WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

[RobinX]

does this effect if someone has hosted wordpress 2.7 on their shared hosting ? I did not upgraded to 2.8 yet ..

[HeySal]

Quote:

Originally Posted by RobinX

does this effect if someone has hosted wordpress 2.7 on their shared hosting ? I did not upgraded to 2.8 yet ..

Yes. Upgrading will not keep you from the virus - mine was just updated to 2.8 about an hour before it was whacked.

Once again - have php, 777 permissions running? You can get hit. Can't get much clearer than that.

[HeySal]

Quote:

Originally Posted by lakeview

HeySal,

It's Stress Free Wedding Planning

Thanks so very much!!! I'm in a bit of a panic here.

Angela

So far so good for you Angela - might wanna download some free anti-virus ware that will detect it and just click around it everyday - Avast works, I've heard AGV does, too - not sure what else might but I know many don't.

And if anyone posts codes that you don't understand on your site, just delete them. Not worth the risk and if they are doing so it's probably just spam at the very least anway.

[Leon McKee]

Sal, I wanted to clarify what you had been doing when this all started for this specific occurrence. You indicated it was wordpress.com so did this happen on the wordpress.com site or "your" hosted site while browsing themes in WP 2.8? I'm wondering if you had been actually accessing the wordpress.org site via the "add new themes" option?

Leon McKee

[ECS Dave]

I hope the below helps...

Quote:

Originally Posted by Leon McKee

Sal, I wanted to clarify what you had been doing when this all started for this specific occurrence. You indicated it was wordpress.com so did this happen on the wordpress.com site or "your" hosted site while browsing themes in WP 2.8? I'm wondering if you had been actually accessing the wordpress.org site via the "add new themes" option?

Leon McKee

Quote:

Originally Posted by ECS Dave

Actually Mark, Sal's talking about a self-hosted wordpress installation.
She was using the "Add New Themes" interface, built into the WP
dashboard, which links to the wp-themes.com site. Being the brave
soul that I am, I browsed the pages myself, but (thankfully) was unable
to recreate the error/problem/issue.

Be Well!
ECS Dave

Further news...

I have notified the server company of this issue...
Am awaiting their reply...

Be Well!
ECS Dave

[lakeview]

Thank you so much for checking HeySal!!

I'm using AVG and nothing was detected. I know practically noting about WP, but my issue looks to be possible attempted (unsuccessful) attacks. It also started shortly after I upgraded to WP 2.8.

Angela

[Ken Strong]

Quote:

Originally Posted by apc01

I always suggest people run an anti-trojan program every day. The best in my view is:

A-Squared

Not aff link.

Is this program different from what Spybot does?

[HeySal]

Dave - I had previewed two themes - went to do a new search, I didn't check anything on the form but clicked to search. I had page 6 almost loaded when Avast went off so as far as I can tell it was page 6 of a general search with no parimeters selected.

Ken - this isn't spyware - other than eventually it will deliver a rootkit (keylogger). It's a malicious worm that creates security holes, deposits false JS codes that redirect people from your site, then if unstopped lets in a rootkit to collect ALL data. Loads of fun. Toy compliments of Russia.

[Leon McKee]

Thanks Dave! I'm starting to get the big picture now and the 777 clarification from Sal helps a lot. I'll check back later to see how this thread is coming along.

Leon McKee

[Harry Behrens]

Quote:

Originally Posted by HeySal

Once again - have php, 777 permissions running? You can get hit. Can't get much clearer than that.

Whoa whoa whoa... 777 permissions?

You don't need a virus to be going around to be hit if you're running 777 permissions. That's a huge security hole in and of itself. Anybody with some scripting knowledge and a bit of spare time can hit you like that.

Always keep 644 permissions on your files and 755 permissions on your directories. Only change that if you specifically need to for a good reason (which, for me, after 5 years of web designing and IM'ing, has never happened).

If in doubt, ask your hosting customer support what are the default file permissions on your server and how to change them. A lot of the big, good hosting servers that focus on security (eg HostGator etc) automatically apply tight permissions to every file behind the scenes. You really want to go with one of these if you're not comfortable with setting everything up on your own.

[Peter Bestel]

Quote:

Originally Posted by KenStrong

Is this program different from what Spybot does?

Ken,

A-Squared seems to catch a LOT more than Spybot. I've been running Spybot, followed by A-Squared, followed by Malwarebytes, all in safe mode, after switching off System restore. It takes a few hours but it's worth it.

Remember to switch System Restore back on once you're done.

Peter

PS Be aware that these progs can throw up 'false positives' ie harmless files that it 'thinks' are bad guys. Confusing eh?

[HeySal]

hmbehrens - that is correct. But some people need to know that. That is only one of its targets - it's the programs that you can run 777 on themselves that are targeted no matter what permissions you have set.

Peter - that is why I use Avast -never had a false positive yet.

I just was reading and I saw that if you turn off your JS in your browser you can see these codes. Might be worth a try.

[Harry Behrens]

Quote:

Originally Posted by HeySal

hmbehrens - that is correct. But some people need to know that. That is only one of its targets - it's the programs that you can run 777 on themselves that are targeted no matter what permissions you have set.

Yep I agree, I didn't mean to sound like I was dismissing your warning or anything like that, I was just noting it for anyone who might not know

In general one should always have Avast or some other good and up-to-date antivirus with web-detect and blocking capabilities running. And keep alert for anything weird.

[Peter Bestel]

Sal,

I was running an up-to-date version of Avast when I got infected - 'something' disabled it and I couldn't switch it back on!!!

I downloaded AVG and uninstalled Avast.

I hear the new version of Norton is actually very good (horror of horrors) but it's true. May consider that.

Peter

[awesometbn]

Quote:

Originally Posted by Leon McKee

Mark, what I'm asking for are specific links that show the Mac OS is or has been infected. A lot of marketers do have Macs sitting on their desktops so it's a good idea to stay abreast of these types of issues to say the least.

True, the Mac has less marketshare than other operating systems such as Windows. But Apple still gets attacked like everyone else. Need specific references? Take a look at one of the latest SANS newsletters. Here's the one from June 11, 2009.

Source: SANS Institute - @RISK: The Consensus Security Vulnerability Alert

Below is an excerpt about Safari, but there are other software vulnerabilities to worry about such as Microsoft Office for Mac, and others. What this means is you must take a proactive approach to protect yourself and your data if it is important to you.

Quote:

Apple's Safari web browser, installed by default on all recent versions of Mac OS X, contains multiple vulnerabilities. The first issue is a memory corruption vulnerability caused due to improper garbage collection of JavaScript set elements in WebCore. The second is an uninitialized pointer issue caused due to calling a method for an object that doesn't exist. The third issue is a memory corruption vulnerability caused to improper handling of attr() function in a CSS content object. The fourth issue is an error in CFNetwork caused due to misidentification of certain image files as HTML, leading to JavaScript execution. The fifth issue is information disclosure vulnerability due to errors in CFNetwork. The sixth issue is caused due to memory corruption errors in CoreGraphics while processing arguments. The seventh issue is also caused to memory corruption errors in CoreGraphics but while handling TrueType fonts. The eighth issue is in FreeType v2.3.8, which has multiple integer overflows. The ninth issue is in CoreGraphics handling malicious PDF files which might lead to memory corruption. The tenth issue exists while handling PNG files caused due to uninitialized pointers. The eleventh issue is caused due to improper handling of certain character encodings by ICU. The twelfth issue is multiple vulnerabilities in libxml2 version 2.6.16. The thirteenth issue is bypass of revocation checking caused due to improper handling of EV certificates. The fourteenth issue is that the Reset button in Reset Safari may not remove website passwords from memory immediately. The fifteenth issue is an error in Private Browsing feature. The sixteenth issue is an error in open-help-anchor URL handler which may lead to disclosure of local file content. The Seventeenth issue is an error in Safari Windows Installer which might lead to Safari being run with elevated privileges for its initial launch. There are some more cross-site scripting, Website spoofing, memory corruption, type conversion errors in Apple Webkit which might lead to remote code execution for the attackers. Some technical details for some of these vulnerabilities are publicly available.

[John Henderson]

Quote:

Originally Posted by awesometbn

Below is an excerpt about Safari...

You missed a line out: "Affected: Apple Safari versions prior to 4.0"

[awesometbn]

Quote:

Originally Posted by John Henderson

You missed a line out: "Affected: Apple Safari versions prior to 4.0"

Right, I was just displaying an excerpt from the newsletter. For more info about Mac OS vulnerabilities, get it directly from the source, the software manufacturer itself Apple - Support - Product Security

[Nightengale]

Ok, this is scaring me.

My site is done all in WP 2.7. I'm not at all techie and I know zilch about the technical side of WP. I barely know what plugins are and I've never installed one myself. I had someone else design my WP site and a second person handled the technical issues of it for me when I needed it customized.

I have no idea how to tell if my site's infected or how to protect it. I don't have Avast and I think I recently deleted AVG, I'll have to download it again.

In the meantime, could someone help me by checking it out for me? I'd greatly appreciate it. If it's infected, I need to get it fixed. If not, I need instructions on how to reset the permissions (if that's what will protect me).

I'd greatly appreciate any help!

Sincerely,
Michelle

[oregoncountry]

I can't even find my post. What should I do? I just did a WP blog today I worked so hard and now Im hearing theres a virus there? I just had my ISP Satellite fried by lightning, as well as my antenna. I was out of commission(literally)for 8 days Can someone help me? Denise

I have AVG and Avast is now installing so I can run it.

[Kay King]

Quote:

You don't need a virus to be going around to be hit if you're running 777 permissions.

Thanks for asking that and getting it answered. I've been sitting here, too, thinking "why would anyone be running 777 permissions". Seems its the ability to set 777 that leaves the hole for this one.

kay

[MizzCindy]

OK, I'm a bit confused, so please bear with me...

You are running wordpress version 2.7.1. Correct?

You were viewing available themes from wordpress.com and became infected via that route. Still correct?

You arrived at the themes gallery (browsed to page 6) by clicking the 'Wordpress Theme Directory' link under 'Get More Themes' at the bottom of the 'Manage Themes' page under 'Appearance'. Am I still with the program?

Now here's where my confusion comes in. I'm not understanding how you ended up at wordpress.com. When I mouse over the 'Get More Themes' link, it points to wordpress.org/extend/themes. So what am I missing? Does that link redirect to wordpress.com?

I definitely want to understand this, since I have several wp blogs and I'm not too keen on having them go down in hacker-induced flames. Sorry if my post comes off as grilling you, I just want to make sure I'm clear on what happened...especially since I was just at wordpress.org earlier today browsing the themes. So far, no sign of any infestation, but now I'm a bit panicked!

Thanks!
Cindy

[HeySal]

Cindy - if mouse over says .org then it was .org. I'm not going back in to check that fact. I tried both .com and .org without logging in later, but from those pages it looked like .com had the theme directory. SO if I am wrong on that one, so be it - but I am not wrong about being in the theme directory and part of the url my avast gave me was:
wordpress.com or net /????/install/ and at that point I was out of there so don't know the exact URL and didn't feel like sticking around to find out.

[Ken Strong]

Quote:

Originally Posted by MizzCindy

Now here's where my confusion comes in. I'm not understanding how you ended up at wordpress.com. When I mouse over the 'Get More Themes' link, it points to wordpress.org/extend/themes. So what am I missing? Does that link redirect to wordpress.com?

Here's what they have to say at the .com version about that:

Quote:

Something that has confused many people is the distinction between WordPress.org and WordPress.com. Let’s clear it up. WordPress.com is brought to you by some of the same folks who work on WordPress, the open source blogging software. In addition, WordPress.com utilizes the same WordPress software which you can download at WordPress.org. With WordPress.com the hosting and managing of the software is taken care of by the team here at Automattic. With WordPress.org you need to install the software on your own server or with a 3rd party provider.

So apparently two totally separate websites. So if one is infected, the other one isn't necessarily.

[MizzCindy]

Thanks, Sal!

So at that time were you actually attempting to download a theme or were you just browsing?

I was browsing themes earlier today but didnt' download any. I also didn't get to the wordpress themes gallery through my admin page. I went there just by typing the url into my browser.

It doesn't sound like you've had very much fun today! I'm sorry you've had deal with this.

Cindy

[MizzCindy]

Thanks, to you, too, Ken! That's what I was thinking. Good to know I'm on the right track.

So I wonder...if Sal saw a path that wasn't correct, could something hinky be going on with her computer or her site rather than the wordpress site?

Or perhaps it was the .org path and Sal just didn't have time to see it fully while trying to get the heck out of there! I know that would be my first priority, too!

Understanding where the infection came from is a pretty big deal, since that will have much to do with how high the risk is for everyone else and what behaviors we need to avoid.

I'll say it again, Sal, I'm sorry you're having to deal with this mess. Not the most fun way to spend a Friday night.

Cindy

[HeySal]

I had previewed 2, Cindy - but couldn't find what I wanted, so I had not attempted to install anything - but that's how these redirects work. You are right - when my Avast went off I cut the connection as fast as possible, but I truly thought that the theme menu was on .com. So that is wrong - people still know that they are at risk going in and browsing for themes at the least - for all I know the plugins and the Widgets have been hit, too. I'm sure not going to check them out for awhile.
I figured .org and .com were the same owners - so sent the support ticket to .org which actually accepts support tickets. The tech that is doing that site sent more info to them and probably much more acurate. Now we just have to hope that they know what they are doing at wordpress to get rid of it.

I'm out of here - if I haven't already said it, I don't know what else to add, there are people online that can probably explain this all with much more techinical intelligence than I possess - I just thought people better know that wordpress itself was infected.

[MizzCindy]

Sal, thanks for taking the time to put out a warning.

Cindy

[Nightengale]

Ok, I downloaded the free version of Avast (v. 4.8) and ran it while browsing my WP site. I'm not at all familiar with Avast so it took some clicking around before I figured it out.

I clicked on "Web Shield" in the Avast utility and then browsed my site. According to Avast, I have no infections. (Whew!)

Does this sound right? Did I do it right?

If so, how do I now protect myself from this virus. Like most people here, I've invested A LOT of time and money into my site. I DO NOT need the headaches. (Like anyone else does! :P)

"An ounce of prevention...." as they say. How do I now protect myself?

Thanks,
Michelle

[Peter Bestel]

WARNING!! (Now not needed because post deleted, thanks guys)

Until it is deleted, do not attempt to check website in above post by John_Cross

It links to pornographic site!!

Never click a link from someone with such few posts - there's more than one reason why new members can't post links.

Peter

[ebuyer123]

Hi,
Is it safe to use any WP site from now on?

What about Log in to WP site admin for making new posts?

[MizzCindy]

One thing I strongly suggest is to check out Craig Desorcy's ebook on securing your wordpress blog: Blog Lockdown (I think that's the name)!

It's easy to follow and straight-forward, but provides some very powerful information on what you need to do to greatly decrease many of the security threats out there.

Cindy

[zulfnore]

There seem to be a little bit of confusion here!
For clarification purposes and to what i understand of the virus and its effect is that it attacks anything running on PHP that has JS attached to it. It is not correct to single out WP as the culprit or the only affected software.

Most of the issues that are being report around WP are because of the environment it uses (i.e PHP and JS). to minimise the chances of being infected 1) Ask your hosting company to upgrade you to the latest version of PHP and 2) Deactivate all plug-ins that relay on JS to function till the security has been beefed up on your server.

As an added precaution: Only install themes from trusted vendors and if you can then try not to add new themes to your site untill the threat has subsided.

Once again the vulnerability is with PHP and JS not WP.

[HeySal]

With all due respect back at you -- I know where I was when I was alerted to the virus and I was in the themes on wordpress. That's just the way it is and I don't care who has never had a virus and who has, that's where I got the alert and when the problem started.

If you think this is a minor problem or limited to just a few hosts, go ahead and think it. I'm not going to argue with you. I am giving this warning based on the experience I had at the wordpress site - not on second hand information.

ALL I can say to your comments is that this is the first virus to ever hit my tech as well and I KNOW HIS credentials.......so good luck with this one.

[rosetrees]

Thanks for the warning Sal. I backed up all my WP databases last night. I just wonder if, perhaps, you think the problem could have been an attack via your ISP?

I ask because a couple of years ago I saw several computers infected with a worm that redirected to a p*** site. The common factor was the ISP.

[ExRat]

Hi Sal,

Quote:

the wordpress community is SO LARGE worldwide that if this were a huge problem (with a base of hundreds of millions of blogs installed on web hosts), it would be all over google and social media

jtpratt does have a point there.

Quote:

I know where I was when I was alerted to the virus and I was in the themes on wordpress

With respect, that doesn't really prove anything in relation to wordpress.com having a virus or not.

[ebuyer123]

Thanks for ALL those good advice and valuable information.

Now...how do I know if my WP or any other PHP based websites have been infected by this JS SOB malware?

Simply do a virus scan or what? (or spyware scan...which one??)

Regards,

[ECS Dave]

Hello Warriors,

As I stated in a previous reply (and as HeySal stated), this issue appeared to
occur when Sal was browsing themes, using the Add New Themes interface,
on a self-hosted, self-installed, wordpress blog. At the time she was browsing
the themes, the blog was 2.7, as provided by the fantastico utility.

Further investigation, by me, showed that the host got "hacked", "injected",
whatever you wish to term it, across multiple sites on "my" account. My host's
tech support team is still investigating this issue.

Now whether or not the "hack" did, or did not come from Sal's theme browsing
is certainly something that needs investigating as well. With the HUGE number
of themes that can be seen from "browsing", it's quite possible that one, or more
could be, or had/have been compromised.

I am not here to point fingers, make accusations, or the like. We are all human,
and are not perfect. The software is written by humans, the themes, etc...

The sub-humans that derive such joy from f'ing things up are there, doing
what they do, and we try to do our best to shield ourselves, and our sites
from them. Discoveries, such as Sal's, are what help us combat this scourge.

Be Well!
ECS Dave

[ECS Dave]

Quote:

Originally Posted by jtpratt

My word on this matter doesn't have to be believed, just start googling...the day that there are thousands+ relevant results for the keywords "wordpress js redirect virus" you will be right. I am betting my reputation that today, tomorrow, next week, next month, the rest of the year, and future forward there will NEVER be any results for this.

The day it's a widespread problem is the day you can find it easily all over the web, and not in just this forum thread.

If you don't limit the search with "quotes",
wordpress js redirect virus - Google Search
there are ~41,000 results on google...

If you think about this, when a new exploit is found, exactly how
many results are you going to find? How many updates to wordpress
have there been? Other php softwares? Other softwares? Hardwares?

Be Well!
ECS Dave

[ebuyer123]

Quote:

Originally Posted by jtpratt

You cannot virus or spyware scan wordpress on your host or php pages, etc. If your site was hacked it will show signs of it, odd content, redirection of pages, spam comments, or it will just go down.

Thanks for the information, JTPratt.

So it is my hosting company has to take care of the problem when my WP sites are infected or hacked?

[ECS Dave]

Quote:

Originally Posted by jtpratt

You cannot virus or spyware scan wordpress on your host or php pages, etc. If your site was hacked it will show signs of it, odd content, redirection of pages, spam comments, or it will just go down.

If your Windows based computer was infected from browsing or installing a rogue theme your antivirus should go off and alert you.

Just a thought...

You might want to rephrase...

Quote:

If your site was hacked it MAY show signs of it, odd content, redirection of pages, spam comments, or it will just go down.

From my reading/research, a good many exploits, script injections, what-have-you,
also work quite silently in the background, doing their damage...

Quote:

If your Windows based computer was infected from browsing or installing a rogue theme your antivirus should go off and alert you.

There's also a great many not-so-tech-savvy computer owners/users who
have a FALSE sense of security, running an old or outdated virus protection utility,
or one that has not been updated with the latest "definitions".
And, not all VDU's are created equal...

Be Well!
ECS Dave

[ECS Dave]

Quote:

Originally Posted by ebuyer123

Thanks for the information, JTPratt.

So it is my hosting company has to take care of the problem when my WP sites are infected or hacked?

Or you can go through how ever many files you have, and delete the code by hand... Not a fun task...

Be Well!
ECS Dave

[stevenh512]

Quote:

Originally Posted by ECS Dave

At the time she was browsing the themes, the blog was 2.7, as provided by the fantastico utility.

In my experience (not just with Wordpress, this goes for any script) installing the latest version by hand is almost always a better option than using Fantastico. Once you get the hang of it, you can install a script by hand almost as fast as Fantastico can (or I can anyway, especially on hosts like HostGator where you don't have to fool with permissions). If you look at the changelogs and fixed tickets for the 2.7.1 and 2.8 release you'll see quite a few security problems that were fixed in that time along with all the "eye candy" and API improvements they've given us.

Quote:

Now whether or not the "hack" did, or did not come from Sal's theme browsing is certainly something that needs investigating as well. With the HUGE number of themes that can be seen from "browsing", it's quite possible that one, or more could be, or had/have been compromised.

I'm not sure that simply browsing themes would open you up to a vulnerability like this (installing a theme, on the other hand, could). I'm curious, were there older versions of any other scripts that have recently had widely exploited code injection vulerabilities? For example, SMF up to and including version 1.8 was being hacked like crazy and the hacker usually planted a "php virus" that would infect a whole hosting account like this with javascript iframes and redirects. There was a similar exploit in a few gallery scripts recently, and I've heard of people being hacked through PHPBB but in that case I'm not sure if the exploit (or the usual result) is the same.

edit: to clarify above and add this..

Speaking of HostGator, some of their PHP settings are "bad" out of the box. PHP register_globals is on (opens up quite a few scripts to code injection, SQL injection, cross-site scripting and other exploits), magic_quotes_gpc is off (opens up SQL injection exploits in scripts that don't properly "sanitize" form input.. I know of two widely-used IM scripts that have this problem). Personaly I don't like allow_url_fopen (I'd rather use curl for that lol) but a lot of PayPal IPN scripts use it so I went ahead and left that one on. You can get to these settings (on HostGator anyway) by scrolling down to "Software / Services" in your cpanel and clicking "php.ini QuickConfig".

[ebuyer123]

Thanks for all the critical advices and vital info, mates.

By the way where to get a legitimate wordpress exploit checker? What this tool can do is to find 777 file permission, or anything else?

Regards,

[HeySal]

DAVE --- UH...I was searching AFTER you already updated the script.

Here's more information about these infections for those of you who are worried and those of you who feel you know too much to be concerned about this crap. Most of what I am googling is still individual users asking for help when they are hit with this - being that the search turned up results in the millions, this might not be as negligible as some would like you to believe. Anyway - some interesting links below.

If you think you can't get it - remember this - you might be safe from drive by sites - but it was delivered to MY main site by a live hacker who signed on as a member. It wasn't just a drive by bot locating us.

From what I have read, these redirects have been around for awhile .......but they are now more virulient because they are now using encryption.

I'm not going to apologize for my report that I got this from wordpress itself. Who knows if some of their themes are infected when they accept them - who knows what else might have happened or what hacker might find their way in.
I was browsing their themes and the address of the damned virus was www.wordpress..../install/
For my money that means ON their site and they have gotten 2 reports about it now so let them sort it out. I have reported this event just as it happened to me. Let THEM tell me I didn't get it there. I haven't heard that yet. I am sure waiting to.



a bit of an explanation
Virus Bulletin : News - Hundreds of legitimate websites being hacked into

Quote:

In fact, there are actually hundreds of compromised domains across the internet which we’ve seen over the last few days that have been infected. It seems some obfuscated javascript is being injected into these sites, which attempts to redirect the user to another domain hosting a malicious payload.

From Sophos - Anti-virus, anti-spam and encryption software for businesses blogs Uncategorized | SophosLabs blog
There are a few articles on that page about the redirect viruses.

Seems wikipedia was hit, too. I wonder how many posts he will make before
he can say wiki is clean?
The Wikipedia Review > Sorry about that

USAToday.com hit with redirect: Does this qualify as "not in the news?" lol.
USAToday.com says:
May 21, 2009 at 2:38 pm

USATODAY.com was notified about a potential problem with one of our advertisements. We investigated the situation and disabled the ad at 1:25 PM EST on May 7, 2009. It appears that advertisements, which ran between 9-10 AM EST on May 7, 2009, may have contained malicious advertising (“malware”). Upon learning of the unwanted activity on USATODAY.com, we promptly took down the advertisements and will continue our investigation as to the source of the problem. We apologize for any inconvenience the situation may have caused. You may wish to update your anti-virus software to help protect against and block malware and other viruses. - The USATODAY.com Team


Wow - this has been around longer than I thought. No wonder it is becoming so
prevalent.
'Link hack' redirects MySpace visitors to phishing site > Web > Vulnerabilities & Exploits > News > SC Magazine Australia/NZ

Here's a quote from the Vermont Information Security website that has a 6 figure infection report on it -- as early as last year.
Nope - nothing to see here folks....move along.

Quote:

In April 2008 Panda Labs, a computer security and anti-virus publisher, announced that more than 280,000 web sites had been altered to redirect computers to malicious websites which would attack them in a variety of different ways. The SANS Institute, a computer security research and training organization, recently declared browser attacks to be “Top Cyber Security Menace” for 2008.

ISn't this all just a lot of fun?

And don't count on your hosts to be helpful. I am using HostExcellence which has won awards for its hosting. When I contacted them about this I got a very unexpected "Your problem not ours" answer from them. My tech actually had to contact them to tell them to pull a few of THEIR files off our account. They didn't put fresh ones back on. I suppose they want us to TELL them to do so. Instead I am getting ready to move to a more security minded and savvy server. Screw that attitude.

[Peter Bestel]

Quote:

Originally Posted by ebuyer123

Thanks for all the critical advices and vital info, mates.

By the way where to get a legitimate wordpress exploit checker? What this tool can do is to find 777 file permission, or anything else?

Regards,

There are two tools you'd be advised having on all your WP blogs.

Exploit Scanner and WP Security Scan

You can download the Exploit Scanner from Wordpress at WordPress › WordPress Exploit Scanner WordPress Plugins

or direct from the author:

WordPress Exploit Scanner

This will point out any suspect coding within your files and dodgy plugins and themes.

The WP Security Scan will assess and recommend changes to file permissions, database security, passwords etc. You can download that from WordPress › WP Security Scan WordPress Plugins

Hope that helps.

I appear to have had the same trouble with my blogs as HeySal, more than likely originating from my compromised PC subsequently attacking my server. Personally, I've not witnessed any malicious activity direct from the Wordpress sites. Yes, while I was cleaning everything up I got an Avast warning whilst within my dashboard but this was caused by 'hacked' files within my own WP installation.

Peter

[HeySal]

Peter - actually I think it was an infected theme they have listed rather than the whole site - but you have personally experienced how the thing spreads. Let me reiterate - this isn't a WP thing - it's a PHP thing. Just so much WP and so many rss feeds attached that these are getting more attention.

Dump off your ftp until you are clean and install a new one - it uses the FTP as one means to get in and out once it's there as far as Fin saw. As I also said earlier - the worm builds holes before it dumps codes. Shuts down abilities to find it, too. Some of it's encrypted. It's getting real quick, too. It's gotten worse just since my main site was hacked. The one that you get on your own pc will actually knock out your ability to find websites that have scripts to kill it. Misspelling the file just slightly will help in a websearch to kill it.

This thing is just invasive and evil.

[Peter Bestel]

Sal,

I'm reasonably confident that my PC is now clean as I was able to download all necessary fixing progs via another clean PC.

I've already dumped my FTP prog (Filezilla) and I've switched to Secure FTP using WinSCP. Every login for every site has been changed, every name and every password for my databases have been changed. It's all been done using Roboform to avoid keylogging and I will go through the same process on a monthly basis.


Peter

[HeySal]

Oh for Christ sakes, Pratt - My MAIN site was hacked --- this one is a different site that was just in the process of being built - not even active yet......please read what I said before you get all irate at me.

I HAVE contacted wordpress themselves (thought I already said that, too) and I am WAITING for a response -- from them.
I will report back on what wordpress themselves has to say about it when they answer my report to them. If you have a problem with that, too - then you have a problem with it. But THEY are the ones who are going to tell me different. Not anyone else. This is ridiculous.

As far as anyone else having problems -- if they don't have the right anti-virus, they'll never even know they have it, let alone where they picked it up.

Linux/Max - don't know if they can or can't be ---- but now you are talking about personal computers -- and in here we are talking WEBSITES. Both get hit, though.

I have already STATED I am NOT a tech - I reported here what happened, and what I was doing at the time-- if I turn out to be wrong, that is a good thing, but I sure wanted to save anyone else the problem because it is HELL to fix it.

IF YOU are impervious, then you are in a terrific position. Right now I am getting ready to move my main site to another server who has 24/7 monitoring and I am hoping that will be it for that site.
I am also greatly considering getting off MS and going to Linux and just putting up with what I assume will be a learning curb that will slow down my production right when I need the speed.

I breezed some links so you could see what is going on since you seem to think there isn't much problem with this virus. USAToday - was a redirect. I forgot to post the link. I also thought the wiki report was talking about WIKI itself, not just his site. I was just trying to deliver more info and was in too much of a hurry to do it well.

Now I don't really have time to argue with you. I posted what happened in hopes of saving someone else from this thing. When wordpress answers either Dave or my contact, I will let people know what THEY say. As for now, Dave's host and he are working on his account to clean it off - it's being a pain for them - just as Peter found it to be on his. Until WORDPRESS explains to me that the fact that I was working on an unpublished site inside of an admin interface with their site yet didn't get the virus on their site -- I am going to believe my Avast and it told me that page was infected-- No matter whos names or what links we can pass back and forth or whatever questions can be examined.

I don't have any more time for this. Will post whatever Wordpress has to say about it when either Dave or I hear back from them.

[ECS Dave]

Another update here, from your friendly,
and right neighborly, ECS Dave!

Just got another update from the folks over to the hosting company,
where this appears to have all started...

From what I can tell, it was NOT Sal's browsing of the wordpress themes...
In fact, it had little or nothing to do with wordpress at all...

It appears that this ATTACK happened at approximately the same time
that Sal was browsing the themes, and understandably became concerned
that it may have been related...

The support guys tell me that a server "neighbor" had a script installed
on their account that had some "vulnerabilities", and as of my latest
communication with support, that account has been disabled.

I was also told, that it was NOT anything on my accounts, that was
the culprit. In fact I was informed that it was quite widespread on
the "shared" server, and that the technical support staff had engaged
a security expert to track down the errant script, and that this same
staff were working feverishly to clean the machine of all traces of the
ATTACK.

More details, as I get them...

Be Well!
ECS Dave

P.S. Here's the reply I received, when I asked if it was something on, or within "my" account...
No - it wasn't you. You were affected unfortunately.
The neighbor account was deleted. We'll let you know more as we know more.

[ECS Dave]

One more thing, in the interest of easing folks' minds about
wordpress, and the security therein:

Hardening WordPress WordPress Codex

There you have it... (and that post is a very good read, for FREE!)

Be Well!
ECS Dave