
JS/Kryptik.RW trojan in Wordpress Site

Discussion in 'BlackHat Lounge' started by safaristyle, Jul 17, 2012.

  1. safaristyle

    safaristyle Regular Member

    Did anyone face this JS/Kryptik.RW trojan while visiting a WordPress site? My sites are currently affected with this trojan. Every single time I am getting a notification (I am using ESET Smart Security).
     
  2. Falian

    Falian Junior Member

    Sounds like you had an outdated Wordpress install, bummer dude :/.
     
  3. safaristyle

    safaristyle Regular Member

    No, my WordPress installs are up to date.
     
  4. sapo

    sapo Power Member

    Check your plugins, or anything new you installed on the server. Also change all default FTP users and passwords.
     
  5. portalweb

    portalweb Supreme Member Premium Member

    2 possible reasons:
    1) Bad/infected "free" theme with encrypted php code in footer
    2) Scrupulous plugin that injects trojans/malware on the client's side.

    Solution: Fix your site by replacing "free" themes with "premium" from reputable sites, as well as the plugins too. If you are not sure, please PM or IM me - I'll be able to help, as I did for others. :)
     
  6. Meads

    Meads Junior Member

    Probably an SQL injection. You need to make sure your WP installation is up to date and you're not using any plugins that have recently been addressed as vulnerable to an SQL injection attack. You can actually check which of the latest scripts and plugins are vulnerable over at http://1337day.com/webapps. Never thought of actually using SQL injection as a method of getting backlinks, takes blackhat to a whole new level then, doesn't it lol. There must be hundreds of high PR sites out there that are vulnerable, easy pickings or down and out shady tactics??? hmm
     
  7. safaristyle

    safaristyle Regular Member

    Guys, all my sites got hacked with "eval(base64_decode", please tell me what to do.
     
  8. Meads

    Meads Junior Member

    You have been told here already. You need to secure your installation by upgrading to the current, latest stable version of WordPress. Then it will just be a case of removing the base64 encoded links from the footer. You may also want to check that there aren't any web shells left behind by whoever did this to you. I'd run a rootkit scanner too if it's a dedicated server; if it's shared hosting, speak to your hosting company and make them aware of what has happened.
     
  9. williamk

    williamk BANNED BANNED

    Try running some other tools like VT for your site. That might help. And yeah, update it regularly.
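
The cleanup step described in the thread (finding the `eval(base64_decode` code injected into theme and plugin files) can be scripted. This is an added example, not code posted by anyone in the thread: the function names, the sample theme directory and the `example.invalid` link are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode('...')) with optional whitespace and either quote style.
PATTERN = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)

def scan_file(path):
    """Return (line_no, decoded_preview) for each eval(base64_decode(...)) in one file."""
    data = Path(path).read_bytes()
    hits = []
    for m in PATTERN.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except (binascii.Error, ValueError):
            decoded = b"<not valid base64>"
        # Decode for review only; the payload is never executed.
        hits.append((line_no, decoded[:120].decode("utf-8", "replace")))
    return hits

def scan_tree(root):
    """Walk a WordPress directory and report suspicious PHP files, relative to root."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Build a constructed two-file theme in a temp dir and scan it."""
    payload = base64.b64encode(b"echo '<a href=\"http://example.invalid/\">x</a>';").decode()
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "sample")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (theme / "footer.php").write_text(
            "<?php wp_footer(); ?>\n<?php eval(base64_decode('%s')); ?>\n" % payload)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, preview in hits:
            print(f"{name}:{line_no}: {preview}")
```

This only catches the literal pattern named in the thread; a clean result does not rule out other obfuscation or leftover web shells, so comparing files against a fresh copy of WordPress and the original theme/plugin packages is still needed.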