05-29-2013, 04:31 AM
05-29-2013, 05:12 AM
That's what I'm thinking...
my system has been scanned and checked inside out all day, several tools and checkers everything reports clean..
I've manually gone through all the usuals, no signs of nasties creeping in...
odd..
oh well..
thankfully, no bad payloads..
in reply to the other question, no, nothing in common, all on the same reseller account, along with the untouched accounts.
infected and untouched sites both contain a mixture of wp and non-wp sites.
only thing in common is that the infected appeared on filezilla on this machine
I did at first suspect that it got access via the main reseller account cpanel then accessed the others, but that account was hit after the others; timestamps show the same order as the alphabetical order in the filezilla list (some have nicknames etc)
What I can tell is that it is an automated crawler.. working on a few simple rules..
1. only hits index.php files
2. looks for the first ?> after that it inserts the code
3. if no ?> is found in index.php it will pop the code at end of file.
4. targets footer.php and page.php in WP themes, again inserting code after first ?>
so you may get many infections per site depending upon theme count and index.php count
If you do get hit, just re-secure the site - passwords etc and manually clean the code, nothing else will be hurt
feel free to pm me if ever needed
Thanks for comments and feedback,
Si
(05-29-2013 04:14 AM)jbrown63 Wrote: @simey69 needless to say, filezilla is already gone, all passwords changed, all files cleaned..
Seems you caught a trojan that looked especially for the filezilla server manager XML file...
It contains all ftp account data in clear text (no encryption for passwords here :-(
Cheers, Johnny63
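An added example, not code from the thread or from any plugin or tool it names: a scanner that turns the four rules Si lists into a check over a whole site tree. It visits only index.php, footer.php and page.php (rules 1 and 4), classifies each hit by the placement the thread describes (a PHP block inserted straight after the first `?>`, or code appended where the file has no `?>` at all) and flags obfuscated-payload heuristics such as eval(base64_decode(...)). The sample files and the placeholder payload are constructed for the demonstration; the heuristics are my assumptions about what such payloads look like, not patterns taken from the thread.

```python
"""Scan a site tree for the index.php / theme-file injection pattern.

Added example, constructed for this thread; the sample files below are not
the real infected files, and the eval(base64_decode(...)) marker is a
harmless placeholder standing in for the payload.
"""
import os
import re
import tempfile

# File names the thread says the crawler touches (rule 1 and rule 4).
TARGET_NAMES = {"index.php", "footer.php", "page.php"}

# Payload heuristics (assumption): wrappers that hide code behind Base64 or
# compression before eval, the /e modifier that executes a replacement, and
# long Base64 runs with no line breaks.
SUSPICIOUS = [
    ("eval_of_obfuscated",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace_e_modifier",
     re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("long_base64_blob",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def _placement(src, pos):
    """Classify where a match sits, using the placements the thread describes."""
    first_close = src.find("?>")
    if first_close == -1:
        # Rule 3: the file had no closing tag, so the code was appended at the end.
        return "appended_no_close_tag"
    nxt = src.find("<?", first_close + 2)
    if nxt != -1 and src[first_close + 2:nxt].strip() == "":
        end = src.find("?>", nxt)
        end = len(src) if end == -1 else end + 2
        if nxt <= pos < end:
            # Rules 2 and 4: a PHP block inserted directly after the first '?>'.
            return "after_first_close_tag"
    if pos >= src.rfind("<?"):
        return "end_of_file"
    return "elsewhere"


def scan_source(src):
    """Return a list of findings (rule, line, placement) for one file's contents."""
    findings = []
    for name, rule in SUSPICIOUS:
        for m in rule.finditer(src):
            findings.append({
                "rule": name,
                "line": src.count("\n", 0, m.start()) + 1,
                "placement": _placement(src, m.start()),
            })
    return findings


def scan_tree(root):
    """Walk a site tree and return {relative path: findings} for targeted files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample tree: one clean index.php, one theme footer with a block
# inserted after the first '?>', one index.php with no '?>' and code appended,
# and a header.php that is not a targeted name and so is skipped.
SAMPLES = {
    "index.php":
        "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n?>\n",
    "wp-content/themes/demo/footer.php":
        "<?php wp_footer(); ?>\n<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n</body>\n</html>\n",
    "blog/index.php":
        "<?php\nrequire('./wp-blog-header.php');\neval(gzinflate(base64_decode('constructed')));\n",
    "wp-content/themes/demo/header.php":
        "<?php eval(base64_decode('aWdub3JlZA==')); ?>\n",
}


def build_sample_tree():
    """Write the constructed samples to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        for h in hits:
            print(f"{path}:{h['line']}  {h['rule']}  [{h['placement']}]")
```

Run it against a real document root instead of the sample tree by calling `scan_tree("/path/to/public_html")`; the placement label tells you whether a hit matches the pattern from this thread or is something else worth looking at, and every finding still needs a human to read the block before anything is removed.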
05-29-2013, 10:29 PM
sounds like the Gumblar hack... steals passwords from FTP software and infects files
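An added example, not code from the thread or from FileZilla: an audit of the Site Manager file that Johnny63 points at above. It lists each saved server and whether a password is stored with it, so the owner can see exactly which accounts a credential stealer on that machine would have collected. The XML is constructed; the element names follow the `<FileZilla3><Servers><Server>` layout of sitemanager.xml, and the meaning I give to the `<Protocol>` and `<Logontype>` values is an assumption noted inline, not something the thread states. Secrets are never printed, only whether one is present and how it is stored.

```python
"""Audit a FileZilla sitemanager.xml for saved credentials.

Added example, constructed for this thread. It reports which entries carry a
stored password (plaintext or base64-obfuscated) without revealing them.
"""
import xml.etree.ElementTree as ET

# Constructed sample. Site A: FTP with a plaintext saved password. Site B: SFTP
# with key-file logon and no saved password. Site C: password saved but
# base64-obfuscated, which anything that can read the file can still recover.
# Protocol 0 = FTP, 1 = SFTP and Logontype 1 = normal, 5 = key file are
# assumptions about FileZilla's numbering, used only for the printed labels.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.site-a.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>sitea</User>
      <Pass>constructed-plaintext-secret</Pass>
      <Name>Site A</Name>
    </Server>
    <Server>
      <Host>sftp.site-b.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>5</Logontype>
      <User>siteb</User>
      <Name>Site B</Name>
    </Server>
    <Server>
      <Host>ftp.site-c.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>sitec</User>
      <Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      <Name>Site C</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

PROTOCOL_LABELS = {"0": "FTP", "1": "SFTP"}      # assumption, see above
LOGONTYPE_LABELS = {"1": "normal", "5": "key file"}


def audit_sitemanager(xml_text):
    """Return one dict per <Server>, saying whether a password is stored and how."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    report = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        stored = pass_el is not None and (pass_el.text or "").strip() != ""
        report.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "protocol": PROTOCOL_LABELS.get((server.findtext("Protocol") or "").strip(), "other"),
            "logontype": LOGONTYPE_LABELS.get((server.findtext("Logontype") or "").strip(), "other"),
            "password_stored": stored,
            # "plain" when <Pass> has no encoding attribute; the attribute value otherwise.
            "password_encoding": pass_el.get("encoding", "plain") if stored else None,
        })
    return report


def exposed_entries(report):
    """Entries whose password sits in the file and would go with a stolen copy."""
    return [e for e in report if e["password_stored"]]


if __name__ == "__main__":
    entries = audit_sitemanager(SAMPLE_SITEMANAGER)
    for e in entries:
        state = f"password stored ({e['password_encoding']})" if e["password_stored"] else "no password stored"
        print(f"{e['name']:<8} {e['protocol']:<5} {e['user']}@{e['host']:<22} logon={e['logontype']:<9} {state}")
    print(f"{len(exposed_entries(entries))} of {len(entries)} entries would leak credentials if this file were copied.")
```

To audit a real install, read the file FileZilla keeps in its settings directory (`sitemanager.xml`) and pass its contents to `audit_sitemanager`. Every entry the audit lists as "password stored" is a credential to rotate after an incident like the one in this thread; going forward, the FileZilla logon type that asks for the password each time, or key-based SFTP, keeps the secret out of the file entirely.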
05-29-2013, 11:20 PM
Malware injections into Wordpress theme are a real pain. Recently WP themes have been laced with all sorts of crap and most encoded in Base64 to hide payload.
To fight this I use two wp plugins: Theme Authenticity Checker 1.5 and Exploit Scanner 1.3.3 both free available at Wordpress.org.
Anybody got any other Wordpress ideas or solutions for this?
05-30-2013, 05:13 AM
I recognize this code. I had it injected in multiple sites, on different servers... someone said to disable curl. i had it disabled... didn't work.
i really cleaned all my index files and upload folder, had some exe from some users, i had and somehow it stopped. look in your sites carefully in the upload folder and all index files you have and others, it is injected deep.
I was injected with this code several times in a year. Note that if one site is injected all sites on that nameserver will be injected.
05-30-2013, 11:45 PM
scan your site with sucuri.net to see if your site is infected or not. I always scan my site whenever installing a new theme or plugin. once your site gets infected all the other sites on the same hosting account get infected, since it will scan and inject malicious code into all php files. It's a pain to remove the code file by file. get wingrep and search and replace across all files
06-18-2014, 09:39 AM
I always use sucuri.net also! Thanks for sharing...
10-07-2014, 04:56 PM
Don't use the shit nulled theme called GENESIS. I had uploaded it on a godaddy domain and they banned my domain, telling me that my server was sending spam emails. This happened on 3 domains, so i stopped using genesis and am using a themeforest theme, at least they are not as much like the genesis zombies.
11-07-2014, 08:42 PM
Ok!
Glad that you posted this. Thx!
11-14-2014, 08:09 PM
Thanks a lot for this awesome share!