There are many variations of the Counter.php malware floating around the interwebs. This is a malicious redirect that sends your readers to a known bad site; that site houses a payload that responds based on the incoming user-agent.
- Malicious Site: natbushing.com
- Payload: counter.php
Check out Sucuri Labs for more variations of Counter.php.
If you use our free SiteCheck Scanner you might see a display like this:
We often recommend using a number of terminal commands to identify and remove the infection, but here is a scenario where you can’t do that. The reason is that the redirect is actually encoded, and what you’re seeing above is the display in the browser, not how it’s encased in the files.
If you look on your server it actually looks something like this:
What we can tell you is that when you scan your site you might see that every page is infected with this issue. In those cases, that’s a good sign that it’s likely embedded within one of your core PHP files. Files that are more commonly impacted are within all theme directories on the server:
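Because a plain-text search for the domain misses an encoded redirect, the following added example (not Sucuri's tooling) decodes candidate strings in every `.php` file under a directory and reports any that reveal the indicators named above. It assumes the encoding is base64, possibly nested, which this page does not specify; `find_hits`, `scan_tree` and `constructed_sample` are hypothetical names.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Indicators named on this page, matched case-insensitively.
INDICATORS = (b"natbushing.com", b"counter.php")
# Assumption: the hidden redirect sits in a base64 string of 24+ characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def find_hits(data, depth=0, max_depth=3):
    """Return {(indicator, layers)}: layers = base64 decodes needed to expose it."""
    hits = {(ind.decode(), depth) for ind in INDICATORS if ind in data.lower()}
    if depth < max_depth:
        for match in B64_RUN.finditer(data):
            run = match.group().rstrip(b"=")
            run += b"=" * (-len(run) % 4)  # restore padding before decoding
            try:
                decoded = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, e.g. a long identifier or path
            hits |= find_hits(decoded, depth + 1, max_depth)
    return hits


def scan_tree(root):
    """Scan every .php file under root; return {path: sorted hits} for matches."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        if not path.is_file():
            continue
        hits = find_hits(path.read_bytes())
        if hits:
            report[str(path)] = sorted(hits)
    return report


def constructed_sample(layers=1):
    """Constructed test input: the page's indicator wrapped in base64 layers."""
    blob = b"http://natbushing.com/counter.php"
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return b'<?php $u = "' + blob + b'"; ?>'


if __name__ == "__main__":
    # Usage: python scan_counter.py /path/to/themes
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, found)
```

A hit with a layer count of 0 means the indicator is present in clear text; a count of 1 or more means it only appeared after that many decodes, which is the case an ordinary grep for the domain misses.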
If you have any questions or would prefer that we take care of this for you, simply let us know at email@example.com.