Abdessamad Idrissi

i solved this by using si captcha anti spam plugin

someone decrypted the content of one of this nn.php files:
https://pastie.org/1794541

google says about 205 results.

The WassUp shows the following for the period of last two months when Iselect to show stats for Spam:
163 Visits
2830 Pageviews
17.36 Pages/Visits
2830(100.0%) Spams

here’s the corresponding graph
ps: the blue line is for visits (163 visit) and orange is for pageviews (2830 pageviews)

The ststs include all the website pages.

The spams are links to the malicious php file; “probably hack attempt!” as WassUp declares.

Since I deleted the file, all coming spam faces a 404 error. Here are some of addresses considered spam:
[404] /51.php?q=mtss-hall&page=7
Referrer: https://www.google.com/search?q=raj+shekhar+radiology&ie=UTF-8&oe=UTF-8&hl=en&client=safari
[404] /wordpress/wp-admin/kevlar-armor&page=6
Referrer: Direct hit
[404] /51.php?q=ijiek-jacket&page=3
Referrer: Direct hit

I think Google should put a quick solution for us webmasters to be able to delete the spammed search result in their directory.

Here’s the last two weeks statistics (generated by WassUp plugin) for one of my infected websites:
8685 Visits
49957 Pageviews
5.75 Pages/Visits
2828(5.7%) Spams
I should note that the daily average visits counter jumped, Saturday 30 April, from 350 to 1400 daily visit!
I removed the virus and submitted a notification to google (webmaster tools) and on Wednesday 4 May, the visits counter started to go down. Today it’s back to its normal state.
check the complete graph @ ImageShack

thanks sherwood83 for the detailed analyses.
So now we eliminated FileZilla as being a problem.
I use AVG too and it seems it failed in catching this ftp code.
It is not related to any host, since we have different hosting companies
I don’t think it is a keylogger virus because most of the passwords are copy-pasted once in the FTP program long time ago.

I really don’t know how did they steal our codes!

Please everybody, tell us what ftp client do you use?
I would like to know how did this a** h**** (sorry for my bad language!) got my passwords?

I use the latest version of FileZilla ftp client for windows.
(and a big security hole: i saved all my pases in a word document with a strong password)

what about you?

I checked my ftp logs and found the bad guys who put this files come from from this IP 91.200.240.10 which leads to Ukrain

Another bad thing is the fact that google says in his search results that my website is pirated! just next to the result title!

fortunately I used google webmaster tool to report this and was corrected the next day.

Again, change all your ftp passwords; I forget one password and the virus hit me again. it planted a file in the wordpress/wp-admin/41.php

Sorry moderator forposting the file directly on the thread, I put it now on https://pastebin.com/0JRY8GcX

here’s the content of this nasty thing:
[Code moderated as per the Forum Rules. Please use the pastebin]

it writes also to index.php and htaccess and leaves some html pages in the logs folder of the website.

so far ther’s another two topics dealing with the same issue:
malicious 96.php in wordpress
RSS feed won’t validate, junk after document element

The big question is: how this trojans got our “secured” ftp passwords? I’m using FileZilla as a client, what about you?

This is not related to WordPress; so far it is said that it’s a virus getting access to ftp accounts on your machine.

same symptoms are described in this post

one of the files I found in the logs mentions a url: pzyilmog.cw.cm (reported risky site by firefox)

I verified all my domains and found this “virus/trojan” in installations that use wordpress, other domains that don’t use wordpress platform are not infected by this. this leads to a fact that this virus uses wordpress as a mean to write to the root directory of wesite hosting wordpress.
So to conclude this is high security hole in WordPress, that we should fix.. i’ll inspect more to try and find out how can this b*****ds got in ??

I checked my other blogs and found it there too!

the name now is 51.php with the same scenario as above;

this is a serious security hole!

actually it works using the english version of plurals; just write the plural as the plural in english then in po edit it will give you to change the other plural forms.. kind of wiered but it works!