Support » Fixing WordPress » XML parsing error

  • Resolved iciman

    (@iciman)


    I have started to get a “XML parsing error” from my website http://www.glamourgrannytravels.com

    W3C Validator says that it is coming from line 195:
    <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">

    This is directly after the </rss> line.

    I have no idea how to clear the problem!! Could somebody please explain the problem, how this line got there after the site is over 4 months old and most importantly how to solve it.

    Thank you in advance.

Viewing 15 replies - 1 through 15 (of 41 total)
  • esmi

    (@esmi)

    Forum Moderator

    Have you tried:

    – checking through Troubleshooting WordPress 3.1 – Master List

    – deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).

    – switching to the Twenty Ten theme to rule out any theme-specific problems.

    – resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

    Thank you for your response. I have tried all of these suggestions but none of them worked.

    Please suggest another way of solving this problem.

    esmi

    (@esmi)

    Forum Moderator

    Try looking in your theme’s footer.php template file. You’ve got a whole load of code outside of the </body></html> tags.

    You or someone who also uses your FTP data has got a trojan –> win32/kryptik

    This trojan sends all your FTP data and passwords to someone who then uses it to change all index.html and index.php files on your server and adds to the end a string like <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">
    the number at the end changes on every file…

    I had it today for a few customers on Joomla sites

    John Bekker
    SJL Creations

    Anyone know how to fully remove this trojan? In my web site hosting I saw this line at the end of a file: <img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=6744753">. Also in my hosting was IP: 46.252.134.6. Help.

    esmi

    (@esmi)

    Forum Moderator

    Sorry, ’esmi’, I’m not a newbie and this does not help, I’m not using WordPress. It was on a non-CMS website.

    esmi

    (@esmi)

    Forum Moderator

    Then why are you posting on a WordPress support forum?

    Thank you John. You were right. I removed the code from the index.php and it sorted it out. Unfortunately I have now found it on some of the other sites I look after 🙁

    So it looks like virus scans all night and then checking the other sites.

    Thanks again John.

    esmi

    (@esmi)

    Forum Moderator

    “So it looks like virus scans all night and then checking the other sites.”
    REMEMBER: it’s NOT WordPress that got hacked but YOUR PC

      Make sure:

    1. that the virus is removed from your PC
    2. you change ALL FTP passwords on the sites you used
    3. just overwrite all files with the latest WordPress
    4. Check if there are more lines on your server
    5. # find every file containing the string imgaaa.net in all subdirs
      grep -lr imgaaa.net . > bad.txt

    @esmi – it makes sense to post here. Be it only to make clear it is not a WP exploit (what one might think at first) – We also have Joomla and custom coded websites affected by this.

    Important Note: the attack comes in two stages. In stage one you see the html code injected as above.
    About a day later I see uploads of files that have names like “23.php” or “56.php” – always a two digit number.

    Those files start with something like:

    <? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ...UQ=='))); ?>

    I haven’t yet decoded the binary to see what it does.

    You also see an upload of a .htaccess file with this content:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]
    </IfModule>

    Where the binary code is being uncompressed and executed.

    From what I can see on my behalf I suspect the involvement of the TR/Crypt.XPACK.Gen Trojan – but I can not yet 100% confirm it.

    Sven
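
The three artefacts reported in this thread (the imgaaa.net tracking image, PHP files that eval a packed blob, and an .htaccess rule routing requests to a two-digit NN.php file) can be swept for in one pass. This is an added example, not code posted by anyone in the thread; the function names, finding labels and fixture contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a web root for the three artefacts
# reported above. Prints one "KIND<TAB>PATH" line per hit.

tag() {  # prefix each path read from stdin with the finding kind given as $1
    while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done
}

scan_webroot() {
    root=$1
    # Stage 1: tracking <img> pointing at imgaaa.net/t.php?id=N, in any file
    # (the thread saw it appended to index.php / index.html).
    grep -rlE 'imgaaa\.net/t\.php\?id=[0-9]+' "$root" 2>/dev/null | tag injected-img
    # Stage 2: PHP files that decode, decompress and eval an embedded blob.
    find "$root" -type f -name '*.php' \
        -exec grep -lF 'eval(gzuncompress(base64_decode(' {} + | tag packed-eval
    # Stage 2: .htaccess rules that route requests to a two-digit NN.php script.
    find "$root" -type f -name '.htaccess' \
        -exec grep -lE 'RewriteRule[[:space:]].*/[0-9]{2}\.php\?q=' {} + | tag rewrite-to-dropper
}

make_sample() {  # constructed fixture: one clean file plus the three artefacts
    mkdir -p "$1/wp-admin"
    printf '<html><body>ok</body></html>\n' > "$1/about.html"
    printf '<?php // site code ?>\n<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=1234567">\n' > "$1/index.php"
    printf "<? eval(gzuncompress(base64_decode('CONSTRUCTED_PLACEHOLDER'))); ?>\n" > "$1/wp-admin/26.php"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]\n' > "$1/.htaccess"
}

# Demo on the constructed fixture; on a real host call: scan_webroot /path/to/webroot
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
scan_webroot "$demo_dir"
rm -rf "$demo_dir"
```

Each hit is a file to inspect by hand or restore from a known-good copy once the workstation is clean and the FTP passwords have been changed.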

    Sven, you’re right it’s not a WP bug or hole but the initial attack comes from a Trojan on your PC…

    After getting your FTP data it changes the index.php and index.html files on the FTP servers…

    Did not know about the second step. Fortunately I changed all FTP passwords..

    Yes it starts with a Trojan – what bothers me is the 2 step approach. I don’t quite understand what the motivation is. If the Trojan sends out the passwords – why do they need the HTML injection to report the URL back? The Trojan could tell them…

    Maybe they use the injection to check if the site is monitored and only infect sites that call back for a while…

  • The topic ‘XML parsing error’ is closed to new replies.