Posted 2 years ago #
I have started to get a "XML parsing error" from my website http://www.glamourgrannytravels.com
W3C Validator says that it is coming from line 195:
<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">
This is directly after the </rss> line.
I have no idea how to clear the problem!! Could somebody please explain the problem, how this line got there after the site is over 4 months old and most importantly how to solve it.
Thank you in advance.
Have you tried:
- checking through Troubleshooting WordPress 3.1 - Master List
- deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).
- switching to the Twenty Ten theme to rule out any theme-specific problems.
- resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.
Posted 2 years ago #
Thank you for your response. I have tried all of these suggestions but none of them worked.
Please suggest another way of solving this problem.
Try looking in your theme's footer.php template file. You've got a whole load of code outside of the </body></html> tags.
Posted 2 years ago #
You or someone who also uses your FTP data had got a trojan --> win32/kryptik
This trojan sents all your FTP data and passwords to someone who than uses it to change all index.html and index.php files on your server and adds to the end a string like <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">
the number at the end changes on every file...
I had it today for a few customers on Joomla sites
John Bekker
SJL Creations
Posted 2 years ago #
Anyone know how to fully remove this trojan? In my web site hosting i saw this line end of file: <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">. Also in my hosting was IP: 46.252.134.6. Help.
Posted 2 years ago #
Sorry, 'emsi', I'm not newbie and this not helps, I'm not using WordPress. It's was on no CMS website.
Then why are you posting on a WordPress support forum?
Posted 2 years ago #
Thank you John. You was right. I removed the code from the index.php and it sorted it out. Unfortunately I have now found it on some of my other sites I look after :-(
So it looks like virus scans all night and then checking the other sites.
Thanks again John.
Posted 2 years ago #
"So it looks like virus scans all night and then checking the other sites."
REMEMBER: its NOT wordpress that got hacked but YOUR PC
//find all string imgaaa.net in all subdirs
grep -lr imgaaa.net . > bad.txt
Posted 2 years ago #
@emsi - it makes sense to post here. Be it only to make clear it is not a WP epxloit (what one might think at first) - We have also Joomla, and custom coded websites affected by this.
Important Note: the attack comes in two stages. In stage one you see the html code injected as above.
About a day later I see uploads of files that have names like "23.php" or "56.php" - allways a two digit number.
Those files are start with something like:
<? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ...UQ=='))); ?>
I haven't yet decoded the binary to see what it does.
You also see an upload of a .htaccess file wit this content:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]
</IfModule>Where the binary code is being uncompressed and executed.
From what I can see on my behalf I suspect the involvement of the TR/Crypt.XPACK.Gen Trojan - but I can not yet 100% confirm it.
Sven
Posted 2 years ago #
Sven, you're right its not a WP bug of hole but the initial attack comes from a Trojan on your PC...
After getting you FTP data it changes the index.php and index.html files on the FTP servers...
Did not know about the second step. Fortunately i changed all FTP passwords..
Posted 2 years ago #
Yes it starts with a Trojan - what bothers me is the 2 step approach. I don't quite understand what the motivation is. If the Trojan sends out the passwords - why do they need the HTML injection to report the URL back? The Trojan could tell them...
Posted 2 years ago #
maby they use the injection to check if the site is monitored and only infect sites that call back for a while...
Posted 2 years ago #
@jbekker - yes I thought about this. Or maybe to clean the incoming passwords from outdated login data, that doesn't work anymore and have only passwords that still work.
But the "price" for this would be an extreme high detection rate. If you look around the internet - almost all discussion start because a website didn't work anymore. Just appending a html code will brake many Scripts even such popular like WP and Joomla.
So why provoke such a high attention/detection rate?
What comes to my mind is: to divert our attention from what they are really doing. I have seen this once before: A very obvious attack, easy to detect and easy to clean up. At the same time a very smart hidden backdoor was installed, which you might not notice because you clean up the easy, obvious stuff.
Sven
Posted 2 years ago #
Posted 2 years ago #
so far ther's another two topics dealing with the same issue:
malicious 96.php in wordpress
RSS feed won't validate, junk after document element
The big question is: how this trojans got our "secured" ftp passwords? I'm using FileZilla as a client, what about you?
Hi,
Can anyone send me this 96.php (or whatever it is called on your server) file? I believe, there may be some more files involved. You can contact me here.
http://www.UnmaskParasites.com/contact/
@jbekker: How do you know about the "win32/kryptik"? (I agree that passwords stealling malware may be involved. I just want to know how you figured out it was "win32/kryptik". Did you find it on computer of webmasters?)
Posted 2 years ago #
here's the content of this nasty thing:
[Code moderated as per the Forum Rules. Please use the pastebin]
it writes also to index.php and htaccess and leaves some html pages in the logs folder of the website.
Posted 2 years ago #
@UseShots I blamed the Kryptik because the outbreak occurred after the virus warning popped up on the laptop.
Posted 2 years ago #
Sorry moderator forposting the file directly on the thread, I put it now on http://pastebin.com/0JRY8GcX
Thanks @jbekker and @Abdessamad Idrissi.
Did you notice the .log/ directory or some other directory whose name begins with the "."?
Posted 2 years ago #
@UseShots I looked for .(dot) directories but did not found any.
I Changed all FTP passwords right after discovery of the breach...
So this might have helped preventing the next step in the attack
I checked the FTP logs and all index.php and index.html files where uploade using FTP from IP 46.252.130.109
Hi,
I checked hundreds of infected sites (with nn.php scripts) and almost every one of them contained the ".log/<domain_name>" directory next to that script. The directory contains cached spammy pages and attack maintenance files (e.g. malicious scripts).
Can anyone who found such nn.php files on their site please contact me?
http://www.UnmaskParasites.com/contact/ (even if you've already removed them). I need some additional information.
Thanks for your help!
Posted 2 years ago #
I checked my ftp logs and found the bad guys who put this files come from from this IP 91.200.240.10 which leads to Ukrain
Another bad thing is the fact that google says in his search results that my website is pirated! just next to the result title!
fortunately I used google webmaster tool to report this and was corrected the next day.
Again, change all your ftp passwords; I forget one password and the virus hit me again. it planted a file in the wordpress/wp-admin/41.php
Posted 2 years ago #
Please everybody, tell us what ftp client do you use?
I would like to know how did this a** h**** (sorry for my bad language!) got my passwords?
I use the latest version of FileZilla ftp client for windows.
(and a big security hole: i saved all my pases in a word document with a strong password)
what about you?
Posted 2 years ago #
I was also using Filezilla. And filezilla save your passwords in clear text.
So after changing all passwords i did not save them anymore in Filzilla
Posted 2 years ago #
Hello everybody and thanks for all the comments and questions.
I started this thread about a month a go because I had the problem on one of my websites. After reading the replies I soon discovered that I had the same problem on all of the websites I look after (around 20 of them!!) What a weekend I had deleting and changing passwords. It also created problems with the feeds on the wordpress sites with one site being banned because of this problem.
I have noticed that there is a little bit of a reacurring theme in a lot of the replies, that is - that FileZilla is used by people with the problem. I to use the program for file transfers and have done for a number of years. I am going to post on FileZilla forum today to see what response I get from them.
Anyway, after a month I have just discovered that it is back on one of my sites (and I haven't checked the others yet due to having to delete over 15,000 files added to the site!!!). My question is this - as anybody got a definitive answer in how to remove this problrm for good? And how did it start? I have AVG antivirus and adaware with automatic virus checks setup for 4 times a week. Yes, I have had viruses on my computer but I have not worked on some of the sites that got infected for months but they still got infected - How?
This is the most frustrating time for me because I have people relying on me to look after there sites.
This topic has been closed to new replies.
