Worm in WP Responder Email Newsletter and Autoresponder Plugin???
-
Avira Antivir allerts an infection with JS/Zhelatin ZB worm in viewbroadcast.php
In that file I find a <script>-tag:
<script> function base64Decode(data){data=data.replace(/[^a-z0-9\+\/=]/ig,'');if(typeof(atob)=='function')return atob(data);var b64_map='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var byte1,byte2,byte3;var ch1,ch2,ch3,ch4;var result=new Array();var j=0;while((data.length%4)!=0){data+='=';} for(var i=0;i<data.length;i+=4){ch1=b64_map.indexOf(data.charAt(i));ch2=b64_map.indexOf(data.charAt(i+1));ch3=b64_map.indexOf(data.charAt(i+2));ch4=b64_map.indexOf(data.charAt(i+3));byte1=(ch1<<2)|(ch2>>4);byte2=((ch2&15)<<4)|(ch3>>2);byte3=((ch3&3)<<6)|ch4;result[j++]=String.fromCharCode(byte1);if(ch3!=64)result[j++]=String.fromCharCode(byte2);if(ch4!=64)result[j++]=String.fromCharCode(byte3);} return result.join('');} var theFrame = document.getElementById('htmlbodyframe'); var thecontent = '<?php echo base64_encode($output['HTML Body']) ?>'; theFrame.contentDocument.write(base64Decode(thecontent)); </script></td>
Whats up there? This is the only plugin I downloaded today with such an infection.
Edit: plugin page: http://wordpress.org/extend/plugins/wp-responder-email-autoresponder-and-newsletter-plugin/
Viewing 6 replies - 1 through 6 (of 6 total)
Viewing 6 replies - 1 through 6 (of 6 total)
- The topic ‘Worm in WP Responder Email Newsletter and Autoresponder Plugin???’ is closed to new replies.