Support » Fixing WordPress » This must be a hack, but it seems so odd…

  • Resolved rygardner


    I am hosting a WP blog for a friend and she just told me that a friend of hers went to the site and got a computer virus from it. Nonsense, I said, there’s no way that can happen.

    So I fired up Virtual PC (I’m on a Mac as is the friend who is the owner of the site, the person who got the virus is on Windows machine) went to the site and it instantly started downloading crazily. I immediately tried to shut it down and now my Virtual PC installation which is never used for anything but testing local sites has a trojan horse virus (66 viruses found) and a whole host of spyware including a desktop picture that won’t go away now.

    Is it possible that this came from the WP site? I immediately updated to the newest version of WordPress, but it seems that it’s still there. I’ve checked the MySQL database and there doesn’t seem to be anything too weird, but this is the only install I’ve ever done of WordPress, so I don’t know too much about it.

    I’m hesitant to put the address here as I don’t want to be responsible for ruining anyone’s computer, but I’m really desparate to figure out what’s going on here. The site is PLEASE don’t go there unless you have a serious anti-virus program running.

    A few hours ago I would have called myself crazy for thinking this could happen — I guess I get too spoiled and lax in my Macintosh world.

    Any help or ideas would be great.


Viewing 6 replies - 1 through 6 (of 6 total)
  • I can’t help with your specific problem but can confirm that many of the Blogger sites had this problem.

    Not sure if it has been corrected but it was all the buzz a month or so ago.

    Mark (podz)


    Support Maven

    There is code in there that is linking to a .ru site and others.

    Delete the Themes folder for a start – just erase it.
    Do NOT overwrite.
    Re-upload a new themes dir from a fresh WP download.
    Post back.

    Mark (podz)


    Support Maven

    Looking further, the problem is the very last line of code, right above the </html> line.

    Change the passwords to at least 8 character random ones: e.g.

    So, the question now is: how did it get into a WP blog? From an outside theme?

    Mark (podz)


    Support Maven

    Looks like the default theme.

    rygardner – if you have access to the error / access logs, can you check them for any activity that would indicate either access or file changing ?

    There is an issue which is currently being addresses and it could be related, but don’t hold me to that.

    Thanks so much to all of your for your help — I can’t believe I didn’t remember to overwrite the old themes. That code at the bottom is definitely gone now.

    I don’t have the raw access logs from when it happened — though it certainlly was the footer of the default theme that was changed and it looks like it happened last Friday.

    The weird thing is that I set up the passwords to start with and they were all 8+ characters with random symbols/numbers/capitalization — They’ve all been changed now.

    I’d love to figure out what happened but I don’t know if I have enough evidence left to do so.

    Thanks again all for your help — absolutely invaluable!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘This must be a hack, but it seems so odd…’ is closed to new replies.