My site got exploited by a virus (Trojan) that creates HTML pages in the wp-content/1/ folder. I hadn’t noticed it until I opened that folder and scanned it with my web scanner.
Who is safe?
Everyone who does not use “WordPress”
How to clean Unknown Virus – Trojan
For now, all you can do is check whether you have a wp-content/1 folder. If you do, delete folder 1, because it contains only HTML pages that you did not create.
Is that all? Yes, for now. I am still researching how it got there in the first place!
I have special web software that scans for vulnerabilities on all pages.
What do I think…
I think it must have been one of the plugins I installed, or some file that I did not look for.
How many people are infected:
About 3,780, says Google (see here, it’s safe)
What happened to me:
A friend of mine and I have this blog, hawaiib.com (please don’t click on it or search for it “YET”), and we both noticed that a few weeks ago our traffic dropped by 90%! So, with a little research: when people searched for hawaiian blog and clicked on our blog, they got the message “This site may harm your computer”, and I was like, wtf?
Then I first thought it must be the new theme we put up, and yes, it was partly that, because it included a script that calls that folder. But that’s not all! It’s one of the plugins that work together with that theme.
What to do after clean up:
Go to Google, type your website name (bontb.com, for example) and see if you get the same message as my friend and I did.
If you don’t see anything like it and your site is normally accessible by clicking through from Google, you are safe. If you do see “this website may harm your pc”, go to Google Webmaster Tools, log in and submit your site to be reconsidered. Tell them you deleted the files and think that the website is now safe…
I will update this post if I find more information, so if you would be so kind, subscribe to my RSS feeds to get updates.
The problem was with the previous code of WordPress 2.3.2 vulnerability, so if you are affected by this:
CHANGE YOUR PASSWORD FOR YOUR ADMIN ACCOUNT!!!!!
An attacker can still log in to your account and do the same thing even though you updated to 2.3.2.
I will update this a little bit more, but for now you have enough information to start with…
Go to your Admin Dashboard, click on Manage, and in the search box type in:
noscript (many other sites use this one, so be careful deleting it; if it’s pointing to something like .html, that is malware)
If you see something like
<!-- Traffic Statistics -->
MALWARE TEXT INCLUDING IFRAME OR SOME IP ADDRESS STARTING WITH 69.132.X.X
Traffic Statistics -->
Also go to the Admin Dashboard, click on Users, and delete all users you don’t know or that look suspicious.
Here is an example:
comment_author = 'Lierthearne'
comment_author_email = 'firstname.lastname@example.org'
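The two checks described above (HTML files dropped in wp-content/1, and posts containing the “Traffic Statistics” comment or a noscript/iframe block that points at a .html page or a bare IP address) can be scripted. This is an added example, not code from the original post; the function names, regexes and sample posts are assumptions, and post bodies are expected as plain strings from a database export.

```python
import re
from pathlib import Path

# Patterns follow the symptoms listed in the post; the exact regexes are assumptions.
MARKER = re.compile(r"<!--\s*Traffic Statistics\s*-->", re.I)
BLOCK = re.compile(r"<(noscript|iframe)\b[^>]*>.*?</\1>", re.I | re.S)
URL = re.compile(r"""(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.I)
RAW_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

# Constructed sample post bodies (192.0.2.10 is a documentation-only address).
SAMPLE_POSTS = {
    1: "Hello <noscript>Please enable JavaScript</noscript>",
    2: '<!-- Traffic Statistics --><iframe src="http://192.0.2.10/s" width="0"></iframe>',
    3: 'Nice <noscript><a href="http://example.com/1/page.html">x</a></noscript>',
}


def dropped_pages(wp_root):
    """Return names of HTML files in wp-content/1, the folder the post says to delete."""
    folder = Path(wp_root) / "wp-content" / "1"
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir() if p.suffix.lower() in (".html", ".htm"))


def suspicious_reasons(content):
    """Return the reasons a post body looks injected (empty list means nothing matched)."""
    reasons = []
    if MARKER.search(content):
        reasons.append("traffic-statistics-marker")
    for block in BLOCK.finditer(content):
        tag = block.group(1).lower()
        for url in URL.findall(block.group(0)):
            if RAW_IP.match(url):
                reasons.append(f"{tag}-raw-ip")
            elif url.lower().split("?")[0].endswith((".html", ".htm")):
                reasons.append(f"{tag}-html-link")
    return reasons


def scan_posts(posts):
    """posts maps post id to body text; return only the posts that need a manual look."""
    found = {pid: suspicious_reasons(body) for pid, body in posts.items()}
    return {pid: reasons for pid, reasons in found.items() if reasons}


if __name__ == "__main__":
    print(dropped_pages("."))        # run from the WordPress root directory
    print(scan_posts(SAMPLE_POSTS))
```

A plain noscript block with no link (sample post 1) is not flagged, which matches the caution above about legitimate noscript use.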