WARNING if you have a WP blog

11 replies
If you have a WordPress blog that isn't on the latest version (2.9.1), then you should have a look at it.

I noticed I had a problem with one of my blogs that was number 3 in Google and was getting good traffic and then suddenly got 4 positions down. I thought it was weird because it has been there for a long time, so I typed the URL in my navigation tab and when the blog was supposed to appear, I got a warning (I was using Google Chrome).

It was something like: The website xyz.com appears to contain elements from the website estguard.com that apparently hosts malware....

So I went back to my blog and had a look at the source code. And here comes the surprise:
There was some code at the bottom of every page after the </html> tag.

This is the code:
I deleted the code for security purposes.

It looks like it's a JavaScript that tries to install something using an iframe. It was causing Google not to trust my blog anymore and thus the drop in the search engine results.

So I went ahead and had a look at all my other blogs. Guess what? All of them were infected except the ones with WP 2.9.1.

So this seemed to be the solution. So I upgraded all my blogs and the problem was solved.

So if you encounter the same problem, you know what to do.

Please share if you had a similar experience or if you know what the real problem is (maybe it's the server that got infected).
#blog #trojan js/exploit #warning #wp blog infected
  • Profile picture of the author Heidi White
    None of my sites have that problem, and none are 2.9.1, but thanks for the heads up.
  • Profile picture of the author Leto
    I wonder if you are using any footer plugin?

    Or are you suggesting someone hacked your blogs and injected malicious code?
  • Profile picture of the author Houcem Rihane
    I am not suggesting, I am sure.
    I didn't mean to say that if you don't have wp 2.9.1 then you will be hacked.
    Just be sure to have a look at your blogs if they are older than that.


  • Profile picture of the author Istvan Horvath
    If it really was a malicious code injected... just upgrading WP will NOT solve the issue.

    As far as I know in most of the cases the "bad stuff" is either in your database (also known as MySQL injection) or somewhere hidden deep in a subfolder in the wp-content folder.

    Hackers know exactly that during an upgrade we don't really touch the wp-content folder, where all our themes and plugins and uploads (images, movies etc.) are stored!

    I would search for that code you posted (or at least relevant part of it):
    - in the database
    - in the wp-content folder
    - the root index.php

    Good luck!

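The search Istvan Horvath describes can be scripted along these lines; this is an added example, not code from any poster in the thread. It flags files that have content after the closing `</html>` tag (where the original poster found the injection) or that mention a given domain. The domain `bad-domain.example` and the sample tree are constructed for the demo, and a database export saved as `.sql` under the scanned directory is searched too.

```python
import os
import re
import tempfile

SCAN_EXT = (".php", ".html", ".htm", ".js", ".sql")  # .sql covers an exported DB dump
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

def trailing_after_html(text):
    """Return whatever follows the last </html> tag, stripped of whitespace."""
    matches = list(CLOSE_HTML.finditer(text))
    return text[matches[-1].end():].strip() if matches else ""

def scan_file(path, indicators):
    """Return the reasons a file looks tampered with (empty list = no hit)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    reasons = []
    if trailing_after_html(text):
        reasons.append("content after </html>")
    lowered = text.lower()
    for ind in indicators:
        if ind.lower() in lowered:
            reasons.append("references " + ind)
    return reasons

def scan_tree(root, indicators):
    """Walk root (the WordPress directory) and return {relative_path: reasons}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                full = os.path.join(dirpath, name)
                reasons = scan_file(full, indicators)
                if reasons:
                    hits[os.path.relpath(full, root)] = reasons
    return hits

def demo():
    """Build a constructed two-file tree (clean index.php, tampered footer) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "sample")
        os.makedirs(theme)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(theme, "footer.php"), "w") as fh:
            fh.write("</body>\n</html>\n<iframe src='http://bad-domain.example/'></iframe>\n")
        return scan_tree(root, ["bad-domain.example"])

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

For a real site, call `scan_tree` on the blog's root directory with the domain named in the browser warning as the indicator; a hit is a lead to inspect by hand, not proof of infection.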
  • Profile picture of the author Gene Pimentel
    There is definitely something there that resembles a trojan. As soon as I clicked on the forum link to enter this thread, I got a warning from my antivirus software (avast) alerting me that there was a trojan embedded in an iframe in here.
  • Profile picture of the author Houcem Rihane
    I will delete the code.
    I can't believe it works even if I paste it in like this.


    • Profile picture of the author Jeff Henshaw
      If you have some sort of 'malware' infection and you host your blogs, websites or whatever on third party hosting, it's hell on earth to clean everything up, from my experience.

      I had my Hosting Account suspended due to some sort of infection, which I can only assume got in via an installed script. Fortunately I always use at least three different hosting providers, so that I can function in an emergency - so not too much damage to the business - apart from the "Account Suspended" notice which appeared when using the domain names pointing to that account, until I redirected them!

      I have only had this problem once, thank goodness and as I am no hosting or server techie, it took me about three working days to go through every folder and file capable of holding 'malware' code, in order to clean up my server space. I got there in the end, but it was an eye opener to see how the rogue code embeds and tries to hide itself anywhere that it can.

      I only wish that the plonkers who create and distribute this stuff, would turn their attention to helping people instead of trying to bring people down.

      Anyway - I wish you the best of luck in cleaning up your situation and do remember to check your pc for malware and key loggers and once you are clean, change your admin passwords to your sites.

  • Once you get things cleaned up, you need to put the site in Google Webmaster Tools and request a review.

    My site's been hacked - Webmaster Tools Help
  • Profile picture of the author franclin
    I just had it happen to me. I was lucky enough to take a screen grab but that was all. To see my screen grab go to three w's .epton.com/mallware/mall_ware_image.gif

    The site was being redirected to estguard.com (Google will stop you from going there and throw up the warning, the same one you will see in my screen grab).

    PS: I tried to post the image but the forum said "To be able to post links or images your post count must be 15 or greater. You currently have 0 posts."

    If anyone with 15 posts would like to post the image in a comment please feel free to do so... and thanks.
