My website redirects to a malwaresite

748252
15 years, 9 months ago

Hi, Im using the latest WordPress and thought I was safe from hackers and script-exploits but apperently I was wrong.

My website, http://wazzap.se, redirect to http://winantivirus2008.org/freescan/?id=68 which perfomes a fake virusscan. I cant find any changes in my files, and I cant figure out how this happend or how I remove it and make sure it doesnt happend again.
Im really stunned, have anyone else experienced something similiar?
I do not got virus or spyware in my computer, and the servers havnt been hacked (servage-server).

I found this in the sourcecode (ctrl+u) but cant find it in the actual files: <meta http-equiv=”Refresh” content=”0; url=http://winantivirus2008.org/freescan/?id=68″>

Any help is appreciated!

Viewing 15 replies - 1 through 15 (of 15 total)

whooami
(@whooami)

15 years, 9 months ago

I found this in the sourcecode (ctrl+u) but cant find it in the actual files: <meta http-equiv=”Refresh” content=”0; url=http://winantivirus2008.org/freescan/?id=68″>

then you havent looked hard enough. 😛 since its at the bottom of the page — check your theme’s footer.php

Thread Starter 748252

15 years, 9 months ago

I found the code in wp-blog-header.php

whooami
(@whooami)

15 years, 9 months ago

good job, that would have been my second suggestion. 🙂 did you happen to notice what the date stamp on that file was before you edited it? And what are it’s permissions?

Thread Starter 748252

15 years, 9 months ago

2008-07-10 17:51 (timezon +1)

Thread Starter 748252

15 years, 9 months ago

The permissions is -rw-r–r–

Could it be a plug-in that is vulnerable, got the following:

Akismet 2.0.2
Audio player 1.2.3
Kimili Flash Embed 1.4
myGallery 1.4b10
PHP Exec 1.7
QuickTime Embed 0.1

whooami
(@whooami)

15 years, 9 months ago

there is an exploit for mygallery on milw0rm

WordPress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability

Thread Starter 748252

15 years, 9 months ago

It says that the expolit is fixed in 1.4b7, so 1.4b10 should be fine I think. If its not a new unfound exploit.

http://blogsecurity.net/wordpress/blogwatch/blogwatch/

UseShots
(@useshots)

15 years, 9 months ago

Did you try the WordPress Exploit Scanner? It can find more traces of the exploit. It also scans the database.

Let us know if you find something interesting.
Thread Starter 748252

15 years, 9 months ago
Didnt know about the exploit scanner, thank you. It finds this two files suspicious, highlighted words in bold:

/…/wazzap.se/wordpress/wp-content/plugins/mygallery/myfunctions/mygallinfo.php
```
le="text-align:center;display:none" id="phpinfo"><<strong>iframe src</strong>="<?php echo myGalleryURL;?>myfunctions/serversettings.php" width="90%" height="400" name="system info">
    </iframe></div>
    </div>
    <?php

    ?>
```
/…/wazzap.se/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php

` rror(“PSpell support was not found.”);

$data = shell_exec($cmd);
@unlink($this->_tmpfile);

$returnData = array();
$dataArr = preg_split(“/[\r\n]/”, $data, -1, PREG_SPLIT_NO_EMPTY);

foreach ($dataArr as $dstr) {
$matches = array();

// Skip this line.
if (strpos($dstr, “@”) ===

throwError(“Error opening tmp file.”);

$data = shell_exec($cmd);
@unlink($this->_tmpfile);

$returnData = array();
$dataArr = preg_split(“/\n/”, $data, -1, PREG_SPLIT_NO_EMPTY);

foreach($dataArr as $dstr) {
$matches = array();

// Skip this line.
if (strpos($dstr, “@”) === 0)`

What do you read from that?
Thread Starter 748252

15 years, 9 months ago

That looks like a mess =P

Shortly the searchresult are “iframe scr” in mygallinfo.php and
“shell_exec(” in PSpellShell.php

whooami
(@whooami)

15 years, 9 months ago

I understood it, mess or no :).. Suffice to say that your mygallery plugin installation was exploited. The other is a php root shell.. they had the run of your site once that had been uploaded.

Change ALL of your passwords, especially the one for MySQL thats inside your wp-config.php. You will obviously need to change the password in that file to accommodate the change.

If your host uses cpanel, AND you are using your cpanel login name for your mysql username, you can change that password in cpanel very easily. It will, however, affect ALL of your connections using that username though — ftp, cpanel login, mysql, etc..

In this case though, thats good, since if you are using cpanel, and someone read your wp-config.php, they also have your ftp password.

Your username was gotten the day they uploaded the PHP root shell.

You might also consider making sure that you were running that particular version of that plugin that was newer than the one listed on milw0rm.com.. and if so, I would be contacting the plugin author and letting him know.

Obviously, if one hole was fixed, another still exists.

UseShots
(@useshots)

15 years, 9 months ago

To me, the highlighted code looks legitimate.

The original mygallinfo.php (from authors website) file looks the same. The iframe displays phpinfo(). I just wonder why it is hidden.

The PSpellShell.php file is also the same as in the original WordPress package.

The exploit scanner just notifies that the code looks suspicious. (Similar code may be used for malicious purpose)

whooami
(@whooami)

15 years, 9 months ago

yeh youre right — I didnt even look at the files.

Nevermind.

Time for me to not try to look at stuff after having worked all night.

Thread Starter 748252

15 years, 9 months ago

Ok, so the mystery remains I guess, how could they sneak in their code in my wp-blog-header.php?

UseShots
(@useshots)

15 years, 9 months ago

If you know the time stamp of the infected file, you might want to check server logs for that time. Maybe you’ll be abe to locate some suspicious request.

Anyway, change your passwords and regularly check your site.

Viewing 15 replies - 1 through 15 (of 15 total)

The topic ‘My website redirects to a malwaresite’ is closed to new replies.

My website redirects to a malwaresite

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics