WordPress.org

Ready to get started?Download WordPress

Forums

Trojan.Anserin (11 posts)

  1. MrMarco
    Member
    Posted 8 years ago #

    I hope someone here can help me on this one.

    I was told my blog was sending out Trojan.Anserin (a trojan horse downloader). I contact my hosting company and they did in fact confirm the code and removed it. In their words:

    "First step would be to update your WordPress install. This is a common exploit in unpatched versions of WP."

    I have the latest version (I think) 2.0.3. Is there some kind of patch I need? If so where do I find it so I don't infect the world.

    Thanks for your time and help.

  2. MrMarco
    Member
    Posted 8 years ago #

    An email I just received from my hosting company said this about the problem:

    "It's an exploit in the wordpress code. When the php dynamically generates your index page it is getting that javascript inserted."

    Hopefully one of you guys understands what that means. I kind of understand it but I have no idea what to do about it but come here and ask.

    Thanks again,
    Marco

  3. spencerp
    Member
    Posted 8 years ago #

    Just curious, but..what are your WordPress files chmodded by default, by the host? If they are not Chmodded 644, "they/the host" are WRONG..

    I believe it's supposed to be:
    Folders => 755
    Files => 644

    spencerp

    I just can't see how javascript is being added to the WP index.php file, if it's NOT WRITABLE.. Unless, I'm too sober, and not thinking right.. this tends to happen too lmao!!

  4. MrMarco
    Member
    Posted 8 years ago #

    Spencer - Thanx for the reply. All my folders, including index.php, are in fact 755 but the files are 666. The exceptions are, photos folder and uploads folder both at 777. I know this is not great.

    I also have zipped downloads. Would they be the possible culprit? If I remember correctly the chmod needed to be changed for those 2 folders to get the feeds.

    I have changed the photos folder back to 755. I cannot change the uploads folder to 755. I get the following error:

    FTP error: SITE CHMOD command failed. (uploads)

    I need a drink!

  5. spencerp
    Member
    Posted 8 years ago #

    files are 666

    This is *still* Writable.. go through, and make sure *all* the files are 644. .htaccess file, if you have one.. 555, I think it is..

    For the image folders..I think some hosts would almost need them to be 777 so you can upload the images properly or whatever.. =/

    As for them saying, "This is a common exploit in unpatched versions of WP."

    They *are* FULL of SHIT.. excuse the "french" please lol!

    spencerp

    Some times I *feel* like having a drink, but then I remember.. I'd screw up my 5 1/2 months of being clean and sober.. LOL! Not sure if that's what you meant by "drink" of course haha [cough] hmm

  6. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Copy this to your host, then watch them go all quiet:

    "If your host genuinely believes that WordPress has a vulnerability that they have discovered they owe it to the wider community to submit that information - without delay - to security@wordpress.org. Until then, it’s entirely their problem."

  7. buraak
    Member
    Posted 8 years ago #

    Just curious, but..what are your WordPress files chmodded by default, by the host? If they are not Chmodded 644, "they/the host" are WRONG..

    I believe it's supposed to be:
    Folders => 755
    Files => 644

    spencerp

    I just can't see how javascript is being added to the WP index.php file, if it's NOT WRITABLE.. Unless, I'm too sober, and not thinking right.. this tends to happen too lmao!!

    Posted: 2006-07-11 05:20:34 #

  8. MrMarco
    Member
    Posted 8 years ago #

    Spencer - First, Congratulations on 5 1/2 months bro! Second I did send them an email with Podz quote, I'll let you know their response.

    Here are a couple of quotes from their emails:

    [i]"I noticed you also have a link to zipped content. You may want to try cleaning up your templates to determine where the exploit is in the template."[/i]

    [i]"WordPress dynamically generates your page when your page loads. All your index.php has on it is:

    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./wp-blog-header.php');
    ?>

    From the above code your page is generated each time a surfer hits it. Somewhere during the page generation process that javascript is being inserted in with the html. Try using a new template with the minimal features to see if you can determine where the actual exploit is. Try just a basic page with some text on it and then view the source to see if the javascript was inserted."[/i]

  9. MrMarco
    Member
    Posted 8 years ago #

    lol - I guess that's not the way to italicize the text here.

  10. MrMarco
    Member
    Posted 8 years ago #

    *UPDATE*

    It seems more and more that the culprit is the template itself. Seems it has a counter attached and the trojan is part of it. I'm going to trash the template... contact the dude who made it... and try to find another one I like.

    ...Oh the drama! LMAO

  11. spencerp
    Member
    Posted 8 years ago #

    What "theme" are you talking about lol? It should not matter of the "theme" you are using, it boils down to CHMODDING the files 644..

    Even if you want to "edit" the theme files, via the blog's control panel, you should use the 666, but then when done.. go back and chmod them all 644..

    Ask your host, by default.. if they can have files chmod 644..INSTEAD of 666. My host changed it all up for me, when I asked them..

    I just think your host likes playing the "blame game" and likes throwing the "blame" at WordPress for their fluck ups..

    spencerp

    You most likely should start over, basically do a "fresh" upgrade to the blog.. remove all the WP files that you'd normally remove during an upgrade. EXCEPT these three things: wp-config.php, wp-config-sample.php and the wp-content/ directory.. (Or, special plugin files..maybe even remove them too.. hard to say..)

    Reupload a "Fresh" copy of WordPress.. then, scrap that "theme" that you used while it was attacked or whatever.. Reupload a "FRESH" copy of it again..chmod them files 644.. and all other normal WordPress files 644.

Topic Closed

This topic has been closed to new replies.

About this Topic