WordPress.org


'Troj/Unif-B' trojan (11 posts)

  1. anthonyd
    Member
    Posted 7 years ago #

    I have just tried to access my WordPress site, ourshire.net, from work, and the Sophos virus software detected and blocked the site because of 'Troj/Unif-B'.

    This seems to be related to a line of JavaScript which I discovered in a theme/template for bbPress, called bbPress-forum. This code results in the site calling x-victory.ru. I have written about this on the bbPress forum.

    These are just a few quick notes - I will fill in more detail tonight after work - just wanted to get the word out. I can't access the bbPress forum from work.

    Anyone using the bbPress - forum theme: trentadams.com/2007/02/07/bbpress-support-forum-theme/ may be spreading this Trojan.

  2. Trent Adams
    Member
    Posted 7 years ago #

    Don't know about that file, but I am taking a look at it for you now.

    Trent

  3. Trent Adams
    Member
    Posted 7 years ago #

    I have searched through the download file since it was re-uploaded after a server crash and the only thing that was in there was a JavaScript for the anarchy-media plugin that was left over from my own modifications to the original theme. I have got rid of that line and the download is clean and reloaded to the server. Could someone look it over as well and confirm what I am seeing?

    http://onvertigo.com/downloads/bbpress-forum.zip

    Thanks,

    Trent

  4. Trent Adams
    Member
    Posted 7 years ago #

    The discussion is also over at http://bbpress.org/forums/topic/x-victoryru-exploit?replies=10#post-11991 and it seems there might be an issue with the host and not the theme.

    Trent

  5. moshu
    Member
    Posted 7 years ago #

    Trent,
    I downloaded that zip file you linked to - and couldn't find anything in it. (I mean anything harmful)

  6. anthonyd
    Member
    Posted 7 years ago #

    It seems to be a case of MPack:
    http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html

    The host of this infested site is 3ix.

  7. Trent Adams
    Member
    Posted 7 years ago #

    Thanks for the update anthonyd and thanks for checking that moshu!

    Trent

  8. afdenahy
    Member
    Posted 7 years ago #

    My host has fixed the problem:
    We have investigated the root cause of the issue and it is a type of iframe hacking from a Serbian IP which got into one of the customised PHP scripts of one of the clients and then got FTP access of domains and modified the pages.

    We have removed that script and banned the IP and process of removing that hacked script. Your account has been cleaned.

    Thanks for the beaut bbPress theme Trent.
    Anthony

  9. heriz
    Member
    Posted 7 years ago #

    I have just been told that my blog holds the same virus, a malicious JavaScript that re-directs browsers to other malicious sites. It is hosted by 3iX, so I have notified them to see whether there has been a repeat.

    Thought I'd let people know in case this is spreading.

  10. zoom56ok
    Member
    Posted 7 years ago #

    Hi
    I also had some kind of iframe script that actually turned my blog into a redirect page, and wrote a long piece about it here. And I was also hosted by 3ix, but left them last night. That dollar a month seems like a good deal but...

  11. macsoft3
    Member
    Posted 7 years ago #

    In reference to zoom56ok's link, I saw that u0069 blah blah thing when I was examining the source of redirection 2 or 3 weeks ago. It could be 123Greetings.com. Anyway, I couldn't figure out how it was related to involuntary redirection to another website.

Topic Closed

This topic has been closed to new replies.
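
Added example, not part of the thread and not code from any poster or from bbPress: one way to repeat the check asked for above on a theme's template files, flagging `<script>`/`<iframe>` tags that load from hosts outside an allowlist and runs of `\u00XX` JavaScript escapes like the one mentioned in the last post. The hostnames, the 0/1-pixel "hidden" heuristic and the four-escape threshold are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Runs of JavaScript \uXXXX escapes, one way an injected string is obscured.
ESCAPE_RUN = re.compile(r"(?:\\u00[0-9a-fA-F]{2}){4,}")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class EmbedScanner(HTMLParser):
    """Collects <script>/<iframe> tags that load from hosts outside an allowlist."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative URLs have no hostname and are treated as same-site.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host not in self.allowed:
            hidden = tag == "iframe" and (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or HIDDEN_STYLE.search(a.get("style", "")) is not None)
            self.findings.append((self.getpos()[0], tag, host, hidden))

def scan_template(text, allowed_hosts):
    """Return sorted (line, kind, detail, hidden) tuples for one template file."""
    scanner = EmbedScanner(allowed_hosts)
    scanner.feed(text)
    scanner.close()
    found = list(scanner.findings)
    for n, line in enumerate(text.splitlines(), 1):
        if ESCAPE_RUN.search(line):
            found.append((n, "escaped-js", "run of \\u00XX escapes", False))
    return sorted(found)

# Constructed sample: a theme header with one legitimate script and two injections.
SAMPLE = """<head>
<script src="http://forum.example.org/js/topic.js"></script>
<iframe src="http://injected.example/x/" width="0" height="0"></iframe>
<script>document.write("\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065");</script>
</head>
"""

if __name__ == "__main__":
    for finding in scan_template(SAMPLE, {"forum.example.org"}):
        print(finding)
```

Run it over every file in the unpacked theme and over the pages as served by the host; a clean download with a flagged live page points at server-side modification rather than the theme.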
