[resolved] Spiderpass virus found (6 posts)

  1. digistep
    Posted 4 years ago #

    I was asked to look at an infected wp install where the logon page was something other than a wp thing.

    After further investigation I found that the /wp-admin/includes/file.php was totally rewritten. It looks to be a highly complex file containing 1953 lines of pure evil. For lack of a better name, I will call it "spiderpass" because this is the name value for the password element of the form that was presented on the bogus logon page.

    Does anyone want to see it? I don't know how to ship it to you because my virus checker immediately flags it.

    Anyways, I was able to fix wp by simply removing this file and replacing it with a proper one and the site was back in business.

    I hope others find this useful and if people want to see it, let me know.

  2. Patrick Nommensen
    Posted 4 years ago #

    Good job - just replace with original file and secure permissions for the future.

  3. digistep
    Posted 4 years ago #

    What permissions do you recommend on this file?

    I would love to submit the infected file for others to see but don't know where to post it. It is an interesting php script.

    Thanks for your interest.

  4. Patrick Nommensen
    Posted 4 years ago #

    The WordPress administration area: all files should be writable only by your user account.


    http://pastebin.com/ is a great free tool to share php scripts longer than 10 lines.

  5. digistep
    Posted 3 years ago #

    Hi Patrick,

    The code of the attack has been posted to Pastebin and can be seen here:

  6. digistep
    Posted 3 years ago #

    Correction. Here is the link: http://pastebin.com/rx6E6KhP
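
The advice in this thread (put the original file back, then keep files writable only by your own account) can be checked across all of wp-admin and wp-includes instead of one file. The following is an added example, not code from any poster: a POSIX shell function that compares a live install with a freshly unpacked copy of the same WordPress version. The function name `audit_wp_core` and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit WordPress core directories against a pristine copy.
# Usage: audit_wp_core LIVE_ROOT CLEAN_ROOT
#   LIVE_ROOT  - document root of the install being checked (assumed path)
#   CLEAN_ROOT - unpacked official release of the SAME version (assumed path)
# Output, one finding per line:
#   MODIFIED <path>  content differs from the release (e.g. a rewritten file.php)
#   MISSING  <path>  shipped by the release but absent from the live site
#   EXTRA    <path>  present on the live site but not shipped by the release
#   WRITABLE <path>  writable by group or others, not only by the owner
# Limitation: file names containing newlines are not handled (core has none).
audit_wp_core() (
    live=$1
    clean=$2
    for dir in wp-admin wp-includes; do
        [ -d "$clean/$dir" ] || continue
        # Every file the release ships must exist and match byte for byte.
        (cd "$clean" && find "$dir" -type f) | while IFS= read -r rel; do
            if [ ! -f "$live/$rel" ]; then
                echo "MISSING $rel"
            elif ! cmp -s "$clean/$rel" "$live/$rel"; then
                echo "MODIFIED $rel"
            fi
        done
        [ -d "$live/$dir" ] || continue
        # Files the release never shipped do not belong in core directories.
        (cd "$live" && find "$dir" -type f) | while IFS= read -r rel; do
            [ -f "$clean/$rel" ] || echo "EXTRA $rel"
        done
        # Group- or world-writable files can be rewritten by other accounts.
        (cd "$live" && find "$dir" -type f \( -perm -020 -o -perm -002 \)) |
            sed 's/^/WRITABLE /'
    done
)

# Run directly when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_wp_core "$1" "$2"
fi
```

Where WP-CLI is installed, `wp core verify-checksums` performs a comparable content check against the checksums published for the installed version.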

Topic Closed

This topic has been closed to new replies.
