Author Topic: JS:Small-C in WP blogs... NEED HELP!  (Read 3574 times)


Offline malcolm12

  • Newbie
  • *
  • Posts: 1
JS:Small-C in WP blogs... NEED HELP!
« on: April 05, 2010, 04:31:49 AM »
Hi,

I get Avast warnings about JS:Small-C on two WordPress blogs I set up for someone else, and which, of course, they've not updated WP versions in almost a year. I am trying to help them solve the issue.

In a previous thread on this topic, Mentalist suggested a way to delete the malicious code, but I could not make it work.

I went into the header.php folders both via C-Panel/File Manager AND with my FTP client (I use Core FTP Lite).

I found the following code, as suggested by mentalist:
<?php wp_head(); ?></head>

However, I cannot find ANY indication of the malicious code whether I access via either FTP or C-panel:
<script language=javascript>document.write(unescape('%3C%7 --- and etc

Help!

FYI, both blogs use a custom template created with Artisteer, if that is relevant. The blog sites are at:

hxxp://drpeelittle.com
hxxp://dancingfrogranch.com

Any suggestions MUCH appreciated!

Malcolm
« Last Edit: April 05, 2010, 05:16:36 AM by malcolm12 »

Jtaylor83

  • Guest
Re: JS:Small-C in WP blogs... NEED HELP!
« Reply #1 on: April 05, 2010, 04:51:12 AM »
Disable the links in your post by replacing http with hxxp.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89679
  • No support PMs thanks
Re: JS:Small-C in WP blogs... NEED HELP!
« Reply #2 on: April 05, 2010, 05:06:16 AM »
This would appear to be a hacked site as a result of an exploit of a vulnerability in old versions of WordPress. Ensure that you have the latest version of any content management software. It also looks like the favicon.ico file and possibly any custom 404 error page may also have been hacked.

The obfuscated script you mention is almost certainly what is being alerted on.

avast isn't alone in finding the index page of drpeelittle.com infected: http://www.virustotal.com/analisis/51035db5916e6d01f696de63b88f9d5a2f27edb6f1e63f71304cc7d7cc30f255-1270436225

psw

  • Guest
Re: JS:Small-C in WP blogs... NEED HELP!
« Reply #3 on: April 05, 2010, 06:44:28 AM »
In both of your cases, the obfuscated script in the HTML page transferred to the end user is located immediately between the tags </head> and <body>. So it is worth checking the code generating both the <head> and <body> sections.
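
One way to run the check described in the reply above against the HTML a browser actually receives (an added example, not part of the original thread): it reports anything sitting between </head> and <body> and statically decodes each document.write(unescape(...)) payload without executing it. The function name, regexes and sample pages are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches document.write(unescape('...')) with either quote style.
UNESCAPE_WRITE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)
# Captures whatever sits between the closing </head> and the opening <body>.
HEAD_BODY_GAP = re.compile(r"</head\s*>(.*?)<body\b", re.IGNORECASE | re.DOTALL)


def find_injected_scripts(html):
    """Return findings for content located between </head> and <body>.

    Each finding holds the raw gap content and the statically decoded
    payload of every document.write(unescape(...)) call inside it.
    Nothing is executed; unquote() only reverses %XX percent-encoding
    (the legacy %uXXXX form that unescape() also accepts is left as-is).
    """
    findings = []
    for gap in HEAD_BODY_GAP.finditer(html):
        content = gap.group(1).strip()
        if not content:
            continue  # a clean page has only whitespace here
        decoded = [unquote(m.group(2)) for m in UNESCAPE_WRITE.finditer(content)]
        findings.append({"offset": gap.start(1), "raw": content, "decoded": decoded})
    return findings


# Constructed sample pages: the encoded string decodes to a harmless marker
# element standing in for whatever a real injected script would write.
SAMPLE_INFECTED = (
    "<html><head><title>Blog</title></head>\n"
    "<script language=javascript>document.write(unescape("
    "'%3Cdiv%20id%3D%22constructed-marker%22%3E%3C%2Fdiv%3E'));</script>\n"
    "<body><p>Post</p></body></html>"
)
SAMPLE_CLEAN = "<html><head><title>Blog</title></head>\n<body><p>Post</p></body></html>"

if __name__ == "__main__":
    for name, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        hits = find_injected_scripts(page)
        print(name, "->", len(hits), "finding(s)")
        for hit in hits:
            print("  at offset", hit["offset"], "decoded:", hit["decoded"])
```

Feed it the saved page source as served by the site rather than a template file, so the result does not depend on which server-side file emits the script.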

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34062
  • malware fighter
Re: JS:Small-C in WP blogs... NEED HELP!
« Reply #4 on: April 05, 2010, 08:35:31 PM »
Hi malcolm12,

The second site has this:
File information
Report date:     2010-04-05 20:25:17 (GMT 1)
File name:       index
File size:       26536 bytes
MD5 hash:        9bc9899b462a9d1520269784b33289dd
SHA1 hash:       d0c4ab5b9adf07e9f7c2b328ab679f6660244286
Detection rate:  10 on 21 (48%)
Status:          INFECTED

Antivirus       Database      Engine         Result
a-squared       05/04/2010    4.5.0.8        Trojan-Clicker.JS.Agent!IK
Avast           100331-1      4.8.1368       JS:Small-C [Trj]
AVG             271.1.1/2792  9.0.0.725      JS/Downloader.Agent
Avira AntiVir   7.10.6.24     7.6.0.59       JS/Crypt.o
BitDefender     05/04/2010    7.0.0.2555     Trojan.JS.Iframe.AED
ClamAV          28/03/2010    0.95.3         -
Comodo          3468          3.13.579       -
Dr.Web          05/04/2010    5.0            VBS.Psyme.377
Ewido           05/04/2010    -              -
F-PROT6         20100405      6.3.3.4884     -
G-Data          19.9309       2.0.7309.847   JS:Small-C [Trj] B
Ikarus T3       05/04/2010    1001074        Trojan-Clicker.JS.Agent
Kaspersky       05/04/2010    9.0.0.736      Trojan-Clicker.JS.Agent.ma
McAfee          31/03/2010    5.1.0.0        JS/Wonka trojan
NOD32           5002          4.0.474        -
Panda           05/04/2010    9.5.2          -
Solo            05/04/2010    8.0            -
TrendMicro      939           9.120-1004     -
VBA32           05/04/2010    3.12.12.2      -
VirusBuster     12.23.14.0    1.5.5.0        -
Zoner           05/04/2010    0.2

The obfuscated inline script found is attached on the screendump pic of the XSS exploit
because of weak PHP,

polonus
« Last Edit: April 05, 2010, 08:39:55 PM by polonus »