I started this thread because I thought I just had RSS problems, but it turns out it was a virus.
My website is at veryserious.org, if you go there now you will just see an index.html I put there. But, if you’re not running IE, go to veryserious.org/index.php and then view the source. There is a bit of code that starts out “Yahoo! counter”.
This malicious little piece of JS is all over my site and has appended itself to every file that it can. It was even on the WordPress dashboard pages, until I reinstalled.
I don’t have shell access, so I downloaded everything to my local machine and did a text search using Agent Ransack for any text matching “Yahoo! Counter”. I mostly just found HTML files that had been infected.
Strangely enough, the wordpress/index.php is uninfected:
My question is, which files go into making the index.php file?
I need to know so I can clean them.
Almost all the theme files:
header.php (and it calls the style.css)
Add the comments.php when on a single post view,
page.php when seeing Pages
and so on.
On different views the index.php is replaced in the structure above by single.php, page.php, archive.php and any other Page template and/or Category template.
If it’s not my theme, it must be my index.php, right? The file looks like this, is this how it’s supposed to look?
/* Short and sweet */
No, it's not, and if you look inside the index.php that comes inside the downloadable zip file, you would see this:
<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wordpress/wp-blog-header.php');
?>
That's all that should be in that file. What are the permissions of that file, btw?
The permission had been set wrong, I’ve fixed it. The problem is one my hosts know about, it’s running a script that’s in the tmp folder which I don’t even have access to.
I am curious as to the fix your host had. I too am seeing this code placed on all of my wordpress php pages but it does not exist in any of the files themselves that I can find. Can you provide more information please?
This just happened to me!
I have no idea what it is or what it does, but after decompressing some of the text I got this:
if(typeof(yahoo_counter)!=typeof(1))eval(unescape(‘%2F%2F!.$%2E%2…some compressed text….\n
<!– counter end –></script>
I found this text in ALMOST every .php on my webarea (total of some thousand files). And I haven't even touched WordPress files in ages. This happened to me last night.
Is it yahoo counter or what?
I’m having the same issue
Which issue? The 2 posts above are not the same.
What is/are the name(s) of the file(s) affected? footer.php only?
What is the name of the theme that you are using? Where did you get it?
And what is the exact code that you see in the file(s)?
Never mind — I found your blog. I see the code — hang on .. I’m looking at it.
You're hosted with ixwebhosting. It's a server-wide issue. There were posts earlier today here from at least 2 other people hosted there.
Additionally, read this:
“HKLM\software\microsoft\windows nt\currentversion\drivers32” key,
with value and valuedata containing “aux”=“sysaudio.sys” or “aux2”=“sysaudio.sys”. Export (for safety), then delete these entries. That should fix things.
Also, look closely at your websites; the injection attack is a nasty piece of work. Look for fake .htaccess files redirecting search engines to a Russian Mafia hosted malware factory. If you go direct, everything is normal. If you surf from search engines like Yahoo or Google, you get redirected to the bad guys.
Take care, nice to meet you.
Guy De Marco, IT Services Manager, Cabela’s (www.cabelas.com)
They have been rooted by another process
Now go read this, paying close attention to what I said about privilege escalation and root.
Get a copy of your database. Change hosts. Now.
I’ve had this same attack twice in the last week. Hosted by bluehost.com. What is the way to prevent this? Is PHP safe mode going to help?
Also, I recommend the Ask Apache plugin.
- The topic ‘Virus attack! – please advise’ is closed to new replies.
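The local clean-up check described in the thread (a text search of the downloaded files for the "Yahoo! counter" marker, plus a look for .htaccess files that redirect search-engine visitors), sketched as an added example that is not part of the original thread. The extension list and the referer heuristic are assumptions; the marker strings are the two quoted in the posts above.

```python
"""Scan a downloaded copy of a site for the injection markers named in this thread."""
import os
import re
import sys

# Marker strings quoted in the thread, matched case-insensitively.
MARKERS = re.compile(rb"yahoo!\s*counter|yahoo_counter", re.I)
# Heuristic (assumption): a rewrite condition keyed on a search-engine referer.
REFERER_RULE = re.compile(
    rb"^\s*RewriteCond\s+%\{HTTP_REFERER\}.*(google|yahoo)", re.I | re.M)
TEXT_EXT = {".php", ".html", ".htm", ".js", ".inc", ".tpl"}  # assumed list


def scan_file(path):
    """Return a list of findings for one file (empty list means nothing found)."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name != ".htaccess" and ext not in TEXT_EXT:
        return []
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return [f"unreadable: {exc}"]
    findings = []
    hit = MARKERS.search(data)
    if hit:
        line = data.count(b"\n", 0, hit.start()) + 1
        findings.append(f"injection marker at line {line}")
    if name == ".htaccess" and REFERER_RULE.search(data):
        findings.append("referer-based rewrite rule (review by hand)")
    return findings


def scan_tree(root):
    """Walk root and return {path: findings} for every flagged file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if findings := scan_file(path):
                report[path] = findings
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(findings))
```

A clean result only means these two markers were not found in the scanned copy; files restored from a known-good WordPress download remain the reference for what each file should contain.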