Category: Blog Tips Tricks — BONTB @ 8:04 pm — Comments (35)

My site got exploited by a virus – a Trojan that creates HTML pages in the wp-content/1/ folder. I hadn’t noticed it until I opened that folder and scanned it with my web scanner.

Who is safe?

Everyone that does not use “wordpress”

How to clean Unknown Virus – Trojan

For now, all you can do is check whether you have a folder wp-content/1. If you do, delete folder 1, because it contains only HTML pages that you did not create.

Is that all? Yes, for now. I am still researching how it got there in the first place!

I have special web software that scans for vulnerabilities on all pages.

What do I think…

I think it must have been one of the plugins I installed, or some file that I did not look for.

How many people are infected:

About 3,780, says Google (see here, it’s safe)

What happened to me:

A friend of mine and I have this blog hawaiib.com (please don’t click on it or search for it “YET”) and we both noticed that a few weeks ago our traffic dropped by 90%!!! So with a little research, when people searched for hawaiian blog and clicked on our blog they got the message “This site may harm your computer” and I was like wtf?

Then I first thought it must be the new theme we put up, and yes, it was partially, because it included a script that calls that folder. But that’s not all! It’s one of the plugins that work together with that theme.

What to do after clean up:

Go to Google, type your website name (bontb.com, for example) and then see if you get the same message as my friend and I did.

If you don’t see anything like it and your site is normally accessible via a Google click, you are safe. If you do see “this website may harm your pc”, go to Google Webmaster Tools, log in and submit your site to be reconsidered. Tell them you deleted the files and think that the website is now safe…

I will update this post if I find more information, so if you are so kind, subscribe to my RSS FEEDS to get updated.

UPDATE( 03/25/2008):

The problem was with the previous code of the WordPress 2.3.2 vulnerability, so if you are affected by this

CHANGE YOUR PASSWORD FOR YOUR ADMIN ACCOUNT!!!!!

An attacker can still log in to your account and do the same thing even though you updated to 2.3.2.

I will update this little bit more but for now you have enough information to start with…

UPDATE:

Go to your Admin Dashboard, click on Manage, and in the search box type in:

noscript (many other sites use this one, so be careful deleting it; if it’s pointing to something like .html, that is malware)

iframe

wp-stats-php

If you see something like

<!-- Traffic Statistics -->

MALWARE TEXT INCLUDING IFRAME OR SOME IP ADDRESS STARTING WITH 69.132.X.X

<!-- End Traffic Statistics -->

Also go to the Admin Dashboard, click on Users, and delete all users you don’t know or that look suspicious.

Here is an example:

comment_author = 'Lierthearne'
OR
comment_author_email = 'preotononsomi@mytop-in.net'
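
The manual checks above (the search terms, the "Traffic Statistics" comment block and the wp-content/1 folder) can be run in one pass over exported post content. This is an added example, not code from the original post; the function names, the regexes and the sample posts are assumptions made for illustration.

```python
import re
from pathlib import Path

# Markers named in the post; the regexes themselves are this example's assumption.
STATS_BLOCK = re.compile(
    r"<!--\s*Traffic Statistics\s*-->.*?<!--\s*End\s+Traffic Statistics\s*-->", re.I | re.S)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
NOSCRIPT = re.compile(r"<noscript\b[^>]*>(.*?)</noscript>", re.I | re.S)
HTML_LINK = re.compile(r"""href\s*=\s*["']?[^"'\s>]+\.html?\b""", re.I)

def scan_post(content):
    """Return a sorted list of indicator names found in one post's raw HTML."""
    hits = set()
    if STATS_BLOCK.search(content):
        hits.add("traffic-statistics-block")
    if IFRAME.search(content):
        hits.add("iframe")
    if "wp-stats-php" in content.lower():
        hits.add("wp-stats-php")
    # noscript is common on legitimate sites: flag it only when it wraps a link to an .html page
    for m in NOSCRIPT.finditer(content):
        if HTML_LINK.search(m.group(1)):
            hits.add("noscript-html-link")
    return sorted(hits)

def scan_posts(posts):
    """posts maps post id -> raw HTML; returns only the posts that have hits."""
    scanned = ((pid, scan_post(html)) for pid, html in posts.items())
    return {pid: hits for pid, hits in scanned if hits}

def unexpected_html_pages(wp_root):
    """List HTML files under wp-content/1/, the folder the post says to delete."""
    folder = Path(wp_root) / "wp-content" / "1"
    if not folder.is_dir():
        return []
    return sorted(str(p.relative_to(wp_root)) for p in folder.rglob("*")
                  if p.suffix.lower() in (".html", ".htm"))

# Constructed sample posts (not real data); 192.0.2.1 is a documentation address.
SAMPLE_POSTS = {
    1: "<p>Aloha! Surf report for this week.</p>",
    2: "<p>Recipe</p><!-- Traffic Statistics --><iframe src='http://192.0.2.1/x'>"
       "</iframe><!-- End Traffic Statistics -->",
    3: "<noscript><a href='/wp-content/1/page.html'>pills</a></noscript>",
    4: "<noscript>Please enable JavaScript.</noscript>",
}

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"post {pid}: {', '.join(hits)}")
```

Review each flagged post by hand before deleting anything, since an iframe or noscript tag can also be content you added yourself.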



Horaayy..there are 35 comment(s) for me so far ;)

#1

One of my blogs has got exploited too. I know it when I check my blog stats

Finance Software wrote on March 25, 2008 - 7:09 am
#2

This is why I dropped WordPress as a blogging platform. It is just too dangerous these days.

Kosten Treppenlift wrote on March 25, 2008 - 7:27 am
#3

with wp, responsibility comes across… but still i can take wordpress over anything

Melvin wrote on March 25, 2008 - 9:45 am
#4

I used wordpress too, but this article makes fear for me.

Ostsee News wrote on March 25, 2008 - 10:14 am
#5

Here’s a little tidbit of info:

I googled all the websites that have this directory just out of curiosity.
Being the super-humanely wonderful person I am, I decided to leave comments on as many of the websites as I could to let them know that they had been hit with this.

I made it through 10 domains before I figured this out:

EVERY SINGLE ONE OF THOSE WEBSITES REQUIRE ME TO REGISTER TO COMMENT.

Coincidence? Maybe.

unTECHy wrote on March 25, 2008 - 5:35 pm
#6

[...] See: http://smackdown.blogsblogsblogs.com and http://www.bontb.com for more information and discussion about the WordPress 2.3.3 exploit. I hope none of you are [...]

HUGE hacking exploit in WordPress 2.3.3 wrote on March 25, 2008 - 6:06 pm
#7

Thanks for the pointer to this, I had already found out my site had been hacked into, but it was useful to read a little more about it!

Mike Foston wrote on March 26, 2008 - 5:37 am
#8

[...] clicking) displays a corresponding warning notice. If this is the case, an appropriate change request can be submitted via the Google Webmaster Center (request for renewed [...]

#9

[...] I found this excellent blog article that explained the whole thing. It’s critical that all bloggers who use WordPress check if their host has been infected with [...]

#10

[...] the spam injections by various characteristics. In a wave of injections that started at the end of March, additional spam pages landed in a newly created subdirectory wp-content/1. Google [...]

#11

[...] Blog or not to Blog (English) [...]

#12

[...] corrected about WordPress 2.3.3 being secure thanks to unTECHy, and a number of other blogs he has linked to on his [...]

#13

[...] clicking) displays a corresponding warning notice. If this is the case, an appropriate change request can be submitted via the Google Webmaster Center (request for renewed [...]

#14

Oh man, this is really strong stuff!! I have 3 blogs running WP 2.32, i will check them instantly. Thanks for warning! Steve

Gesund abnehmen wrote on April 17, 2008 - 6:16 am
#15

@Gesund abnehmen: You are very welcome, btw I wonder how you found me?…Ich spreche deutsch as well :)

BONTB wrote on April 17, 2008 - 6:26 am
#16

I found the directory wp-content/1 and deleted folder 1, but ESET NOD32 is still saying that wp-stats is infected. I don’t even use any plugins. I did, however, change my admin password.

Anything else I might do, or should I just remove wp?

Anthony wrote on May 7, 2008 - 1:07 am
#17

@Anthony: Yes look at the last part I wrote on here, search for iframe within your posts .. go to Manage/Pages and search…

BONTB wrote on May 7, 2008 - 8:37 am
#18

Removed it! From the instructions I was not aware it was written into the html, once I looked at the raw code, I saw the bad stuff…now how to figure out how to resubmit to google..geesh 15 years on the net with no problem..grrrr. :D

Thanks for the info, I could not find anything until I stumbled upon this place, great job.

Anthony wrote on May 7, 2008 - 9:11 am
#19

@Anthony: What do you mean by “resubmit to google” ? Google will crawl your pages again anyways. BUT in my opinion those few I would remove totally from blog and maybe re-write them :) also update your WP to 2.5

BONTB wrote on May 7, 2008 - 9:38 am
#20

I have already updated, and changed the password. With respect to this situation I (in all my years on the net, even before a web interface) have not had to deal with things like this, so I am/was understandably confused.

Thanks again for your help and information.

anthony wrote on May 7, 2008 - 11:02 am
#21

[...] themes folders. Luckily there are easy ways to remove said inconvenience and I found them on the bontb website. Bontb, for those who don’t know or are just darn curious (like me!), stands for Blog [...]

Hackers – part deux | Tess Barnes wrote on May 15, 2008 - 6:50 pm
#22

[...] the spam injections by various characteristics. In a wave of injections that started at the end of March, additional spam pages landed in a newly created subdirectory wp-content/1. Google [...]

Spam-Epidemie : Infoportal wrote on June 1, 2008 - 1:09 pm
#23

[...] JasonMorrison Bontb TipsTricksToolsTechniques Tags: WP-Stats This entry was posted on Wednesday, June 4th, 2008 at 9:23 pm and is filed under Tips & Tricks. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. [...]

#24

Can anyone tell me specifically what Trojan is the result?

Cimmeron Studios wrote on July 29, 2008 - 4:48 pm
#25

aha, figured it out. It’s DOWNLOADER. thanks for the useful information.

Cimmeron Studios wrote on July 29, 2008 - 5:08 pm
#26

[...] out how to get rid of whatever was contaminating my website. I did a few searches and found a blog post that helped solve my problem. Go to your Admin Dashboard click on Manage in search type in: noscript ( this one uses many of [...]

Malicious code found on your blog? | JonesPC wrote on August 27, 2008 - 11:53 am
#27

You are so right on target. I found your post only because I have been infected with the big T virus on one of our sites. I will follow the excellent instructions I found here. Still a die-hard WordPress fan and looking at this as a learning process to take away the pain.
Any other insights? What permissions should the htaccess be set for?
Thanks again

blogcoach wrote on September 5, 2008 - 12:51 pm
#28

Cool! Write more

Isabella wrote on November 5, 2008 - 10:40 pm
#29

its really cool here!!! :)

Ficken wrote on November 23, 2008 - 8:37 am
#30

Thanks for help!

Franky wrote on December 5, 2008 - 5:12 am
#31

Very useful information on your blog website. Thanks for your work and have a good day.

Charms wrote on January 19, 2009 - 9:25 am
#32

Thanks for the info. I just noticed today that I had a wp-content/1 folder in two of my blogs.

Grrr.

GreatGrey wrote on February 20, 2009 - 3:38 am
#33

Oh man, thanks for that. Very helpful Blog!

Selbstvertrauen wrote on March 30, 2009 - 4:36 pm
#34

Yeah, that was really helpful, thank you so much!

lesen texte wrote on April 29, 2009 - 6:25 am
#35

Thanks. This is news to me. A WordPress virus?! This is scary. How to find out if your site is infected, and are there some good anti-virus plugins for wp2.7?

SlimQuick wrote on June 2, 2009 - 11:35 am