Post #101, 06-13-2009, 09:32 PM, by ECS Dave
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS ON IT

One more thing, in the interest of easing folks' minds about
wordpress, and the security therein:

Hardening WordPress (WordPress Codex)

There you have it... (and that post is a very good read, for FREE!)

Be Well!
ECS Dave

Post #102, 06-14-2009, 12:57 AM, by HeySal
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

So the fact that I was cruising Wordpress when my alarm went off was a coincidence and not a wordpress file.

That is actually good to know - even if I have to admit I was wrong --
Now I have a very good question to ask that maybe a security expert can answer.
Why was the URL of the virus www.wordpress...../install/ if it was actually something on another website? I don't understand this at all.

Does this thing mimic any URL that you are on at the time when it hits and that is why it's so hard to tell the source? Or did my Avast think that it was that page because that is where I was browsing when the site was hit?

Anyone know? Even if this wasn't on Wordpress itself - there is still one hell of a mean and versatile virus out there and it'd be nice to know what's going on with it.

I think I'll go to Avast and see what they have to say. Maybe someone there knows.

Post #103, 06-14-2009, 01:11 AM, by GarrieWilson
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

It wasn't the other site unless Avast checks by IP too.

She did what?
Post #104, 06-14-2009, 01:15 AM, by Jeremy Kelsall
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

You very well could have just stumbled onto a site that was infected or even stuffing cookies...I know my avast goes nuts whenever I go to a site that is cookie stuffing

Also, when I am doing some automated blog commenting I get some alerts from avast too when doing the commenting strictly on wordpress blogs...

Post #105, 06-14-2009, 03:30 AM, by rosetrees
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Amid all the mud slinging here, my previous post was ignored. Looks like I wasn't so far wrong.

(My computer was attacked by something a few weeks ago when I was on the website of a local boarding school. I don't blame the site, and returning to it on another computer produced nothing. Just coincidence.

As you probably realise, I don't have the technical knowledge of many on here. I just assume that some of these attacks happen via a server somewhere - either the ISP or another link in the chain.)

Post #106, 06-14-2009, 03:51 AM, by Michael D Price
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Seriously, how much time are you going to waste arguing about this??

You could be right, but at the same time, you COULD be WRONG.

Who cares.

For someone who has had their site compromised, shouldn't you be spending the time to get your stuff straightened out, and prevent it from happening again, instead of trying to prove yourself right?

Post #107, 06-14-2009, 06:51 AM, by ebuyer123
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS ON IT

Quote:
Originally Posted by Peter Bestel
There are two tools you'd be advised having on all your WP blogs.

Exploit Scanner and WP Security Scan

You can download the Exploit Scanner from Wordpress at WordPress › WordPress Exploit Scanner WordPress Plugins

or direct from the author:

WordPress Exploit Scanner

This will point out any suspect coding within your files and dodgy plugins and themes.

The WP Security Scan will assess and recommend changes to file permissions, database security, passwords etc. You can download that from WordPress › WP Security Scan WordPress Plugins

Peter

Many thanks, Peter.

This wp virus stuff is both troublesome and time consuming especially for non-IT folks.

Regards,

Post #108, 06-14-2009, 11:18 AM, by HeySal
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by rosetrees
Amid all the mud slinging here, my previous post was ignored. Looks like I wasn't so far wrong.

(My computer was attacked by something a few weeks ago when I was on the website of a local boarding school. I don't blame the site, and returning to it on another computer produced nothing. Just coincidence.

As you probably realise, I don't have the technical knowledge of many on here. I just assume that some of these attacks happen via a server somewhere - either the ISP or another link in the chain.)

Yes - a coincidence - but an unsettling one at the very least. I have heard others talk about false positives - but this is really a whole new thing - not only did the alarm go off - the URL was related to the site I was on -- AND - I WAS hit by a virus so I actually wasn't being warned falsely. Had the Virus URL not been a wordpress look-alike I wouldn't have been so positive that it came from there.


Michael - The problem HAS been fixed on the server, by a very diligent Host Admin. Dave chose a responsible host. I wish I had done the same when I put up my main website - they just told me it's my problem.

I don't think this is a waste of time - this is one nasty virus and its stealth is staggering. It appears that the codes that are used are encrypted. There are many questions about how it is getting in. This incident was a "neighboring site on the host", on my main site it was a hacker that signed for membership - a live person. With the escalation of the infection I think it's important that we find out just what is going on. Updates etc. are good things, but from what I have seen in research, it isn't foolproof.
Also - what are the different hosts doing about it? I sure don't want to get stuck on a server that won't help fix such a virulent problem. Anything we can figure out here that helps prevent the spread or saves our sites is a good thing.

Post #109, 06-14-2009, 01:41 PM, by Ut
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

I just wanted to say thanks much to Sal & everyone who contributed to this thread.

Quote:
Originally Posted by HeySal
I don't think this is a waste of time

No, it's not. Everything happens for a reason and we learn from every situation we are placed in. Nothing wasted.

Thanks again everyone!
Post #110, 06-14-2009, 05:47 PM, by stevenh512
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by HeySal
Why was the URL of the virus www.wordpress...../install/ if it was actually something on another website? I don't understand this at all.

Does this thing mimic any URL that you are on at the time when it hits and that is why it's so hard to tell the source? Or did my Avast think that it was that page because that is where I was browsing when the site was hit?

I've been using Avast for a long time, and while I think it's the best of the "free" virus scanners, it's always had a problem with "false positives" (I have quite a few files on my hard drive that show as virus/trojan when I know for a fact they're clean and have the source code to prove it). In this case it doesn't seem like it's a "false positive" since ECS Dave has confirmed that the server was compromised, just that it gave you the wrong URL. The only reason I can think of for that, is maybe the wordpress.com url was the last request your browser sent out before Avast detected the virus. In that case, I can see how it might report that as the offending URL even if it really wasn't.

edit: This kind of thing, being a simple PHP "worm" and not a rootkit or anything like that, should never be able to spread from one hosting account to another on a server like that unless there was some kind of permissions problem (maybe it found something with 777 permissions and spread that way?). I'd recommend hosting on a server that uses PHPSuExec or SUPHP so you have no reason to ever leave any file permissions wide open like that. Now that I've been with HostGator for a couple months I couldn't imagine hosting with anyone that allowed or required 777 permissions.. lol

This signature intentionally left blank.
stevenh512 is offline  
Post #111, 06-15-2009, 03:42 AM, by ebuyer123
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by stevenh512
I'd recommend hosting on a server that uses PHPSuExec or SUPHP so you have no reason to ever leave any file permissions wide open like that....I couldn't imagine hosting with anyone that allowed or required 777 permissions.. lol

Hi, Steven

Can you cut a long story short and just give us a LIST of these secure hosting companies that are affordable and reliable for WP users in particular?

Or you may want to put up a WSO for selling such a list.

Thanks?

Post #112, 06-15-2009, 06:40 AM, by ebuyer123
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS ON IT

Quote:
Originally Posted by Peter Bestel
There are two tools you'd be advised having on all your WP blogs.

Exploit Scanner and WP Security Scan

WordPress › WordPress Exploit Scanner WordPress Plugins

This will point out any suspect coding within your files and dodgy plugins and themes.

The WP Security Scan will assess and recommend changes to file permissions, database security, passwords etc. WordPress › WP Security Scan WordPress Plugins

Hi,
Now I already have these two big boys installed on my wp site, but how am I going to use them? I mean, how do I start a scan?

Does that mean if I have 10 wp sites, then I have to do 10 separate installations for all my sites?

Thanks.

Post #113, 06-15-2009, 06:58 AM, by Peter Bestel
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS ON IT

Quote:
Originally Posted by ebuyer123
Hi,
Now I already have these two big boys installed on my wp site, but how am I going to use them? I mean, how do I start a scan?

Does that mean if I have 10 wp sites, then I have to do 10 separate installations for all my sites?

Thanks.

As far as I know, yes, you have to perform the scans on each and every blog.

Running them is easy. After install, go to your WP dashboard. Expand the Dashboard menu and you'll notice "Exploit Scanner". Click this and then select 'Search Files and Database'. I can't help you with the results as I'm no expert, best to Google any results you're not sure of.

With The Security Scanner you should have an extra menu at the bottom of your WP Dashboard home menu labelled 'Security'. Click this to see its suggestions.

Once again, I'm no expert in how to interpret the results, but if you purchase Craig Desorcy's product, Blog Lock Down, he goes into detail - well worth the investment

Peter

Post #114, 06-15-2009, 07:04 AM, by stevenh512
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

I don't exactly have a "list" but I know kiosk.ws (the host Mike Filsaime recommends and uses) and HostGator both run PHP under a suexec environment (PHPSuExec or SUPHP) so the script actually runs as "you" and not as "apache" or "nobody" (or whatever apache's account name is on that particular server). In that environment, there's no need for 777 permissions, your scripts (Wordpress or whatever else) will be able to write to their files when they need to and nobody on any other account will have write access.. so short of a rootkit it would be impossible for this kind of worm to spread from one account to another on the same server. Of course the drawback is if your own account gets hit it'll spread through your account like wildfire, but at least you only have to worry about the security of the scripts on your own account and not everyone else's.

So, my "short list" would be Kiosk and HostGator, I'm sure there are plenty of others. Before buying hosting I'd contact their support and ask them about it. Aside from learning whether or not their server supports running PHP scripts in a suexec environment, you'll also get a good idea of how their support people respond to questions (which is really good to know if you ever need them lol).

This signature intentionally left blank.
stevenh512 is offline  
Post #115, 06-16-2009, 07:37 PM, by Peggy Baron
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

I had a weird thing happen today to one of my WP blogs. Well, maybe it wasn't today but I noticed it today.

Under the settings, membership was changed to yes "to anyone can register" and yes to "users must be logged in and registered to comment".

Also, the new user default mode was changed to "subscriber" rather than "administrator" as it should be. That meant anyone who registered could access my dashboard.

I just installed Peter's recommendations and will check everything. I would guess it's been hacked though.

Will changing the permissions from 777 screw anything up?

Thanks,
Peggy

Post #116, 06-16-2009, 07:49 PM, by lakeview
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Peggy,

I have all folders at 755 and files at 644 and WP works fine. I'm no expert by any means, but I don't think you should have any folders at 777 so I would change that immediately. I also recommend Peter's suggestion with running the exploit scanner.

Angela
lakeview is offline  
Post #117, 06-16-2009, 07:54 PM, by MizzCindy
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by Peggy Baron
...Also, the new user default mode was changed to "subscriber" rather than "administrator" as it should be. That meant anyone who registered could access my dashboard...

Wait, I think you want your new users to only be 'subscribers'. That's the lowest level of permissions provided in the codex. You definitely do not want them to be 'administrators'. Or am I misunderstanding?

Roles and Capabilities WordPress Codex

Cindy

aka Cindy Hohe
MizzCindy is offline  
Post #118, 06-16-2009, 08:44 PM, by Wade Watson
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

The proliferation of javascript and the other client side scripting used by web pages has really become one of the great absurdities/plagues of an otherwise great medium. The Internet will never become a stable form of communication until this stuff is dealt with-- but I'm not sure how. I'm constantly dismayed to see javascript used where server side scripting would have worked. But as long as there are lazy programmers, gullible clients and virus purveyors there will be problems like this.
Wade Watson is offline  
Post #119, 06-16-2009, 08:59 PM, by HeySal
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by Peggy Baron

Will changing the permissions from 777 screw anything up?

Thanks,
Peggy

Peggy, I'm not a tech - but I know that you should NEVER have permissions set at 777 - post your blog url and I'll see if it sets my avast off to view it.

Post #120, 06-16-2009, 09:10 PM, by ECS Dave
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

The hosting provider that I have the account on has in place
something that limits the permissions to 755, but I am told that
if 777 is needed the machine "knows" to allow the calling script
to that level of access...

From the support team:
Quote:
- Late last year, we added suPHP – a much more secure PHP
foundation software that does not allow 777 permissions on any
file or folder.

It does allow you to set permissions at 755 and they will act as
777, but more securely. If that didn’t make sense, don’t worry
about it. Just know it’s important to protect your accounts from
hacks.

- Server-level security at our data center can’t get much
stronger without causing your scripts to no longer function. Our
data center is successfully repelling 1000s of attacks each day.

- The next step is to turn on Secure FTP. That’s a pretty big
change. And it may mean that you need to get an FTP program or
service that allows SFTP to access your accounts. (Think of it as
having an extra strong door between you and your servers.)

As previously mentioned:
Quote:
Originally Posted by stevenh512
This kind of thing, being a simple PHP "worm" and not a rootkit or anything like that, should never be able to spread from one hosting account to another on a server like that unless there was some kind of permissions problem (maybe it found something with 777 permissions and spread that way?). I'd recommend hosting on a server that uses PHPSuExec or SUPHP so you have no reason to ever leave any file permissions wide open like that. Now that I've been with HostGator for a couple months I couldn't imagine hosting with anyone that allowed or required 777 permissions.. lol

Before buying hosting I'd contact their support and ask them about it. Aside from learning whether or not their server supports running PHP scripts in a suexec environment, you'll also get a good idea of how their support people respond to questions (which is really good to know if you ever need them lol).

Asking "pre-sales" questions is an excellent idea, do NOT just rely on the "sales page" of the host...

Be Well!
ECS Dave

Post #121, 06-16-2009, 09:17 PM, by ThomM
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by Peggy Baron
I had a weird thing happen today to one of my WP blogs. Well, maybe it wasn't today but I noticed it today.

Under the settings, membership was changed to yes "to anyone can register" and yes to "users must be logged in and registered to comment".

Also, the new user default mode was changed to "subscriber" rather than "administrator" as it should be. That meant anyone who registered could access my dashboard.

I just installed Peter's recommendations and will check everything. I would guess it's been hacked though.

Will changing the permissions from 777 screw anything up?

Thanks,
Peggy

Peg, 2 things.
First, the default user mode should be subscriber like Cindy said.
As a subscriber about all they can do is comment; they can't get into the admin area.
Second, change your folder permissions to 755. 777 is so scripts can write to the folder. Also if you have any files with the permissions set to 666 change them to 644 for the same reason. Depending on your hosting, you may need to change your theme files' permissions to 666 to edit the theme files in WP. If you do, change them back to 644.
Third, those membership settings aren't bad really. All it means is if someone wants to comment on a post they must be a registered user. I don't think a lot of spammers will take the time to register especially when you can simply delete them.
OK three things

I got nothing.
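The permission advice in the posts above (755 for folders, 644 for files, nothing left at 777 or 666) can be checked and applied from a shell. The script below is an added example, not part of the thread; it assumes shell access and a host where PHP runs as the account owner (suPHP/suexec), and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a WordPress tree for
# world-writable entries and applies the modes the posters recommend:
# 755 for directories, 644 for files.
# Assumption: PHP runs as the account owner (suPHP / suexec style hosting),
# so scripts never need 777 or 666 to write their own files.

# Print every file or directory with the "other write" bit set (777, 666, ...).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Symbolic mode string of one path, e.g. "-rw-r--r--" (any ACL marker cut off).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Directories to 755, regular files to 644. Symlinks are left alone:
# find does not follow them and -type f / -type d do not match them.
tighten_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree standing in for a blog that was set up with
# 777 / 666 "so scripts can write". Prints the path of the new tree.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/sample"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    : > "$root/wp-content/themes/sample/style.css"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/themes" \
              "$root/wp-content/themes/sample"
    chmod 777 "$root/wp-content/uploads"
    chmod 644 "$root/index.php"
    chmod 666 "$root/wp-config.php" "$root/wp-content/themes/sample/style.css"
    printf '%s\n' "$root"
}

# Demo on the constructed tree only: report, tighten, report again.
demo() {
    tree=$(build_sample_tree) || return 1
    echo "before: $(count_world_writable "$tree") world-writable entries"
    list_world_writable "$tree" | while IFS= read -r p; do
        printf '  %s  %s\n' "$(mode_of "$p")" "${p#"$tree"/}"
    done
    tighten_permissions "$tree"
    echo "after:  $(count_world_writable "$tree") world-writable entries"
    rm -rf "$tree"
}

demo
```

On a real site, run `list_world_writable` against the document root first and read the report before calling `tighten_permissions` on it.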
Post #122, 06-16-2009, 09:28 PM, by jlxsolutions
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Well, after reading this I thought I might as well end the worries if anyone is wondering if their sites are insecure.
Send me a private message with the site address.
And I'll do a security scan on it and give you a list if anything needs to be fixed.
And yes, free; it won't occupy my time much anyways.
I'm new here and might as well provide something positive for the community.
Sincerely, jan lukkarinen, owner of jlxsolutions


p.s lol that sounded official
jlxsolutions is offline  
Post #123, 06-16-2009, 09:53 PM, by Bamma
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS ON IT

Quote:
Originally Posted by HeySal
That's right Mark - this time I am talking about the wordpress site itself. I was browsing the themes available when I was hit.

On my other site - the WP was on my site's server - but it was actually the phpbb forum that they came in through.

Once more - if you have php scripts running, you are vulnerable. Anything with 777 permissions is vulnerable. I don't think it matters what system you are on and I think that some hosts are safer than others but not sure that any are completely safe. I'm not sure at this point if anything will ever be completely safe again.

I think I'm seeing that AVG is also able to detect the virus. Still probably have to remove it by hand, it really knows how to protect itself.

Whoever said their static scripts got hit too - that is just too scary to think about.

Wrong, just plain wrong. I can prove it and have. I can give ANY one a folder url that has 777 permissions and will place a php page there for them and they can do nothing with it. NOTHING.

This scaremongering needs to stop

This happens when someone visits an iframe exploited system and gets the pc trojaned,
Then they end up with a keylogger installed that passes off the ftp info.
It could be you or someone that has the ftp information on their computer.

The talk about 777 being the unsafe chmod is wrong also as 755 will suffice on popular hosts like hostgator etc.

That being said one small iframe exploit was done with the phpBB installs.

90% of what is happening today is due to trojaned computers passing off the ftp information.

You are busy redoing the pages and not changing the ftp access and the little bots are running wild and uploading new edits to the files.


I have spent hours and days with other hosts discussing this and in every case of widespread exploiting it has ended up the user's fault.

Sure, a shell script can be uploaded and maybe other accounts are exploited, but in this most recent round it is due to ftp access being gained via trojans.

Have cleaned this up and watched the ftp logins on a client's site, and it ended up his computer was trojaned. It was almost amusing to watch 3 different ips log in at almost the same time and start downloading and uploading the index.php.

PS

Want to really nip it in the bud? Set all index.php and index.html main.php main.htm and config.php to 0444 chmod.

Even if they have the ftp information the bots are too stupid to realize it isn't overwriting the files anymore.
Bamma is offline  
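The pattern described in the post above, several source IPs uploading the same index.php over FTP at almost the same time, can be looked for in the server's transfer log. This is an added example, not part of the thread; it assumes the log is in xferlog format, and the log lines, account name, paths and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Flags files that were uploaded over
# FTP from several different source hosts on the same day for one account.
# Assumption: transfer logs are in xferlog format, whose whitespace-separated
# fields are: weekday month day time year, transfer-time, remote-host, size,
# filename, type, action-flag, direction (i = upload, o = download),
# access-mode, username, service, auth-method, auth-user-id,
# completion-status (c = complete).

# $1 = log file, $2 = minimum number of distinct source hosts (default 2).
# Prints "year-month-day username path host-count", sorted.
suspicious_uploads() {
    awk -v min="${2:-2}" '
        NF >= 18 && $12 == "i" && $18 == "c" {
            key = $5 "-" $2 "-" $3 " " $14 " " $9
            if (!((key, $7) in seen)) {   # count each source host once
                seen[key, $7] = 1
                hosts[key]++
            }
        }
        END {
            for (k in hosts)
                if (hosts[k] >= min)
                    print k, hosts[k]
        }
    ' "$1" | sort
}

# Constructed sample log: three hosts fetch and re-upload index.php within
# seconds, plus one ordinary theme upload from a single host later that day.
sample_xferlog() {
    cat <<'EOF'
Tue Jun 16 03:12:01 2009 1 192.0.2.10 4096 /home/client/public_html/index.php b _ o r client ftp 0 * c
Tue Jun 16 03:12:02 2009 1 198.51.100.23 4096 /home/client/public_html/index.php b _ o r client ftp 0 * c
Tue Jun 16 03:12:03 2009 1 192.0.2.10 4310 /home/client/public_html/index.php b _ i r client ftp 0 * c
Tue Jun 16 03:12:03 2009 1 198.51.100.23 4310 /home/client/public_html/index.php b _ i r client ftp 0 * c
Tue Jun 16 03:12:04 2009 1 203.0.113.77 4310 /home/client/public_html/index.php b _ i r client ftp 0 * c
Tue Jun 16 09:40:15 2009 2 192.0.2.200 18220 /home/client/public_html/wp-content/themes/sample/style.css a _ i r client ftp 0 * c
EOF
}

# Demo on the constructed log: report files uploaded from 3 or more hosts.
demo() {
    log=$(mktemp) || return 1
    sample_xferlog > "$log"
    suspicious_uploads "$log" 3
    rm -f "$log"
}

demo
```

A hit here points at stolen FTP credentials rather than a file-permission problem, which is why the post stresses changing the FTP access before re-cleaning the pages.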
Post #124, 06-17-2009, 02:28 AM, by ebuyer123
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by kanus
I'm still not clear on exactly how it affected you? It wiped out PHP on your server?

It will redirect or send you to another webpage.

Example: when you click on yahoo.com and you end up at CheapHottBabe4uuTonight.com

Post #125, 06-17-2009, 03:17 AM, by Peter Bestel
Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

A sad post script to this story

I've got a friend who asked me to tell him about IM a few months ago and he was tentatively dipping his toe into having a web presence. We set him up with a blog, he joined WF and was enjoying Twitter. We were working on getting him a static site too to hopefully become his main source of income. He's got an offline business which could easily transfer to being online.

His PC and blog got attacked by this virus/trojan and he's been battling with it for about 3 weeks. Because he didn't have the skills to act quickly enough his blog address is now flagged up as an attack site by Google and even his Twitter account has been suspended for suspicious activity. (Presumably because of the link to his blog in his profile)

He spoke to me yesterday and has decided that, if this is what it's going to be like being an Internet Marketer he doesn't want the hassle. He's decided to cut his losses and forget all about making money online.

Before you go judging him, imagine for a moment you were learning to drive. Nervous about the whole experience you approach your first junction. You gingerly ease out and WHAM! You're hit by a juggernaut. You survive, but you're obviously shaken. You decide to repair everything and venture out once more, only to be hit again - by the same juggernaut.

When this happens more than three times you could forgive them for not wanting to drive again. His experience has only been negative.

Peter

Peter Bestel is offline  
Old 06-17-2009, 07:15 AM   #126
Politically Incorrect
 
HeySal's Avatar
 
Join Date: Nov 2004
Location: , , USA.
Posts: 3,053
Thanks: 250
Thanked 413 Times in 314 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by kanus
I'm still not clear on exactly how it affected you? It wiped out PHP on your server?

When my main site was attacked months back it was attacked via a member who was a hacker. There was a lot more going on with that than just having the virus loaded on there, so yeah, everything php is disabled and host files were yanked. We aren't using mysql at all and php is just toast. The virus was just the icing on the cake. The hacker was a nightmare, but that virus just got into everything and anything that wasn't html once it was let loose in there. Each page that was on a php program was infected. My tech could have fixed it in time, but he's no longer online.
It was over 1000 pages so it is just easier to start over from scratch.

The instance I just reported - was a normal instance of the virus and just hit us, coincidentally, when I was browsing the WP themes for a new blog, and avast showed a URL for the virus that said http://wordpress..../install/..... so I thought it CAME FROM the wp site. Dave's host told him that it came from a different site on that server and they were able to clean it all up. But it was caught right at the instant it hit my site and wasn't able to get far at all. We were on it too quick for it to do much but land.

I don't know what it will do if not detected quick (if you don't have a hacker in your site). It's a worm. I know that the one that hits personal computers eventually delivers a root kit if it's not dealt with quickly, but not sure if the one that hits websites is the same one.
I also know that a lot of anti-virus programs fail to detect it and that it also knows how to protect itself from detection - and that it can be a real bear to completely get rid of. Sites like Major Geeks are probably better places to go for info about it than I can give you.

When I said that it attacks 777 permission programs -- I meant it will infect programs that have the capability of 777 permissions. I'm not sure which of the actual permissions that you can set those programs to are safe and which aren't or if any are completely safe - I just know it's those programs which can be infected. I have always been told - in fact I think it was even said in this thread, that you shouldn't have permissions set at 777. So all I was saying - is that if you are infected, the programs that have those types of permissions at all are the ones you want to check for infection first, I wasn't saying anything about the particular settings. People seem to think this is just a WP virus, and it's not - it gets forums, etc, too.

I hope that clears up some confusion.

Get A LIFE - AT RHS1.com
In Memory of MUNCHIE Dog gone Awesome pet niche PLR --->>>WSO<-->> Quality WF ONLY -UNIQUE CONTENT w/all rights - WSO

HeySal is offline  
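
An added example, not part of HeySal's post or anyone's code in this thread: a Python sketch of the "check the 777-capable programs first" triage described above. It lists web files that are world-writable, or that sit in a world-writable directory, with the most recently modified first; the extension list, the newest-first ordering and the function name `triage` are assumptions.

```python
import os
import stat

# Extensions treated as web content worth inspecting (an assumed list; adjust per site).
WEB_EXTS = (".php", ".js", ".html", ".htm")


def _world_writable(path):
    """True if 'other' has write permission on path (symlinks are ignored)."""
    st = os.lstat(path)
    return not stat.S_ISLNK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def triage(root):
    """Return (path, octal_mode, reason) tuples, most recently modified first.

    A file is listed when it is world-writable itself, or when its directory
    is world-writable (any local account can then replace or add files there).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        dir_open = _world_writable(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if not (name.lower().endswith(WEB_EXTS) or name == ".htaccess"):
                continue
            file_open = _world_writable(path)
            if not (file_open or dir_open):
                continue
            st = os.lstat(path)
            reason = ("file is world-writable" if file_open
                      else "directory is world-writable")
            mode = format(stat.S_IMODE(st.st_mode), "03o")
            hits.append((st.st_mtime, path, mode, reason))
    hits.sort(reverse=True)  # newest modification time first
    return [(p, m, r) for _t, p, m, r in hits]


if __name__ == "__main__":
    import sys
    for path, mode, reason in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(mode, path, "-", reason)
```

Modification times can be reset by whoever changed a file, so the ordering is only a starting point; compare listed files against a known-good copy of the software.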
Old 06-17-2009, 07:59 AM   #127
Glad I Got Canned
 
Join Date: Sep 2008
Location: NY
Posts: 511
Thanks: 260
Thanked 53 Times in 39 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Everyone running any kind of website should be on guard against cross-site scripting (XSS) attacks. Once you fall for one of those, it doesn't matter if you're using top-secret ultra-secure Pentagon blogging software -- you're vulnerable.

Protect Against XSS Attacks | Charles Linart

The site hackers have been extremely active lately. All those guys gloating above about how secure their sites are will find out soon enough.

FYI - a primer on 21st Century SEO

Promote yourself from "Internet Marketer" to Web Publisher
SurviveUnemployment is online now  
Old 06-17-2009, 08:11 AM   #128
Politically Incorrect
 
HeySal's Avatar
 
Join Date: Nov 2004
Location: , , USA.
Posts: 3,053
Thanks: 250
Thanked 413 Times in 314 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by SurviveUnemployment
Everyone running any kind of website should be on guard against cross-site scripting (XSS) attacks. Once you fall for one of those, it doesn't matter if you're using top-secret ultra-secure Pentagon blogging software -- you're vulnerable.

Protect Against XSS Attacks | Charles Linart

The site hackers have been extremely active lately. All those guys gloating above about how secure their sites are will find out soon enough.

Wow - you hit the nail on the head. That's what I have been trying to tell people - my first site was a freakin' fortress. My tech works contracts doing security on gov computers. Not only were those hacked (not just the one he was working) but his own computer was hit at the bios level, uh..hello. He said it took the member months to hack into us after he landed. That's why we're torn to crap right now. What I got the other day was just the average redirect, but those are still nasty as heck.

On RHS1 we did everything the guy in your article suggested.....and it wasn't enough.

I've seen some boasting going on about how secure they are and others must be stupid to get a virus..........and I think about how I was feeling about RHS1.....before the hacker got us. It wasn't that I knew how to secure it...but I know my tech is one of the best and in the long run it didn't matter a twat. I hadn't even had a spammer on the site in over 2 years. Was pretty cocky about it. Lesson learned to the tune of 4 years of work on a site.

HeySal is offline
Old 06-17-2009, 08:13 AM   #129
Advanced Warrior
War Room Member
 
Peggy Baron's Avatar
 
Join Date: Oct 2007
Location: Colorado, USA
Posts: 588
Blog Entries: 24
Thanks: 65
Thanked 32 Times in 24 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by HeySal
Peggy, post your blog url and I'll see if it sets my avast off to view it.

Thanks Sal, it's here.

Peggy

Peggy Baron is offline  
Old 06-17-2009, 08:19 AM   #130
Advanced Warrior
War Room Member
 
Peggy Baron's Avatar
 
Join Date: Oct 2007
Location: Colorado, USA
Posts: 588
Blog Entries: 24
Thanks: 65
Thanked 32 Times in 24 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by ThomM
Peg 2 things.
First the default user mode should be subscriber like Cindy said.
As a subscriber about all they can do is comment they can't get into the admin area.

When they were set as I posted above, it allowed a person to subscribe and then it allowed them into my dashboard. Definitely not what I want!
When I change it back to Administrator, then they can only comment and I can reply as admin.

I can't figure out how they were recently changed when I didn't do it.

Peggy

Peggy Baron is offline  
Old 06-17-2009, 08:38 AM   #131
Politically Incorrect
 
HeySal's Avatar
 
Join Date: Nov 2004
Location: , , USA.
Posts: 3,053
Thanks: 250
Thanked 413 Times in 314 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Peggy - don't know anything about settings as I stressed a couple of posts ago, but -- your blog isn't setting off my avast alarms. I clicked about 4 or 5 pages and got nothing but website.

HeySal is offline
Old 06-17-2009, 08:38 AM   #132
Active Warrior
 
Join Date: May 2009
Location: california
Posts: 63
Thanks: 0
Thanked 4 Times in 4 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

I have never fallen into such a situation; I really appreciate that you shared this with us. I want to know: if a similar thing happens to me, what should I do, and how harmful is this virus? Can anyone tell me?
k8spy8 is offline  
Old 06-17-2009, 09:01 AM   #133
Warrior Member
 
Join Date: Mar 2007
Location: Canada
Posts: 13
Thanks: 0
Thanked 3 Times in 3 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Quote:
Originally Posted by SurviveUnemployment
Everyone running any kind of website should be on guard against cross-site scripting (XSS) attacks. Once you fall for one of those, it doesn't matter if you're using top-secret ultra-secure Pentagon blogging software -- you're vulnerable.

Protect Against XSS Attacks | Charles Linart

The site hackers have been extremely active lately. All those guys gloating above about how secure their sites are will find out soon enough.

I gloat for good reason.
I know how it works.
I know the precautions to take.

A few years ago I was on the other team and I know the exploits and how to do them and how to protect against them.

People running around like chicken little are the ones these guys bank on.

A good AV and real-time scanner and common sense WILL protect you.

They can't get in unless you give them the keys in the form of weak AV,
5 year old scripts
weak passwords
running warez even "harmless nulled php scripts"

XSS has been around for years and is nothing new.

Someone will not spend months hacking a blasted blog there is no money in it for them.

and bios problems ... well not even going to go there sounds like someone from a random IRC convo


Anyway, I am going to bow out, and if someone does get the problem and wants the site cleaned up, contact me. Have plenty of experience with NO recurrences.
Bamma is offline  
Old 06-17-2009, 09:05 AM   #134
Warrior Member
 
Join Date: Jun 2009
Posts: 15
Thanks: 3
Thanked 0 Times in 0 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Well, as I've gathered so far, this is not a virus.
Basically, what I can tell from this is that a hacker exploited a security hole, inserted an XSS attack on the website and redirected the webpage to a malicious one.
And whatever comes from there is still unknown.
jlxsolutions is offline  
Old 06-17-2009, 09:07 AM   #135
HyperActive Warrior
War Room Member
 
marcus passey's Avatar
 
Join Date: Oct 2006
Location: Hildenborough uk
Posts: 271
Thanks: 48
Thanked 10 Times in 9 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Interesting stuff

Marcus

Watch me finally make money this year now I have a mentor follow my journey at www.marcuspassey.com

Are you building a list? get my FREE report on list building CLICK HERE!
marcus passey is online now  
Old 06-17-2009, 09:24 AM   #136
Warrior Member
 
Join Date: Jun 2009
Posts: 15
Thanks: 3
Thanked 0 Times in 0 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Interesting indeed. Well, due to the fact I do security checks daily and make sure people's websites and computers are safe from the bad guys, I have come to the conclusion that even though mostly the user gets blamed, the reason most often lies with the host, not the user.
Like un-updated server software, for example.
If anyone is willing to give me permission to scan their website,
I can show some examples.
jlxsolutions is offline  
Old 06-17-2009, 11:10 AM   #137
Warrior Member
 
Join Date: Jun 2009
Posts: 15
Thanks: 3
Thanked 0 Times in 0 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

To the person who PM'ed me: sure, I'll do the scan.
I'll post the results here, and as you wanted to be anonymous I'll leave the webpage in question unmentioned. P.S. Can't reply to your PM until I have 15 posts lol
jlxsolutions is offline  
Old 06-17-2009, 04:58 PM   #138
Warrior Member
 
Join Date: Jun 2009
Posts: 15
Thanks: 3
Thanked 0 Times in 0 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Well, due to the fact you wanted to be anonymous, I think I won't post the report in here at all;
it would be too much work to edit the results.
But one thing was for sure: HostGator had some issues which needed urgent attention.
jlxsolutions is offline  
Old 06-17-2009, 05:04 PM   #139
Senior Warrior Member
War Room Member
 
Join Date: Jul 2004
Location: Jedi Temple
Posts: 1,340
Blog Entries: 12
Thanks: 4
Thanked 315 Times in 71 Posts
Default Re: WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

Peter,

Thanks for the exploit recommendations. Just what I needed and you've pointed out some potential security holes I hadn't thought of.

I periodically look at my server data and it is just incredible the number of attacks that are attempted.

kindsvater is offline  

All times are GMT -6. The time now is 11:26 PM.