….
September 14, 2014 at 6:39 pm #318896
Hi,
so I was able to remove most of the marked files, but do not know what to do with this one:
/themes/enfold/functions-enfold.php
if(strpos($html, '<iframe') !== false)
(as marked by Sergej Müller's Antivirus)
Thanks for your advice,
Sebastian.
September 14, 2014 at 8:08 pm #318909
Next step: due to WP Antivirus Protection Guard, the following suspicious files remain:
Heuristic Logic Report
Heuristic algorithm has the capability of detecting malware that was previously unknown. It doesn’t give 100% guarantee that the file is the virus and requires manual review. If these files are not a part of plugins, extensions or website, delete or block them.
If some of the files are listed above in Antivirus Scanner Report, it’s 100% file with malware inside.
If you are not sure, you always can contact our support and we will analyze the files.
Total Scanned Files: 7871
Total Unsafe Files: 9
File
/wp-content/plugins/iphorm-form-builder/includes/common.php
/wp-content/plugins/redirection/ouq.php
/wp-content/plugins/w3-total-cache/lvp.php
/wp-content/plugins/eventON/admin/includes/addon_details.php
/wp-content/plugins/wysija-newsletters/controllers/ajax/config.php
/wp-content/plugins/wysija-newsletters/controllers/back/config.php
/wp-content/muell/w3-total-cache/lib/CSSTidy/data.inc.php
/wp-content/plugins/w3-total-cache/lib/CSSTidy/data.inc.php
/wp-content/themes/enfold/includes/admin/dummy.php
These files are not 100% malicious code/scripts, but contain code elements and commands those have been used in different malicious scripts. Review is required.
Each file in the report might contain malicious code. If you decided to send us the files for inspection it might take us up to 24 hours to analyze them and provide you with detailed report (The service is available for paid members only).
I already managed to remove 12 malware files, so far, so good. Let’s see what Google thinks about these steps.
Regards, Sebastian.
September 15, 2014 at 6:45 am #319035
Hey!
Those files are coming from third party plugins. Removing the files might give you plugin errors. I guess you need to contact the plugin authors to confirm. Anyway, I’m sure they will give you the exact same answer as Dude posted. A lot of users are using those plugins and it is safe to say that they are not malware.
Cheers!
Ismael
September 15, 2014 at 8:41 am #319066
Hi Ismail,
Thanks for coming back on my issues.
How do I handle the virus alert, saying
/themes/enfold/functions-enfold.php
if(strpos($html, '<iframe') !== false)
$created = avia_backend_create_file($stylesheet, $styles, true);
Thanks for your assistance.
Regards, Sebastian.
- This reply was modified 10 years, 2 months ago by mirzepapa.
September 16, 2014 at 12:09 am #319497
Hey!
Looks like a false positive. Without some kind of reason behind why it’s flagged it’s hard to say why it was flagged by whatever you are using.
Best regards,
Devin
September 16, 2014 at 8:09 am #319639
Update: the siteguarding.com team managed to remove the two remaining malware files from the plugin directory. They work pretty fast and obviously it works, since our site can be visited again without the red warning page ahead.
Now let us see how long it takes Google to remove the warning from the SERPs.
Regards, Sebastian.
September 17, 2014 at 3:44 pm #320553
Is anyone else having these issues??
I completely had to remove ENFOLD to get Google to NOT black list my website
Each time Google would black list our website (client’s site) and point to different ENFOLD files as being hacked even though the ENFOLD version I was using is version 2.9.2 (latest version)
Last time Google points to /wp-content/themes/enfold/js/toucheffects.js as being infected
This might be part of a much wider issue with this theme?
Please advise? I can’t use ENFOLD for anything until this has been resolved
September 17, 2014 at 4:52 pm #320589
Yes, it is pretty annoying. Our website was hacked on Friday and after removing some of the malware by hand, using antivirus, sucuri net and wp antivirus protection guard, still some files were infected. Since switching theme is not an option for us, we now had to engage the professional service of protection guard to have our site cleaned and de-blacklisted. I do not want to think about the loss we are facing.
here is the list of infected enfold files:
/wp-content/themes/enfold/framework/js/avia_advanced_form_elements.js
./wp-content/themes/enfold/framework/js/avia_colorpicker.js
./wp-content/themes/enfold/framework/js/avia_dynamic_templates.js
./wp-content/themes/enfold/framework/js/avia_edit_dynamic_templtes.js
./wp-content/themes/enfold/framework/js/avia_media.js
./wp-content/themes/enfold/framework/js/avia_media_advanced.js
./wp-content/themes/enfold/framework/js/avia_media_wp35.js
./wp-content/themes/enfold/framework/js/avia_mega_menu.js
./wp-content/themes/enfold/framework/js/avia_option_pages.js
./wp-content/themes/enfold/framework/js/avia_sidebar.js
./wp-content/themes/enfold/framework/js/conditional_load/avia_conditional_mega_menu.js
./wp-content/themes/enfold/framework/js/conditional_load/avia_google_maps_widget.js
./wp-content/themes/enfold/js/avia-compat.js
./wp-content/themes/enfold/js/avia.js
./wp-content/themes/enfold/js/aviapopup/jquery.magnific-popup.js
./wp-content/themes/enfold/js/aviapopup/jquery.magnific-popup.min.js
./wp-content/themes/enfold/js/mediaelement/jquery.js
./wp-content/themes/enfold/js/mediaelement/mediaelement-and-player.js
./wp-content/themes/enfold/js/mediaelement/mediaelement-and-player.min.js
./wp-content/themes/enfold/js/mediaelement/mediaelement.js
./wp-content/themes/enfold/js/mediaelement/mediaelement.min.js
./wp-content/themes/enfold/js/mediaelement/mediaelementplayer.js
./wp-content/themes/enfold/js/mediaelement/mediaelementplayer.min.js
./wp-content/themes/enfold/js/shortcodes.js
September 17, 2014 at 5:21 pm #320610
Hey!
The nature of what happens when a site is compromised has nothing to do with the theme. If the files are infected, they are infected.
Delete the theme from the server and re-upload it fresh like you did when first installing is all that is required to get the theme files alone back to a clean slate there.
Plugin files, newly created files or server side infections are completely separate and not something we have any ability to effect.
@bjornwallman – That file is not part of the theme files. You should delete it.
Best regards,
Devin
September 17, 2014 at 5:33 pm #320621
I actually installed a brand new download of ENFOLD and I still got black listed… why is this happening? Is it b/c I use the same DB? Why are these files inside ENFOLD , I didn’t add any 3rd party plug ins
We really need to figure this out or I won’t be able to use ENFOLD again (the client would fire me).
September 17, 2014 at 6:06 pm #320648
@devin: my entry was not meant to blame anyone. I am very much aware of the fact that I was ignorant as far as security is concerned, just because I had luck – until now.
Since this attack was something new to me, I wanted to inform you @kriesis which files had been infected, maybe this is of some help for anyone.
Cheers, Sebastian
September 17, 2014 at 9:02 pm #320728
@bjornwallman – Even if you installed a fresh copy of the theme on top of itself that file (/wp-content/themes/enfold/js/toucheffects.js) could be write protected so that it doesn’t get deleted.
If you aren’t checking errors when writing over things then it could have thrown an error that the file wasn’t able to be removed, or if you were only uploading the theme again it wouldn’t have been deleted.
So once again, the file toucheffects.js is not part of Enfold and ThemeForest wouldn’t let a theme with malware be uploaded for re-distribution anyway. They scan all files and must approve all updates before they can be rolled out.
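One way to check what the replies above describe (files that are not part of the theme, and files that survive a re-upload), added here as an illustration and not part of any forum reply or of Enfold's code: compare the installed theme folder with a freshly downloaded copy of the same version. The function names, directory layout and file contents are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file's path relative to root to the SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_theme(installed: Path, pristine: Path) -> dict:
    """Classify installed files against a fresh download of the same theme version."""
    have, want = manifest(installed), manifest(pristine)
    return {
        # Present on the server but never shipped with the theme: review and delete.
        "extra": sorted(set(have) - set(want)),
        # Shipped with the theme but the contents differ: replace from the fresh copy.
        "modified": sorted(f for f in have.keys() & want.keys() if have[f] != want[f]),
        # Shipped with the theme but absent on the server.
        "missing": sorted(set(want) - set(have)),
    }


def build_demo(base: Path):
    """Constructed sample trees: file names taken from the thread, contents invented."""
    pristine, installed = base / "pristine", base / "installed"
    for root in (pristine, installed):
        (root / "js").mkdir(parents=True)
        (root / "js" / "avia.js").write_text("/* theme script */\n")
        (root / "js" / "html5shiv.js").write_text("/* html5shiv */\n")
    # Simulated tampering: one theme file altered, one file added that is not in the package.
    with (installed / "js" / "avia.js").open("a") as fh:
        fh.write("/* appended by someone else */\n")
    (installed / "js" / "toucheffects.js").write_text("/* unknown file */\n")
    return installed, pristine


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        installed, pristine = build_demo(Path(tmp))
        return compare_theme(installed, pristine)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(kind, files)
```

Uploading a fresh copy over the old folder only overwrites files the package contains, so anything reported under "extra" stays on the server until the folder is deleted first.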
September 17, 2014 at 9:48 pm #320744
Delete all WP core installation files (except .htaccess and wp-config.php) and upload all core files again. I hope it helps.
September 17, 2014 at 10:04 pm #320760
Thanks guys! I appreciate it…
September 18, 2014 at 7:24 pm #321421
Hope you are able to get it sorted out, I know it can be a massive pain when a site gets compromised but from our end we would never ever let the theme itself stay out in the wild with any security issues.
September 25, 2014 at 1:55 pm #324966
Hello.
Security Issues
Malware and unwanted software
Google has detected harmful code either on your domain, or a domain that your site is referencing. We recommend you clean up the harmful code as soon as possible. Read up on cross-site malware warnings in our Help Center.
Undetermined malware
These pages directed users to a site that serves malware or unwanted software. Unfortunately, the malicious code within the page could not be isolated.
Show details
Sample URLs Last detected
http://www.studioblitz.ro/?wpmp_switcher=mobile 9/19/14
It’s very annoying because they block my website. If I put an old theme they don’t detect any malware. If I put the latest update of the theme I have this problem. Please Help!!!!!!!!!!!!!!!!!
September 25, 2014 at 5:20 pm #325109
Hey @sorinlati!
This is not coming from the theme itself. Ask your hosting provider to scan your account for malware, delete the theme folder completely and then re-install it from a fresh download just like you did the first install of the theme.
You will need to have google re-scan your site after you’ve cleaned up the server otherwise you will keep getting flagged. Unfortunately in these situations we don’t have any way of helping other than this general advice.
Regards,
Devin
September 26, 2014 at 6:56 pm #325730
Hello Team!
Please help me, my website is on the Google blacklist!!!
arollapine.com
But I checked it (as far as possible with my skills) but couldn’t find anything!
Can you please delete the malware?
Thank you!
September 26, 2014 at 8:06 pm #325743
Unfortunately we can not assist with removing infected files from any user’s server. Your best resource is your hosting provider or a freelance developer from somewhere like Envato Studio.
I’m closing off this topic since the original topic has been answered and dealt with but it keeps getting added on to.
- The topic ‘Google reports malware in enfold file’ is closed to new replies.