WordPress.org

Support

Support » How-To and Troubleshooting » My website redirects to a malwaresite

My website redirects to a malwaresite

  • Hi, Im using the latest WordPress and thought I was safe from hackers and script-exploits but apperently I was wrong.

    My website, http://wazzap.se, redirect to http://winantivirus2008.org/freescan/?id=68 which perfomes a fake virusscan. I cant find any changes in my files, and I cant figure out how this happend or how I remove it and make sure it doesnt happend again.
    Im really stunned, have anyone else experienced something similiar?
    I do not got virus or spyware in my computer, and the servers havnt been hacked (servage-server).

    I found this in the sourcecode (ctrl+u) but cant find it in the actual files: <meta http-equiv=”Refresh” content=”0; url=http://winantivirus2008.org/freescan/?id=68″>

    Any help is appreciated!

Viewing 15 replies - 1 through 15 (of 15 total)
  • whooami

    @whooami

    Member

    I found this in the sourcecode (ctrl+u) but cant find it in the actual files: <meta http-equiv=”Refresh” content=”0; url=http://winantivirus2008.org/freescan/?id=68″>

    then you havent looked hard enough. 😛 since its at the bottom of the page — check your theme’s footer.php

    I found the code in wp-blog-header.php

    whooami

    @whooami

    Member

    good job, that would have been my second suggestion. 🙂 did you happen to notice what the date stamp on that file was before you edited it? And what are it’s permissions?

    2008-07-10 17:51 (timezon +1)

    The permissions is -rw-r–r–

    Could it be a plug-in that is vulnerable, got the following:

    Akismet 2.0.2
    Audio player 1.2.3
    Kimili Flash Embed 1.4
    myGallery 1.4b10
    PHP Exec 1.7
    QuickTime Embed 0.1

    whooami

    @whooami

    Member

    there is an exploit for mygallery on milw0rm

    WordPress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability

    It says that the expolit is fixed in 1.4b7, so 1.4b10 should be fine I think. If its not a new unfound exploit.

    http://blogsecurity.net/wordpress/blogwatch/blogwatch/

    Did you try the WordPress Exploit Scanner? It can find more traces of the exploit. It also scans the database.

    Let us know if you find something interesting.

    Didnt know about the exploit scanner, thank you. It finds this two files suspicious, highlighted words in bold:

    /…/wazzap.se/wordpress/wp-content/plugins/mygallery/myfunctions/mygallinfo.php

    le="text-align:center;display:none" id="phpinfo"><<strong>iframe src</strong>="<?php echo myGalleryURL;?>myfunctions/serversettings.php" width="90%" height="400" name="system info">
        </iframe></div>
        </div>
        <?php
    
        ?>

    /…/wazzap.se/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php

    ` rror(“PSpell support was not found.”);

    $data = shell_exec($cmd);
    @unlink($this->_tmpfile);

    $returnData = array();
    $dataArr = preg_split(“/[\r\n]/”, $data, -1, PREG_SPLIT_NO_EMPTY);

    foreach ($dataArr as $dstr) {
    $matches = array();

    // Skip this line.
    if (strpos($dstr, “@”) ===

    throwError(“Error opening tmp file.”);

    $data = shell_exec($cmd);
    @unlink($this->_tmpfile);

    $returnData = array();
    $dataArr = preg_split(“/\n/”, $data, -1, PREG_SPLIT_NO_EMPTY);

    foreach($dataArr as $dstr) {
    $matches = array();

    // Skip this line.
    if (strpos($dstr, “@”) === 0)`

    What do you read from that?

    That looks like a mess =P

    Shortly the searchresult are “iframe scr” in mygallinfo.php and
    “shell_exec(” in PSpellShell.php

    whooami

    @whooami

    Member

    I understood it, mess or no :).. Suffice to say that your mygallery plugin installation was exploited. The other is a php root shell.. they had the run of your site once that had been uploaded.

    Change ALL of your passwords, especially the one for MySQL thats inside your wp-config.php. You will obviously need to change the password in that file to accommodate the change.

    If your host uses cpanel, AND you are using your cpanel login name for your mysql username, you can change that password in cpanel very easily. It will, however, affect ALL of your connections using that username though — ftp, cpanel login, mysql, etc..

    In this case though, thats good, since if you are using cpanel, and someone read your wp-config.php, they also have your ftp password.

    Your username was gotten the day they uploaded the PHP root shell.

    You might also consider making sure that you were running that particular version of that plugin that was newer than the one listed on milw0rm.com.. and if so, I would be contacting the plugin author and letting him know.

    Obviously, if one hole was fixed, another still exists.

    To me, the highlighted code looks legitimate.

    The original mygallinfo.php (from authors website) file looks the same. The iframe displays phpinfo(). I just wonder why it is hidden.

    The PSpellShell.php file is also the same as in the original WordPress package.

    The exploit scanner just notifies that the code looks suspicious. (Similar code may be used for malicious purpose)

    whooami

    @whooami

    Member

    yeh youre right — I didnt even look at the files.

    Nevermind.

    Time for me to not try to look at stuff after having worked all night.

    Ok, so the mystery remains I guess, how could they sneak in their code in my wp-blog-header.php?

    If you know the time stamp of the infected file, you might want to check server logs for that time. Maybe you’ll be abe to locate some suspicious request.

    Anyway, change your passwords and regularly check your site.

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘My website redirects to a malwaresite’ is closed to new replies.
Skip to toolbar