Invalid RSS

Something very interesting happened just now. When windows started AVG said this :
c:\windows\system32\dll.dll
Trojan horse Downloader.Delf.EZZ

There were multiple instances of it. When I tried cleaning it it said :
“Object does not exist or is inaccessible”

I created and saved an HTML and PHP file, and they seem to be ok..

Hi,

Same problem with debian server. Only wordpress sites affected.
Trying to figure out where does it came from.

SYSTEMFARMER
https://systemfarmer.hu

My Google Analytics shows two visits from Brasov, Romania. That looks suspicious. How do I find out (or block) those IPs? Will that even help?

And those visits were the only ones with a bounce rate of more than 0%. They just visited one page and left the site…

I just checked your site to see what’s there, you gave that link, Romania doesn’t looks suspicious.

Hmm ok.. I was just wondering that since I haven’t really marketed my site, how come someone all the way from Romania is visiting hehe.

Hehe, I have multiple internet connections, Ploiesti, Brasov, USA.

I have same infection in 3 dedicated servers, all of them infected from 17:00 hours to 21:00 hours 27/04/2011 one of them have a just installed WordPress without any plugin in it. The other two dedicated servers in different providers are infected too, one of them only have a Prestashop site installed but protected by password because we was testing it.

I think this must be a infection on one of our team computer, the third server is fully unconnected from the other 2 and without public access and the index is infected.

I also am getting a similar message when I try to validate my RSS feed, but my index.php is clean.

I have disabled all my plugins, and it didn’t make a difference. I am NOT a programmer and really need help with this.

Hi all,

It seems to be not a “wordpress-specific” worm. I’m using joomla system and yesterday was the site hacked. In the public end of the site was nobody, because only i made some changes. The site is currently under contruction and has no back link, because I only just begann to build.

Therefore my suspicion is:

Itt is s server-side hack and nothing to do with the site itself.

What error are you getting? FeedBurner told me exactly what line was the problem..

I got exactly the same problem.
Got the same line of code “<img heigth=”1″ width=”1″ border=”0″ src=”https://imgddd.net/t.php?id=15896232″>&#8221; at the end of my website.

I asked the company where my website is hosted about it, and the answer was: Your computer is propably infected.
So I run a virus-scan , and got the same Trojan as ‘afcreatives’ got.
What a coincedence!

I guess this trojan is probobly a keylogger, which logged my username & pass from my computer..but i don’t know how exactly.

The files are modified over ftp. I checked it on our servers ftp log. All of them, only index files, were accessed by the same IP located in the Republic of Moldova. That IP could be the from the attacker or a zombie infected PC controlled from another country.

The moment one of those index files is visited they upload a randomly named php (bush.php,thai.php,nba.php) file with the viral charge to the same location.

Our theory is that we have a local windows trojan that is catching our ftp passwords. Some of the PCs have been formatted today by paranoid teammates. We have to check 3 more Windows PCs that are away from the office, they are offline until we can have them on Tuesday. We haven’t found the trojan but may have been in one of the formatted PCs or in the other 3 that we have to check.

I advise you to stop serving the webs until they are cleaned, changing all of your ftp passwords at least, check your DB passwords too if you have any local Mysql client. Our software with ftp access was Total Commander, Filezilla and PSPad, for mysql it was HeidiSql.

If you have ssh access I can provide you with some commands to do a fast search and cleaning index files and to delete uploaded php files.

The same thing happened to me on a non-wordpress site. I’m running a virus scan now to see if it finds anything. I don’t think I accessed the site recently over FTP though, so I wonder if it could have hacked into the stored passwords in Filezilla?

I have thought about that too, Filezilla store passwords in plain text, it is possible.

Look at: c:\Users\<your user>\AppData\Roaming\FileZilla\sitemanager.xml

A simple xml file with easily readable passwords.