Support » Fixing WordPress » Trojan Issue on WP Blog

  • My friend called me this morning and said that she went to publish a post and was given a screen in her WP Admin area that “looked like a wordpress page” telling her she needed to update in order to continue. The page had a “click here” link on it which she clicked.

    After clicking on the link it showed a screen saying update complete. However, now when people visit her blog they are given the option to download a file (which through testing we’ve confirmed to be a trojan horse). The file name is xpl.wmf and in the download window it says that it comes from proffy209 DOT com (PLEASE do not visit that domain, we have not tested it for nutrality yet).

    For your saftey I’d rather not post the link to her blog, however has anyone seen anything like this before and if so how did you fix it?

    She’s running WP 2.0, if you need more info please just ask as any help would be great. Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Samuel Wood (Otto)

    (@otto42) Admin

    That’s really unusual. Not the xpl.wmf, that’s a fairly standard metafile trojan making the rounds right about now.

    What’s unusual about it is that her site was compromised enough to insert something into the admin pages somehow (thus displaying what she saw to “update”), but not enough for the hacker to go ahead and simply install the thing himself.

    I’m just trying to grasp why, if a hacker can actually write to the blog’s files, he wouldn’t be able to go ahead and execute said code as well? Once you’re in, you’re in, I can’t think of any reason to have the code wait for the real blog user to come along and do something.

    Just seems odd, is all.

    As for how to fix it, well, I’d download a backup copy of the entire blog directory onto my own system, then wipe the directory and put a fresh copy there. Put fresh copies of all the plugins back in, manually go over your theme files and then put them back in one by one, and finally put your wp-config.php back into position to reconnect to your database. The nice thing about having the blog posts and such in a database is that rebuilding the actual blog itself doesn’t cause you to lose your posts and such.

    But if you’re compromised, wiping and starting over is the only really safe thing to do.

    Please do a search on Google for “wmf exploit”. Most likely the top few results will give explicit instructions for cleaning up after this.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Trojan Issue on WP Blog’ is closed to new replies.