  • #318433

    Hi,

    This morning Google pointed me to potential malware on http://www.musikzentrale.net; in Webmaster Tools it says malware is located in http://www.musikzentrale.net/wp-content/themes/enfold/js/html5shiv.js. I have no idea how to solve this, so your help is highly appreciated.

    Thanks, Sebastian

    #318442

    I’ve got the same.

    I removed this file for a while and I sent a malware message removal request.

    I hope another enfold update would fix this.

    thanks.

    #318470

    Hey!

    The html5shiv.js script is required to view modern HTML5 websites with older browsers like IE7 or IE8. It’s a common script which is also used by Genesis or WooThemes, and it’s not malware. Everything I can say is that it’s required and that Google Webmaster reports a false positive in this case. If you need more information you can study the project page here: https://github.com/aFarkas/html5shiv

    Regards,
    Peter

    #318809

    Hi,
    Using Antivirus, the program found the following files suspicious:

    – /themes/enfold/config-layerslider/config.php
    $sample_slider = json_decode(base64_decode(file_get_contents(dirname(__FILE__).”/Layer …
    sample_slider = json_decode(base64_decode(file_get_contents(dirname(__FILE__).”/LayerSlider/{$path}{$ …
    //print_r(base64_encode(str_replace(‘avia-samples’,’sampleslider’, …
    … (str_replace(‘avia-samples’,’sampleslider’, base64_decode(file_get_contents(dirname(__FILE__).’/Layer …
    … ia-samples’,’sampleslider’, base64_decode(file_get_contents(dirname(__FILE__).’/LayerSlider/samplesli …

    – /themes/enfold/config-woocommerce/admin-import.php:
    if(isset($id)) $file = get_attached_file( $id );

    – /themes/enfold/functions-enfold.php:
    if(strpos($html, ‘<iframe’) !== false)
    $created = avia_backend_create_file($stylesheet, $styles, true);

    Here is what Google Safebrowsing reports:

    What is the current listing status for musikzentrale.net?

    This site is currently listed as suspicious and may harm your computer.

    Part of this site was listed for suspicious activity 8 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 27 pages we tested on the site over the past 90 days, 10 page(s) resulted in malware (malicious software) being downloaded and installed without user consent. The last time Google visited this site was on 2014-09-13. Suspicious content was last found on this site on 2014-09-13.

    The malware includes 127 scripting exploit(s).

    Malware is hosted on 3 domain(s) (e.g. tyy48.com/, limitlessnewworlds.com/, vertcoin.com.br/).

    This site was hosted on 2 network(s) (e.g. AS24940 (HETZNER-AS), AS15169 (GOOGLE)).

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, musikzentrale.net appeared to function as an intermediary for the infection of 1 site(s), including muze1.de/.

    Has this site hosted malware?

    Yes. This site has hosted malware over the past 90 days. It infected 1 domain(s) (e.g. muze1.de/).

    How did this classification come about?

    Occasionally, third parties add malicious code to legitimate websites. In that case our warning message is shown.

    If you are the owner of this site, you can request a review of your site for malware. Use Google Webmaster Tools to do so. More information about the review process is available in the Webmaster Tools help.

    I am really helpless facing this problem – since I am not using LayerSlider – can I delete the config? I was planning to use WooCommerce again …

    Your help is highly appreciated.
    Sebastian

    #318812

    Sebastian, which antivirus software did you use?

    #318818

    Antivirus by Sergej Müller.

    #318828

    Hi!

    Yes you can deactivate LayerSlider and delete the folder. Open up enfold/functions.php and delete:

    
    
    if(!current_theme_supports('deactivate_layerslider')) require_once( 'config-layerslider/config.php' );//layerslider plugin
    

    and then delete the enfold/config-layerslider folder. You can also use a child theme and add this code to the child theme functions.php:

    
    add_theme_support('deactivate_layerslider');
    

    to prevent Enfold from loading the layerslider files.

    Regards,
    Peter

    #318834

    but Sucuri does not report any malware….

    #318896

    Hi,

    So I was able to remove most of the marked files, but I do not know what to do with this one:

    /themes/enfold/functions-enfold.php
    if(strpos($html, ‘<iframe’) !== false)

    (as marked by Sergej Müller’s Antivirus)

    Thanks for your advice,
    Sebastian.

    #318909

    Next step: due to WP Antivirus Protection Guard, the following suspicious files remain:

    Heuristic Logic Report
    Heuristic algorithm has the capability of detecting malware that was previously unknown. It doesn’t give 100% guarantee that the file is the virus and requires manual review. If these files are not a part of plugins, extentions or website, delete or block them.
    If some of the files are listed above in Antivirus Scanner Report, it’s 100% file with malware inside.
    If you are not sure, you always can contact our support and we will analyze the files.

    Total Scanned Files: 7871
    Total Unsafe Files: 9

    File
    /wp-content/plugins/iphorm-form-builder/includes/common.php
    /wp-content/plugins/redirection/ouq.php
    /wp-content/plugins/w3-total-cache/lvp.php
    /wp-content/plugins/eventON/admin/includes/addon_details.php
    /wp-content/plugins/wysija-newsletters/controllers/ajax/config.php
    /wp-content/plugins/wysija-newsletters/controllers/back/config.php
    /wp-content/muell/w3-total-cache/lib/CSSTidy/data.inc.php
    /wp-content/plugins/w3-total-cache/lib/CSSTidy/data.inc.php
    /wp-content/themes/enfold/includes/admin/dummy.php
    These files are not 100% malicious code/scripts, but contain code elements and commands those have been used in different malicious scripts. Review is required. Each file in the report might contain malicious code. If you decided to send us the files for inspection it might take us up to 24 hours to analyze them and provide you with detailed report (The service is available for paid members only).

    I already managed to remove 12 malware files, so far, so good. Let’s see what Google thinks about these steps.

    Regards, Sebastian.

    #319035

    Hey!

    Those files are coming from third-party plugins. Removing the files might give you plugin errors. I guess you need to contact the plugin authors to confirm. Anyway, I’m sure they will give you the exact same answer as Dude posted. A lot of users are using those plugins and it is safe to say that they are not malware.

    Cheers!
    Ismael

    #319066

    Hi Ismael,
    Thanks for coming back on my issues.
    How do I handle the virus alert saying

    /themes/enfold/functions-enfold.php
    if(strpos($html, ‘<iframe’) !== false)
    $created = avia_backend_create_file($stylesheet, $styles, true);

    Thanks for your assistance.

    Regards, Sebastian.

    #319497

    Hey!

    Looks like a false positive. Without some kind of reason behind why it’s flagged, it’s hard to say why it was flagged by whatever you are using.

    Best regards,
    Devin

    #319639

    Update: the siteguarding.com team managed to remove the two remaining malware files from the plugin directory. They work pretty fast and obviously it works, since our site can be visited again without the red warning page ahead.

    Now let us see how long it takes Google to remove the warning from the SERPs.

    Regards, Sebastian.

    #320553

    Is anyone else having this issue??

    I completely had to remove ENFOLD to get Google to NOT blacklist my website.

    Each time Google would blacklist our website (client’s site) and point to different ENFOLD files as being hacked, even though the ENFOLD version I was using is version 2.9.2 (latest version).

    Last time Google points to /wp-content/themes/enfold/js/toucheffects.js as being infected.

    This might be part of a much wider issue with this theme?

    Please advise? I can’t use ENFOLD for anything until this has been resolved.

    #320589

    Yes, it is pretty annoying. Our website was hacked on Friday and after removing some of the malware by hand, using Antivirus, Sucuri net and WP Antivirus Protection Guard, still some files were infected. Since switching theme is not an option for us, we now had to engage the professional service of Protection Guard to have our site cleaned and de-blacklisted. I do not want to think about the loss we are facing.

    Here is the list of infected Enfold files:

    /wp-content/themes/enfold/framework/js/avia_advanced_form_elements.js
    ./wp-content/themes/enfold/framework/js/avia_colorpicker.js
    ./wp-content/themes/enfold/framework/js/avia_dynamic_templates.js
    ./wp-content/themes/enfold/framework/js/avia_edit_dynamic_templtes.js
    ./wp-content/themes/enfold/framework/js/avia_media.js
    ./wp-content/themes/enfold/framework/js/avia_media_advanced.js
    ./wp-content/themes/enfold/framework/js/avia_media_wp35.js
    ./wp-content/themes/enfold/framework/js/avia_mega_menu.js
    ./wp-content/themes/enfold/framework/js/avia_option_pages.js
    ./wp-content/themes/enfold/framework/js/avia_sidebar.js
    ./wp-content/themes/enfold/framework/js/conditional_load/avia_conditional_mega_menu.js
    ./wp-content/themes/enfold/framework/js/conditional_load/avia_google_maps_widget.js
    ./wp-content/themes/enfold/js/avia-compat.js
    ./wp-content/themes/enfold/js/avia.js
    ./wp-content/themes/enfold/js/aviapopup/jquery.magnific-popup.js
    ./wp-content/themes/enfold/js/aviapopup/jquery.magnific-popup.min.js
    ./wp-content/themes/enfold/js/mediaelement/jquery.js
    ./wp-content/themes/enfold/js/mediaelement/mediaelement-and-player.js
    ./wp-content/themes/enfold/js/mediaelement/mediaelement-and-player.min.js
    ./wp-content/themes/enfold/js/mediaelement/mediaelement.js
    ./wp-content/themes/enfold/js/mediaelement/mediaelement.min.js
    ./wp-content/themes/enfold/js/mediaelement/mediaelementplayer.js
    ./wp-content/themes/enfold/js/mediaelement/mediaelementplayer.min.js
    ./wp-content/themes/enfold/js/shortcodes.js

    #320610

    Hey!

    The nature of what happens when a site is compromised has nothing to do with the theme. If the files are infected, they are infected.

    Deleting the theme from the server and re-uploading it fresh, like you did when first installing, is all that is required to get the theme files alone back to a clean slate there.

    Plugin files, newly created files or server-side infections are completely separate and not something we have any ability to affect.

    @bjornwallman – That file is not part of the theme files. You should delete it.

    Best regards,
    Devin

    #320621

    I actually installed a brand new download of ENFOLD and I still got blacklisted… why is this happening? Is it b/c I use the same DB? Why are these files inside ENFOLD? I didn’t add any 3rd party plugins.

    We really need to figure this out or I won’t be able to use ENFOLD again (the client would fire me).

    #320648

    @devin: My entry was not meant to blame anyone. I am very much aware of the fact that I was ignorant as far as security is concerned, just because I had luck – until now.

    Since this attack was something new to me, I wanted to inform you, @kriesis, which files had been infected; maybe this is of some help for anyone.

    Cheers, Sebastian

    #320728

    @bjornwallman – Even if you installed a fresh copy of the theme on top of itself that file (/wp-content/themes/enfold/js/toucheffects.js) could be write protected so that it doesn’t get deleted.

    If you aren’t checking errors when writing over things then it could have thrown an error that the file wasn’t able to be removed, or if you were only uploading the theme again it wouldn’t have been deleted.

    So once again, the file toucheffects.js is not part of Enfold and ThemeForest wouldn’t let a theme with malware be uploaded for re-distribution anyway. They scan all files and must approve all updates before they can be rolled out.
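
The point made in the replies above (re-uploading over an existing folder leaves behind files that were never part of the theme, and changed files still have to be found) can be checked by hashing the installed theme directory against a freshly unpacked download. This is an added example, not part of the original thread or of Enfold's code; the function names and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_theme(clean_root, installed_root):
    """Return (modified, extra, missing) relative paths, each sorted.

    modified: in both trees but content differs; extra: only on the server;
    missing: shipped in the clean copy but absent on the server.
    """
    clean, live = tree_hashes(clean_root), tree_hashes(installed_root)
    modified = sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p])
    extra = sorted(live.keys() - clean.keys())
    missing = sorted(clean.keys() - live.keys())
    return modified, extra, missing


def demo():
    """Compare two small constructed trees (stand-ins, not real theme files)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "avia.js").write_text("// constructed sample\n")
            (root / "js" / "shortcodes.js").write_text("// constructed sample\n")
        # One file with appended content, one file the clean copy never shipped.
        with open(live / "js" / "avia.js", "a") as fh:
            fh.write("/* constructed: appended after install */\n")
        (live / "js" / "toucheffects.js").write_text("// constructed: extra file\n")
        return compare_theme(clean, live)


if __name__ == "__main__":
    # With two arguments: <fresh unpacked theme dir> <installed theme dir>.
    result = compare_theme(*sys.argv[1:3]) if len(sys.argv) == 3 else demo()
    for label, paths in zip(("MODIFIED", "EXTRA", "MISSING"), result):
        for path in paths:
            print(f"{label}\t{path}")
```

Files reported as EXTRA are the ones an overwrite-style re-upload would leave in place; MODIFIED files are the ones to diff by hand before replacing them.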

    #320744

    Delete all WP core installation files (except .htaccess and wp-config.php) and upload all core files again. I hope it helps.

    #320760

    Thanks guys! I appreciate it…

    #321421

    Hope you are able to get it sorted out. I know it can be a massive pain when a site gets compromised, but from our end we would never ever let the theme itself stay out in the wild with any security issues.

    #324966

    Hello.

    Security Issues

    Malware and unwanted software
    Google has detected harmful code either on your domain, or a domain that your site is referencing. We recommend you clean up the harmful code as soon as possible. Read up on cross-site malware warnings in our Help Center.

    Undetermined malware
    These pages directed users to a site that serves malware or unwanted software. Unfortunately, the malicious code within the page could not be isolated.
    Sample URLs / Last detected
    http://www.studioblitz.ro/?wpmp_switcher=mobile 9/19/14

    It’s very annoying because they block my website. If I put an old theme they don’t detect any malware. If I put the latest update of the theme I have this problem. Please Help!!!!!!!!!!!!!!!!!

    #325109

    Hey @sorinlati!

    This is not coming from the theme itself. Ask your hosting provider to scan your account for malware, delete the theme folder completely and then re-install it from a fresh download just like you did the first install of the theme.

    You will need to have Google re-scan your site after you’ve cleaned up the server, otherwise you will keep getting flagged. Unfortunately in these situations we don’t have any way of helping other than this general advice.

    Regards,
    Devin

    #325730

    Hello Team!

    Please help me, my website is on the Google blacklist!!!
    arollapine.com
    But I checked it (as far as possible with my skills) but couldn’t find anything!
    Can you please delete the malware?
    Thank you!

    #325743

    Unfortunately we cannot assist with removing infected files from any user’s server. Your best resource is your hosting provider or a freelance developer from somewhere like Envato Studio.

    I’m closing off this topic since the original topic has been answered and dealt with, but it keeps getting added on to.

  • The topic ‘Google reports malware in enfold file’ is closed to new replies.