Does anybody know what this is???

[lovboa]

Recently, I was seeing some weird things on my website that made me to believe that my site had been hacked.

I noticed that my site takes an extra 3-4 seconds to load. It will load the page and then at the bottom it will say...

waiting for s1.wpstats.net....here it takes about 3-4 seconds and then it finally finishes loading.

Does anybody know what this site is?
It looks like a spam/hack site but I could be wrong.

I tried to go to the website - s1,wpstats,net ...and this page shows up
FeverAds Rock!

What is going on? What is that???

[djduncan]

The exact same thing happened to one of my blogs, I just noticed today. I found 2 files in the public_html part of the blog, wpstats.php and wpstats.js. The footer of the blog tries to load wpstats.js, which after that loads something from s1.wpstats.net.

Does anybody know what this is? I've deleted the 2 files, but in the source of the page/post I still see this line, in the footer:

<script type="text/javascript" src="hxxp://mywebsite.com/wpstats.js"></script>

Do you have any idea how I can find out which plugin, or what, triggers this line to load? Cause I cannot see it anywhere in the theme's code.

[Matt Braun]

you aren't using wordpress are you?

[djduncan]

Quote:

Originally Posted by Matt Braun

you aren't using wordpress are you?

Yes, it's a self-hosted Wordpress blog.

[lovboa]

djduncan,

Contact your hosting company. I contacted my hosting company and told them about the issue. After checking my account they told me that there were malicious files uploaded to my account and they did a cleanup for me and got rid of them. Everything is cleaned now and i am not seeing wpstats.js in my source file anymore. Goodluck

[milapetersburg]

If that piece of script line was inserted before or after the php opening and closing tags <?php ?>, then it is positively a virus. I have had a self-hosted wordpress blog that was identified by google webmaster tool as having malicious malware - and the browser is showing a malware attack page with red background when the site is visited (having the the code (script) live on usually the index.php page. )

What I did to excuse from this malware attack was, I removed the script code before <? and any white spaces after ?>. After the cleaning, I also deleted the referenced files in the script, changed the files affected to 644 file permission (usually the code is automatically inserted on files with 777 file permission on the server) and, lastly, updated my FTP credentials. It didn't happen again after than. Hope this will help everybody here experiencing the same problem.

[lovboa]

The wierd thing is, i dont even know if the s1.wpstats.net is a malicious file. The first time i saw it, i tried to go to s1.wpfiles.net and it took me to a blank screen with nothing but a login popup. Now it is redirecting to wordpress.org.

[djduncan]

Well there's definitely something malicious going on, those wpstats.php and wpstats.js files didn't just show up there from thin air. I've contacted the hosting company, let see what files they find as being infected.

[milapetersburg]

Quote:

Originally Posted by lovboa

The wierd thing is, i dont even know if the s1.wpstats.net is a malicious file. The first time i saw it, i tried to go to s1.wpfiles.net and it took me to a blank screen with nothing but a login popup. Now it is redirecting to wordpress.org.

If it was inserted to your page without your knowledge, then I presume you already know what it is or what exactly is going on. If this is a traffic counter that you have configured previously, then it is safe to assume that it is not an attack. But reading your original post, it appears that you have not inserted it yourself, and so it could be inserted by some sorta server level attack.

[djduncan]

I think it's an infected theme of plugin...

lovboa, what theme were you using?

[akyyyy]

hey sorry dont want to hijack ur thread but im having a similar issue with one of my websites.

my site is also taking a few extra seconds to load. in the status bar is says "connected to wpstats.org" and my site eventually loads

i have disabled all plugins, same issue. I then changed back to the original theme twenty eleven and everything is fine. what does that mean?

OP, are you using flexsqueeze by any chance? I havent made any edits to the theme so im not sure why it has all of a sudden happening.

OP, if you are using flexsqueeze PM me.

[Illuminations]

There are lots of hackers lingering in the Internet. One of my website was hacked by a hacker named s1a41. My website changed into a white screen with Arabic encryption. I nearly freaked out when I first saw my site.

[akyyyy]

yea, but this seems to be limited to flexsqueeze theme.

if i change themes this doesnt happen

[lovboa]

Anyone experiencing this...don't panic and just contact your hosting company. I use HostGator and i was honestly amazed at their support.

Don't delete any files that you believe to be the malicious files. The hosting company will look through your files, find the malicious files, and clean up.

[PeckhamPirate]

Alternatively, simple go to your File manager, search out the file, minus the .net and you'll find the nasty little critter sitting there all on it's own.
Simply delete the offending file and bingo.

I discovered this after my host - FatCow in this case - refused to help.
Note to the cautious, or anyone searching a new hosting co.

[nt10000]

I changed my WP theme yesterday and noticed the same thing happening. I found the two files wpstats.js and wpstats.php in the site root directory. I deleted both of those and the problem went away...