[resolved] Virus warnings on my wordpress blog (17 posts)

  1. sustainorder
    Member
    Posted 5 years ago #

    Suddenly my blog's visitors started reporting virus warnings, and today I got one as well.
    I have no idea what might be causing this. I clicked on the link the message gave and it said that the site was infected with suspicious malware, and was flagged.
    I have no idea where this came from.

    Could a piece of javascript (+add this) be causing an alarm? I've included it in the main index template around the time the virus was being reported, but I doubt this would be the cause. Other than that, I don't suspect any plugins.
    Could it be wordpress, the newest version?

  2. EMG
    Forum Volunteer
    Posted 5 years ago #

    Not WordPress itself I don't think as all of us who have recently upgraded would have this problem. I upgraded recently and have not experienced such problems.

    Must be either a plugin, scripting code, or someone plain hacked your WordPress.

    What exactly was the message?

    Does disabling all your added scripts and plugins get rid of this problem? Do you have any added posts or pages you're not aware of? Any links added that you don't know of?

  3. ClaytonJames
    Member
    Posted 5 years ago #

    How about a link to your site. It doesn't have to be "clickable" of course... Perhaps some brave soul with nothing left to lose but time, will brave the solitary trek of reckless abandon across the post-apocalyptic wasteland of your site, and take a look.

    (Sorry. I'm watching "Mad Max" ...Again!)

    :P

  4. sustainorder
    Member
    Posted 5 years ago #

    Lol u guys.. ha ha!
    Well ok, let's go for it: knutisweekly.com (I do the actual tech support on the magazine), and write articles for the Green Corner.

    I started by going to the host to let them do checks. I'll start combing the site later, and if you want you can help me. Thnx!

  5. ClaytonJames
    Member
    Posted 5 years ago #

    One hit on a suspicious "obfuscated" inline script. Not necessarily a problem, but suspicious.

    var ecov = "pa-v";
    document.write(unescape("%3Cscript src='http://eco-safe.com/js/eco.js' type='tex...

    Ring any bells? If that is your recent script, perhaps it might be triggering something in some anti-virus products. May not have anything to do with it at all.

    'Kay. Quick update to that. I got AVG to hit in IE8. Here is the warning:

    file name cqodezuz.cn/vvd

    Video streaming microsoft ActiveX Exploit. (type704) Ya'll got something goin' on! Time to do some research.

    http://www.google.com/#hl=en&q=cqodezuz.cn%2Fvvd&btnG=Google+Search&aq=f&oq=&aqi=&fp=-Pw1cEIpNGU

    Good luck to you!

    Me and Mad Max are going to go hose down my IE cache now. ..yikes...
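
Added example, not part of the original thread: the inline script quoted in the post above hides a `<script>` tag inside an `unescape("...")` string, so a plain search of the page source for remote script tags misses it. This Node.js sketch decodes such literals statically (nothing is executed or fetched) and lists every off-site script or iframe host against an allowlist; the function names, the `.example` hosts and the sample markup are constructed for illustration.

```javascript
// Added example (not from the thread). Sample markup and hosts are constructed.
const SAME_SITE = "http://same-site.invalid"; // placeholder base for relative URLs

// Decode %XX and %uXXXX in one pass, as the legacy unescape() would.
function decodeLegacyEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Collect every string literal passed directly to unescape(...), decoded.
function decodedFragments(html) {
  const re = /unescape\(\s*(["'])((?:\\.|(?!\1).)*)\1/g;
  const out = [];
  for (const m of html.matchAll(re)) out.push(decodeLegacyEscapes(m[2]));
  return out;
}

// List off-site <script>/<iframe> sources found in a piece of markup.
function remoteLoads(text, obfuscated, allowed) {
  const re = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const hits = [];
  for (const m of text.matchAll(re)) {
    let host;
    try { host = new URL(m[2], SAME_SITE).hostname; } catch { continue; }
    if (host === "same-site.invalid") continue; // relative URL, same origin
    hits.push({ tag: m[1].toLowerCase(), host, obfuscated, allowed: allowed.has(host) });
  }
  return hits;
}

// Scan the raw page first, then each decoded unescape() fragment.
function auditPage(html, allowedHosts) {
  const allowed = new Set(allowedHosts);
  const hits = remoteLoads(html, false, allowed);
  for (const frag of decodedFragments(html)) hits.push(...remoteLoads(frag, true, allowed));
  return hits;
}

// Constructed sample page: a local script, a badge loaded via unescape(), an iframe.
const SAMPLE = [
  '<script src="/wp-includes/js/jquery/jquery.js"></script>',
  '<script>document.write(unescape("%3Cscript src=\'http://badge.example/b.js\'%3E%3C/script%3E"));</script>',
  '<iframe src="http://unknown-host.example/x" width="1" height="1"></iframe>',
].join("\n");

for (const h of auditPage(SAMPLE, ["badge.example"])) {
  console.log(`${h.allowed ? "ok    " : "REVIEW"} ${h.tag} ${h.host}` + (h.obfuscated ? " (inside unescape)" : ""));
}
```

Run it over the saved source of both the public pages and the Dashboard; any host marked REVIEW that nobody on the site added is the place to start looking in the theme files, widgets and database.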

  6. ClaytonJames
    Member
    Posted 5 years ago #

  7. sustainorder
    Member
    Posted 5 years ago #

    YES! this is it:
    cqodezuz.cn/vvd
    This is the link I received in the alert.
    What is it???

    The previous one is a badge javascript code that has been there forever.

  8. ClaytonJames
    Member
    Posted 5 years ago #

    I found that script in your sidebar "Meta" widget. The script is for downloading or emailing a page of your site in .pdf format. Considering the Adobe Reader references in the above link, I would think that might be a good place to start looking.

  9. sustainorder
    Member
    Posted 5 years ago #

    That widget has been there forever too without problems.
    I didn't add anything new to the sidebar since the problem started.

    Where and how did you get the cqodezuz.cn alert?

  10. sustainorder
    Member
    Posted 5 years ago #

    What is also weird is that the alert sometimes happens when I am in the admin panel on the blog, not on the home page.
    And it doesn't always happen, and not to everybody, so maybe this is a browser/firewall issue.

  11. ClaytonJames
    Member
    Posted 5 years ago #

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

    The "Adobe Acrobat getIcon() Stack Overflow Vulnerability" really made me suspicious of the integrity of the source for the .pdf print script. It's on someone else's server, so who knows what could happen. I don't think the firewall has anything to do with it. Post back if you get to the source of the problem.

    Best of Luck.

  12. EMG
    Forum Volunteer
    Posted 5 years ago #

    Different people run different antivirus software and so depending, they might or might not run into the issue or if they do, they might not even realize it?

  13. sustainorder
    Member
    Posted 5 years ago #

    Clayton, I have no idea what that stuff means, from the link you gave me.
    Like I said before, the eco-safe badge has been there for half a year and caused no problems.
    The host ran a scan and found no virus infection, and nothing that would trigger any alerts of any sort.
    Would reinstalling everything help?

  14. ClaytonJames
    Member
    Posted 5 years ago #

    Sounds a bit like overkill, and probably very premature. The actual code on your site may be completely benign. But, it could be caused by someone you link to that has the actual source of infection/hack (such as a remote javascript, iframe, media files, etc.). Perhaps seeking experienced third party assistance for reviewing your files and database would be the most productive and prudent at this time. Check with your IT guys and see who they have in their contacts list. I'm afraid beyond that, I'm out of rational ideas.

  15. sustainorder
    Member
    Posted 5 years ago #

    I just got the alert AGAIN.
    The link goes to:
    http://google.com/safebrowsing/diagnostic?tpl=safari&site=cqodezuz.cn&hl=en-us
    and from that to:
    http://google.com/safebrowsing/diagnostic?site=AS:49093&hl=en-us

    Maybe we've brought a foreign code by pasting a video source code from another site. It could be a number of things.
    So reinstalling everything wouldn't make a difference in that case, you're right.
    I don't like such situations like this one. I feel completely helpless.

  16. sustainorder
    Member
    Posted 4 years ago #

    Just wanted to update, sadly I still haven't been able to get rid of the annoying alert after reloading everything.
    Now it won't let me do anything within wordpress, and keeps alerting me with every single click. Not on the WP blog surface- there the alerts have disappeared but they continue on the Dashboard.

    It doesn't seem to be a regular google alert.

  17. sustainorder
    Member
    Posted 4 years ago #

    Update: issue fixed. I found that simply blocking new registration to the blog fixes the problem, and alongside that, reinstalling WordPress using the automatic feature WordPress now provides gets rid of altered files and prevents the hackers from accessing the admin area.
    These weren't virus infections at all, just a way for hackers to advertise an anti-virus program.
    Case closed, for now.

This topic has been closed to new replies.