• Resolved digistep

    (@digistep)


    I was asked to look at an infected wp install where the logon page was something other than a wp thing.

    After further investigation I found that the /wp-admin/includes/file.php was totally rewritten. It looks to be a highly complex file containing 1953 lines of pure evil. For lack of a better name, I will call it “spiderpass” because this is the name value for the password element of the form that was presented on the bogus logon page.

    Does anyone want to see it? I don’t know how to ship it to you because my virus checker immediately flags it.

    Anyways, I was able to fix wp by simply removing this file and replacing it with a proper one and the site was back in business.

    I hope others find this useful and if people want to see it, let me know.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Spiderpass virus found’ is closed to new replies.
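
An added example, not part of the original post or of any WordPress tooling: because the post traced the infection to a rewritten /wp-admin/includes/file.php, this check compares an install's PHP files with a known-good path-to-MD5 manifest and flags files containing the reported `spiderpass` field name. It goes slightly beyond the post by also reporting missing and unexpected files; `audit_core`, `demo`, the manifest and the sample file contents are all constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

MARKER = b"spiderpass"  # password field name reported in the post


def audit_core(root, manifest):
    """Compare PHP files under root with a known-good {relative path: md5} manifest."""
    report = {"modified": [], "missing": [], "unexpected": [], "marker": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)  # content differs from the clean copy
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            report["unexpected"].append(rel)  # file that no clean install ships
        if MARKER in path.read_bytes().lower():
            report["marker"].append(rel)
    return report


def demo():
    """Build a constructed tree, tamper with it, and return the audit report."""
    clean = {  # constructed stand-ins, not real WordPress source
        "wp-admin/includes/file.php": b"<?php // stand-in for the core file\n",
        "wp-login.php": b"<?php // stand-in for the login page\n",
    }
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        # Constructed tampering: core file replaced by a form using the reported name.
        (root / "wp-admin/includes/file.php").write_bytes(
            b'<?php echo \'<input type="password" name="spiderpass">\';\n')
        (root / "wp-login.php").unlink()
        (root / "wp-admin/extra.php").write_bytes(b"<?php // constructed dropped file\n")
        return audit_core(root, manifest)


if __name__ == "__main__":
    print(demo())
```

On a real site the manifest would be built from a clean copy of the same WordPress version; WP-CLI's `wp core verify-checksums` performs a comparable check of core files.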