My website redirects to a malwaresite (16 posts)

  1. Anonymous
    Unregistered
    Posted 6 years ago #

    Hi, I'm using the latest WordPress and thought I was safe from hackers and script exploits, but apparently I was wrong.

    My website, http://wazzap.se, redirects to http://winantivirus2008.org/freescan/?id=68 which performs a fake virus scan. I can't find any changes in my files, and I can't figure out how this happened or how I remove it and make sure it doesn't happen again.
    I'm really stunned; has anyone else experienced something similar?
    I do not have a virus or spyware on my computer, and the servers haven't been hacked (servage server).

    I found this in the source code (ctrl+u) but can't find it in the actual files: <meta http-equiv="Refresh" content="0; url=http://winantivirus2008.org/freescan/?id=68">

    Any help is appreciated!

  2. whooami
    Member
    Posted 6 years ago #

    I found this in the source code (ctrl+u) but can't find it in the actual files: <meta http-equiv="Refresh" content="0; url=http://winantivirus2008.org/freescan/?id=68">

    then you haven't looked hard enough. :P since it's at the bottom of the page -- check your theme's footer.php

  3. Anonymous
    Unregistered
    Posted 6 years ago #

    I found the code in wp-blog-header.php

  4. whooami
    Member
    Posted 6 years ago #

    good job, that would have been my second suggestion. :) did you happen to notice what the date stamp on that file was before you edited it? And what are its permissions?

  5. Anonymous
    Unregistered
    Posted 6 years ago #

    2008-07-10 17:51 (timezone +1)

  6. Anonymous
    Unregistered
    Posted 6 years ago #

    The permissions are -rw-r--r--

    Could it be a plug-in that is vulnerable? I've got the following:

    Akismet 2.0.2
    Audio player 1.2.3
    Kimili Flash Embed 1.4
    myGallery 1.4b10
    PHP Exec 1.7
    QuickTime Embed 0.1

  7. whooami
    Member
    Posted 6 years ago #

    there is an exploit for mygallery on milw0rm

    WordPress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability

  8. Anonymous
    Unregistered
    Posted 6 years ago #

    It says that the exploit is fixed in 1.4b7, so 1.4b10 should be fine I think. If it's not a new unfound exploit.

    http://blogsecurity.net/wordpress/blogwatch/blogwatch/

  9. UseShots
    Member
    Posted 6 years ago #

    Did you try the WordPress Exploit Scanner? It can find more traces of the exploit. It also scans the database.

    Let us know if you find something interesting.

  10. Anonymous
    Unregistered
    Posted 6 years ago #

    Didn't know about the exploit scanner, thank you. It finds these two files suspicious, highlighted words in bold:

    /.../wazzap.se/wordpress/wp-content/plugins/mygallery/myfunctions/mygallinfo.php

        le="text-align:center;display:none" id="phpinfo"><iframe src="<?php echo myGalleryURL;?>myfunctions/serversettings.php" width="90%" height="400" name="system info">
        </iframe></div>
        </div>
        <?php

        ?>

    /.../wazzap.se/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php

        rror("PSpell support was not found.");

        $data = shell_exec($cmd);
        @unlink($this->_tmpfile);

        $returnData = array();
        $dataArr = preg_split("/[\r\n]/", $data, -1, PREG_SPLIT_NO_EMPTY);

        foreach ($dataArr as $dstr) {
            $matches = array();

            // Skip this line.
            if (strpos($dstr, "@") ===

        throwError("Error opening tmp file.");

        $data = shell_exec($cmd);
        @unlink($this->_tmpfile);

        $returnData = array();
        $dataArr = preg_split("/\n/", $data, -1, PREG_SPLIT_NO_EMPTY);

        foreach($dataArr as $dstr) {
            $matches = array();

            // Skip this line.
            if (strpos($dstr, "@") === 0)

    What do you read from that?

  11. Anonymous
    Unregistered
    Posted 6 years ago #

    That looks like a mess =P

    In short, the search results are "iframe src" in mygallinfo.php and
    "shell_exec(" in PSpellShell.php

  12. whooami
    Member
    Posted 6 years ago #

    I understood it, mess or no :).. Suffice to say that your mygallery plugin installation was exploited. The other is a php root shell.. they had the run of your site once that had been uploaded.

    Change ALL of your passwords, especially the one for MySQL that's inside your wp-config.php. You will obviously need to change the password in that file to accommodate the change.

    If your host uses cpanel, AND you are using your cpanel login name for your mysql username, you can change that password in cpanel very easily. It will, however, affect ALL of your connections using that username though -- ftp, cpanel login, mysql, etc..

    In this case though, that's good, since if you are using cpanel, and someone read your wp-config.php, they also have your ftp password.

    Your username was gotten the day they uploaded the PHP root shell.

    You might also consider making sure that you were running that particular version of that plugin that was newer than the one listed on milw0rm.com.. and if so, I would be contacting the plugin author and letting him know.

    Obviously, if one hole was fixed, another still exists.

  13. UseShots
    Member
    Posted 6 years ago #

    To me, the highlighted code looks legitimate.

    The original mygallinfo.php (from authors website) file looks the same. The iframe displays phpinfo(). I just wonder why it is hidden.

    The PSpellShell.php file is also the same as in the original WordPress package.

    The exploit scanner just notifies that the code looks suspicious. (Similar code may be used for malicious purpose)

  14. whooami
    Member
    Posted 6 years ago #

    yeah, you're right -- I didn't even look at the files.

    Nevermind.

    Time for me to not try to look at stuff after having worked all night.

  15. Anonymous
    Unregistered
    Posted 6 years ago #

    Ok, so the mystery remains I guess, how could they sneak their code into my wp-blog-header.php?

  16. UseShots
    Member
    Posted 6 years ago #

    If you know the time stamp of the infected file, you might want to check server logs for that time. Maybe you'll be able to locate some suspicious request.

    Anyway, change your passwords and regularly check your site.
