1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Anyone been stung by this WP virus?

Discussion in 'Black Hat SEO' started by theindiaphile, Jan 13, 2011.

  1. theindiaphile

    theindiaphile Senior Member

    Joined:
    Jul 26, 2010
    Messages:
    830
    Likes Received:
    245
    Now for the second time I've been stung by a very annoying Wordpress Virus which posts 'automatically related posts' at the end of each posting. Last time I had to pay someone to get rid of it but I'd rather know how to do it myself and also how to keep it out! This is incredibly annoying particularly on blogs using WP robot as it can infect scores of articles.. Would really appreciate some feedback on this and what the heck to do about it.
     
  2. oxonbeef

    oxonbeef BANNED BANNED

    Joined:
    Jan 4, 2009
    Messages:
    2,242
    Likes Received:
    7,872
    A virus wouldn't do that, a virus self propagates.
    And it is very important to distinguish between a virus and a script.
    Being a wordpress installation which is database driven you can pretty much
    be sure you have a bad script somewhere in your php.
    Are you using any shared premium templates or plugings?
    They are your usual entry points.
    You should check the code in your footer and plugins for any abnormalities.
     
  3. popcrdom29

    popcrdom29 Jr. VIP Jr. VIP Premium Member

    Joined:
    May 20, 2008
    Messages:
    807
    Likes Received:
    518
    I agree with oxonbeef, this is not a virus and I've seen this before. It's probably a plugin you downloaded and installed. I made a brief post about this before but in a nutshell someone will share premium or paid plugins for free. The code is altered in a way that makes automatic posts like you described.

    If I were you I'd uninstall anything you downloaded recently. Who knows what else this may be doing to your system.

    With that said, WPRobot was one of the plugins being shared that made automatic posts as you described. If you didn't pay for it then I would uninstall it immediately. Also note that it's on the do not share list.

    Keep us updated, I'm curious to know the outcome.
     
  4. sfidirectory

    sfidirectory Senior Member

    Joined:
    Mar 29, 2010
    Messages:
    899
    Likes Received:
    483
    Occupation:
    Web developer/BTC enthusiast
    Location:
    php artisan make:migration
    Home Page:
    I have a virus scan for my wp blog and it says there is something wrong with my blog, although I can't find any scripts, code, files etc that would suggest it. I've done a re-install of wp, so I think it may be something to do with one of my templates (although I already rigorously checked them over with VirusTotal, McAfee et al).

    Anyway sorry for rambling on... Have you signed up to one of those sites that you give your details to and they post articles for you? I done that several years ago...
     
  5. axedbydax

    axedbydax Power Member

    Joined:
    Sep 16, 2008
    Messages:
    730
    Likes Received:
    171
    Home Page:
    have you installed WPRP plugin? or any plugin of that sort? There are many of them that automatically post related items after each post so that is probably the problem.
     
  6. xpleet

    xpleet Regular Member

    Joined:
    Jan 18, 2010
    Messages:
    377
    Likes Received:
    327
    Location:
    Morocco
    Download all your infected blog file to your computer using FTP client (especialy php, html and js files).
    After that use a tool like Notpad++ to search in all files for "eval" and "base64_decode" and all php functions used in encoding/decoding.
    Look closer beside the functions and you will probably see the infected script part code.
    Remove the bad code and then search and fix the source of how you get infected (infected template, plugin, bug in the script or in a plugin, bug in the webhosting server, ...).
    Good luck.
     
    • Thanks Thanks x 1
  7. NoWhErE

    NoWhErE BANNED BANNED

    Joined:
    Feb 21, 2007
    Messages:
    208
    Likes Received:
    50
    Try installing the "Theme Authenticator Checker" plugin. It'll check for any malicious code and static links that you would want to get rid of.

    Here is the link :
    Code:
    http://wordpress.org/extend/plugins/tac/