Author Topic: Wordpress with Mal:URL  (Read 11788 times)


krypinaturen

  • Guest
Re: Wordpress with Mal:URL
« Reply #15 on: August 30, 2011, 03:27:09 PM »
OK, that sounds good, but something is wrong. I have changed the theme and avast did not warn, but in the admin panel it warns, so I found in wp-includes/js/jquary.js?ver=1.6.1 and I took away jquary.js, but now it warns again both in the admin panel and on the blog.   :'(


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Wordpress with Mal:URL
« Reply #16 on: August 30, 2011, 05:26:34 PM »
Sucuri still finds the issues here:
Web application version:
Wordpress version: WordPress 3.2.1
Wordpress Version 3.2 based on: -http://krypinaturen.se//wp-includes/js/autosave.js
Wordpress theme: -http://krypinaturen.se/wp-content/themes/palnila/
Wordpress internal path: -/home/web34138/domains/krypinaturen.se/public_html/wp-content/themes/palnila/index.php

Malware found on javascript file:
-http://krypinaturen.se/wp-includes/js/l10n.js?ver=20101110
Known javascript malware, the file l10n.js?ver=20101110 is detected as HTML/Crypted.Gen,
also known as counter Wordpress hack.

polonus
« Last Edit: August 30, 2011, 05:47:15 PM by polonus »

krypinaturen

  • Guest
Re: Wordpress with Mal:URL
« Reply #17 on: August 30, 2011, 06:47:51 PM »
I have got some help from my web host and they say many files are infected, but it has not got into the deepest database, and they are helping me to clean it.

Many thanks for your help and answers here, they have been worth gold to me.  :)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Wordpress with Mal:URL
« Reply #18 on: August 30, 2011, 07:28:09 PM »
You're welcome, good luck with the cleaning.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: Wordpress with Mal:URL
« Reply #19 on: August 30, 2011, 10:21:33 PM »
Sucuri scanner is now working again....see attached screen shot (click to enlarge)

Malware entry: MW:JS:2368  http://sucuri.net/malware/malware-entry-mwjs2368

PlayingKarrde

  • Guest
Re: Wordpress with Mal:URL
« Reply #20 on: August 31, 2011, 07:42:28 AM »
Hi, I arrived here since I have the same problem and know the entry point but was looking for a solution to fix it.

Anyway, I thought I'd save you some time so you can at least know where it all started. Apparently there was a security hole in timthumb (which is used by many people running WordPress) which allows a file to be uploaded and then copied elsewhere on the server, where it then spreads. It's best to take your site offline first and try to clear it.

More specifics can be found here http://code.google.com/p/timthumb/wiki/GoogleMaliciousSite

Good luck.
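
One way to see which core files were changed, as an added example that is not part of any post in this thread: compare the site's `wp-admin` and `wp-includes` against a freshly downloaded copy of the same WordPress version. The function names, file contents and temp-directory layout below are constructed for illustration (`cache.php` is a hypothetical extra file).

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # WordPress core; themes and plugins live in wp-content

def hash_tree(root, subdirs=CORE_DIRS):
    """Map 'relative/path' -> SHA-256 for every file under root/<subdir>."""
    digests = {}
    for sub in subdirs:
        for path in Path(root, sub).rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_core(site_root, clean_root):
    """Diff the live site's core files against a clean copy of the same release."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "unexpected": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }

def build_demo():
    """Write two small constructed trees to a temp dir; return (site, clean)."""
    base = Path(tempfile.mkdtemp())
    trees = {
        "clean": {
            "wp-includes/js/l10n.js": "function convertEntities(o) { return o; }\n",
            "wp-includes/js/autosave.js": "var autosaveLast = '';\n",
            "wp-includes/js/jquery/jquery.js": "/* library placeholder */\n",
        },
        "site": {  # l10n.js has an appended line, jquery.js was deleted, one file is extra
            "wp-includes/js/l10n.js": "function convertEntities(o) { return o; }\n/* appended */\n",
            "wp-includes/js/autosave.js": "var autosaveLast = '';\n",
            "wp-includes/js/cache.php": "<?php /* placeholder, not in the release */\n",
        },
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return base / "site", base / "clean"

if __name__ == "__main__":
    print(compare_core(*build_demo()))
```

Themes and plugins under `wp-content` are outside this comparison and need the same check against their original packages.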

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: Wordpress with Mal:URL
« Reply #21 on: August 31, 2011, 11:34:03 AM »
Quote
Apparently there was a security hole in timthumb (which is used by many people running WordPress) which allows a file to be uploaded and then copied elsewhere on the server, where it then spreads


TimThumb.php Vulnerability Not Only Affecting Themes – Plugins too
http://blog.sucuri.net/2011/08/timthumb-php-vulnerability-not-only-affecting-themes-plugins-too-vslider.html

Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned
http://blog.sucuri.net/2011/08/attacks-against-timthumb-php-in-the-wild-list-of-themes-and-plugins-being-scanned.html

Mass Infection of WordPress Sites Due to TimThumb ( counter-wordpress dot com )
http://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html

TimThumb.php attacks – Now using googlesafebrowsing dot com
http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-using-googlesafebrowsing-com.html

TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site
http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-being-used-for-blackhat-spam-seo-and-maybe-break-your-site.html