My site got hit by a virus/trojan that creates HTML pages in the wp-content/1/ folder. I hadn't noticed it until I opened that folder and scanned it with my web scanner.
Who is safe?
Everyone who does not use WordPress.
How to clean up this unknown virus/trojan
For now, all you can do is check whether you have a wp-content/1 folder and, if so, delete folder 1, because it contains only HTML pages that you did not create.
Is that all? Yes, for now; I am still researching how it got there in the first place!
I have special web software that scans all pages for vulnerabilities.
What do I think…
I think it must have been one of the plugins I installed, or some file that I did not look at.
How many people are infected:
About 3,780, says Google (see here; it's safe).
What happened to me:
A friend of mine and I have this blog, hawaiib.com (please don't click on it or search for it "YET"), and we both noticed that a few weeks ago our traffic dropped by 90%!!! With a little research we found that when people searched for "hawaiian blog" and clicked on our blog they got the message "This site may harm your computer", and I was like wtf?
At first I thought it must be the new theme we put on, and that was partially right, because it included a script that calls that folder. But that's not all! It's one of the plugins that works together with that theme.
What to do after clean up:
Go to Google, type in your website name (bontb.com, for example) and see whether you get the same message my friend and I did.
If you don't see anything like it and your site is normally accessible via the Google link, you are safe. If you do see "this website may harm your pc", go to Google Webmaster Tools, log in and submit your site to be reconsidered. Tell them you deleted the files and think the website is now safe…
I will update this post if I find more information, so if you would be so kind, subscribe to my RSS feeds to get updated.
UPDATE( 03/25/2008):
The problem was the vulnerability in the WordPress code prior to 2.3.2, so if you are affected by this:
CHANGE YOUR PASSWORD FOR YOUR ADMIN ACCOUNT!!!!!
The attacker can still log in to your account and do the same thing even though you updated to 2.3.2.
I will update this a little more, but for now you have enough information to start with…
UPDATE:
Go to your Admin Dashboard, click on Manage, and in the search box type in:
noscript (many other sites use this one too, so be careful deleting it; if it's pointing to something like a .html file, that is malware)
iframe
wp-stats-php
If you see something like
<!-- Traffic Statistics -->
MALWARE TEXT INCLUDING AN IFRAME OR SOME IP ADDRESS STARTING WITH 69.132.X.X
<!-- End Traffic Statistics -->
that is the injected malware.
Also go to Admin Dashboard, click on Users, and delete all users you don't know or that look suspicious.
Here is an example:
comment_author = 'Lierthearne'
OR
comment_author_email = 'preotononsomi@mytop-in.net'
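The manual searches above (the Traffic Statistics comment block, iframes, noscript tags pointing at .html files, addresses in 69.132.x.x, and the wp-content/1 folder) can be run as one script over exported post bodies. This is an added example, not code from the original post or from WordPress; the sample post bodies and the install tree it creates are constructed here, and the 69.132.0.1 address and example.invalid host in them are made up.

```python
import re
import tempfile
from pathlib import Path
# Constructed sample post bodies (not taken from any real site). The first
# carries an injected "Traffic Statistics" block like the one described above.
SAMPLE_POST = """<p>Aloha from the island!</p>
<!-- Traffic Statistics -->
<iframe src="http://69.132.0.1/stats.html" width="1" height="1"></iframe>
<noscript><a href="http://example.invalid/page.html">stats</a></noscript>
<!-- End
Traffic Statistics -->
<p>More text.</p>"""
CLEAN_POST = "<p>Just a normal post with <a href='/about'>a link</a>.</p>"
# The markers the post tells you to search for under Manage / Pages.
STATS_BLOCK = re.compile(
    r"<!--\s*Traffic Statistics\s*-->.*?<!--\s*End\s*Traffic Statistics\s*-->",
    re.S | re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
NOSCRIPT_HTML = re.compile(r"<noscript\b.*?\.html.*?</noscript>", re.S | re.I)
SUSPECT_IP = re.compile(r"\b69\.132\.\d{1,3}\.\d{1,3}\b")

def scan_post(html):
    """Return the names of the indicators found in one post body."""
    findings = []
    if STATS_BLOCK.search(html):
        findings.append("traffic-statistics-block")
    if IFRAME.search(html):
        findings.append("iframe")
    if NOSCRIPT_HTML.search(html):
        findings.append("noscript-html-link")
    if SUSPECT_IP.search(html):
        findings.append("ip-69.132.x.x")
    return findings

def has_dropped_directory(wp_root):
    """True if the wp-content/1 folder the post describes exists under wp_root."""
    return (Path(wp_root) / "wp-content" / "1").is_dir()

def demo_directory_check():
    """Build a throwaway install tree and run the check before and after."""
    with tempfile.TemporaryDirectory() as root:
        before = has_dropped_directory(root)
        (Path(root) / "wp-content" / "1").mkdir(parents=True)
        return before, has_dropped_directory(root)

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_POST), ("clean", CLEAN_POST)):
        print(name, scan_post(body))
```

Point scan_post at each post_content row exported from the wp_posts table and review every post that returns a non-empty list before deleting anything.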
One of my blogs has been exploited too. I knew it when I checked my blog stats.
This is why I dropped WordPress as a blogging platform. It's just too dangerous these days.
With WP, responsibility comes across… but still I'd take WordPress over anything.
I use WordPress too, but this article makes me afraid.
Here’s a little tidbit of info:
I googled all the websites that have this directory just out of curiosity.
Being the super-humanely wonderful person I am, I decided to leave comments on as many of the websites as I could to let them know that they had been hit with this.
I made it through 10 domains before I figured this out:
EVERY SINGLE ONE OF THOSE WEBSITES REQUIRES ME TO REGISTER TO COMMENT.
Coincidence? Maybe.
[...] See: http://smackdown.blogsblogsblogs.com and http://www.bontb.com for more information and discussion about the WordPress 2.3.3 exploit. I hope none of you are [...]
Thanks for the pointer to this, I had already found out my site had been hacked into, but it was useful to read a little more about it!
[...] click on) shows a corresponding warning. If that is the case, a corresponding request for a change can be submitted via the Google Webmaster Center (request for a renewed [...]
[...] I found this excellent blog article that explained the whole thing. It’s critical that all bloggers who use Wordpress check if their host has been infected with [...]
[...] the spam injections can be recognized by various characteristics. In an injection wave that started at the end of March, additional spam pages landed in a newly created subdirectory wp-content/1. Google [...]
[...] Blog or not to Blog (English) [...]
[...] corrected about WordPress 2.3.3 being secure thanks to unTECHy, and a number of other blogs he has linked to on his [...]
Oh man, this is really strong stuff!! I have 3 blogs running WP 2.32, I will check them instantly. Thanks for the warning! Steve
@Gesund abnehmen: You are very welcome, btw I wonder how you found me?… I speak German as well.
I found the directory wp-content/1 and deleted folder 1, but ESET NOD32 is still saying that wp-stats is infected. I don't even use any plugins. I did, however, change my admin password.
Anything else I might do, or should I just remove wp?
@Anthony: Yes, look at the last part I wrote here: search for iframe within your posts… go to Manage/Pages and search…
Removed it! From the instructions I was not aware it was written into the HTML; once I looked at the raw code, I saw the bad stuff… now to figure out how to resubmit to Google… geesh, 15 years on the net with no problem… grrrr.
Thanks for the info, I could not find anything until I stumbled upon this place, great job.
@Anthony: What do you mean by "resubmit to Google"? Google will crawl your pages again anyway. BUT in my opinion I would remove those few posts totally from the blog and maybe re-write them.
Also update your WP to 2.5.
I have already updated, and changed the password. With respect to this situation I (in all my years on the net, even before a web interface) have not had to deal with things like this, so I am/was understandably confused.
Thanks again for your help and information.