After updating the theme of the compromised site, removing TimThumb completely and [intlink id=”2372″ type=”post”]following clean up procedures[/intlink] the site I look after still had issues. I hadn’t noticed but other users were getting warnings in Chrome and being redirected to various affiliate sites. The worst was that the site seemed to have been removed from Google so the hits dropped rapidly.
I spotted the redirect going to counter-wordpress.com and then did some internet searching, which brought me to a great thread about cleaning it up. Using Sucuri SiteCheck I was directed to the source of the redirects, /wp-includes/js/l10n.js, a Java script that was planted through the TimThumb vulnerability. I deleted the file and re-ran Sucuri SiteCheck and this time nothing was found. Sigh of relief.
A little more digging on the Sucuri website lead me to a custom WordPress PHP file that can be uploaded and ran to test your WordPress site out. All in all a very helpful resource.