
wordpress virus

Discussion in 'BlackHat Lounge' started by davids355, Dec 5, 2011.

  1. davids355

    Discovered this morning that 4 of my WordPress sites had a virus on them - some sort of JS iframe virus or something.
    Sorted them out by replacing the index.php file at root of install.

    Just wondering how they got compromised - 2 of them were slightly out of date versions (fair enough) but the other two were fully up to date, file permissions look OK, just wondering how they got done..?? grrrr!
     
  2. webwhizz

    Hi, I had 3 blogs done a few weeks ago, think it came from a plugin I downloaded on here from user M0g0l. I did the same, replaced index.php, but also check your AdSense if you have it, because mine had been changed.
     
  3. RMX

  4. davids355

    Aughhhrr! Just checked back on one of the sites and the code is back on there (and I had changed password!).

    I have now deleted all plugins that I don't definitely trust, changed password again and removed code.

    What else can I do?
     
  5. Virus1

  6. davids355

    Deleted ALL files from WordPress install. Downloaded fresh copy, re-uploaded, reinstalled a few plugins:
    All in One SEO
    Statcounter
    That's it.

    Changed password, checked there were NO OTHER USERS.
    Two hours later, the malware is back!!!!!!!!
     
  7. laowai

    This might be a stupid question, but did you also delete and re-install your MySQL DB and set up new credentials?
     
  8. davids355

    No. Then I would lose all my posts, wouldn't I?

     
  9. laowai

    There should be WP plugins to export and import your posts which you should of course do before deleting DB. I'm quite sure that the virus is lurking in your database. You could also check if there are some tools to scan the db for viruses.

    And of course if you know how to use phpMyAdmin you can export all the relevant tables like wp_comments, wp_links, wp_posts, wp_posts_meta, but of course the risk is that the virus gets exported along with the other data.
     
    Last edited: Dec 6, 2011
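
One way to run the database check suggested in the post above, as an added example that is not part of any poster's message: a Python scanner for HTML stored in rows exported from tables such as wp_posts and wp_comments. The allowlist, the heuristics and the sample rows are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately embeds from.
TRUSTED_HOSTS = {"example.com", "www.youtube.com"}
# Script constructs that commonly accompany injected loaders (heuristic).
OBFUSCATION = re.compile(r"\b(eval|unescape|document\.write)\s*\(|String\.fromCharCode", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectionFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.reasons, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        if tag in ("iframe", "script") and host and host not in TRUSTED_HOSTS:
            self.reasons.append(f"{tag} src from untrusted host {host}")
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.reasons.append("hidden or zero-size iframe")
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # Only inspect script bodies, so a post that merely mentions eval( is not flagged.
        if self.in_script and OBFUSCATION.search(data):
            self.reasons.append("obfuscated inline script")

def scan_rows(rows):
    """rows: iterable of (table, row_id, html). Returns {(table, row_id): [reasons]}."""
    findings = {}
    for table, row_id, html in rows:
        finder = InjectionFinder()
        finder.feed(html)
        finder.close()
        if finder.reasons:
            findings[(table, row_id)] = finder.reasons
    return findings

# Constructed sample rows (not taken from the thread).
SAMPLE_ROWS = [
    ("wp_posts", 1, '<p>Hi</p><iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>'),
    ("wp_posts", 2, "<p>Post</p><iframe src='http://bad.invalid/x' width='1' height='1'></iframe>"),
    ("wp_comments", 7, "<script>document.write(unescape('%3Cb%3E'))</script>"),
]
```

Calling `scan_rows(SAMPLE_ROWS)` reports rows 2 and 7 and leaves the allowlisted embed in row 1 alone; flagged rows should be reviewed and cleaned before any re-import.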
  10. procam

    I don't know how to get malware out of WordPress but I never download any plugins for WP at BHW unless I've paid for them.

    Nothing is really free, someone is getting paid somehow with those free plugins you download.
     
  11. Corrupt

    Did you check your hosting password?
     
  12. davids355

    Thanks, I might try that. At the moment I have hardened all security and so far the JS has not returned. Will check again tomorrow.