#1
07-01-2008, 11:47 PM
freediver, WebProWorld New Member
Join Date: Sep 2007
Posts: 8
Warning webmasters ! Possible new virus

Does anyone know anything about this? It seems to be three days old and I accidentally found it.

The virus infiltrates these files:

* index.php
* index.html
* main.php
* header.php
* footer.php

And sends information to a certain site.

My findings here: Warning webmasters ! Check your website for virus attack !
__________________
How inappropriate to call this planet 'Earth', when it is clearly 'Ocean'....

#2
07-02-2008, 09:51 AM
wige, Moderator (WebProWorld Moderator)
Join Date: Jun 2006
Location: United States
Posts: 1,722
Re: Warning webmasters ! Possible new virus

Very interesting. It is good that you were able to find the problem files and correct it, as the usual goal of this type of attack is to compromise the computers of anyone who visits your site. (The page that is loaded for visitors typically attempts to identify the browser they are using, and targets known weaknesses in the browser to plant malware.)

The question I have is, what did you do to prevent this from happening again? You mention that you believe this is a virus (unlikely, but for argument's sake...) so have you run any antivirus scans of the server? If it is in fact a virus, the program will simply reinsert the code after a set delay. That is the "self-replicating" element that makes a virus a virus.

Most likely, this was a drive-by attack - someone saw your server, scanned it for vulnerabilities, found one (or more) and uploaded the attack code. There are vulnerabilities in older versions of WordPress that could make this possible, for example. Have you taken steps to find weak spots on your server and correct the issue? And have you made the server admin aware of the problem as soon as you noticed it so they could investigate the compromise?

There is at least one software application known to researchers that actively crawls the web, looking for servers running services with known weaknesses. The software is configured to exploit the detected weaknesses to gain write access to the server, and alter pages in the way you describe, planting an iframe to load a page that attacks your users. This is all done automatically. The software is able to bypass many protections by using common user agents, and by passing the server a seemingly appropriate referrer string. In one scan by such a bot, the bot seemed to simulate visits from a search engine. Each visit would crawl the site from link to link, mimicking a human visitor. Each subsequent scan had a referrer that made it appear as if the traffic was coming from a search engine, with the query becoming more specific. (If the site was about blue widgets, the first scan had a referrer from MSN with the keyword florida, next one was florida widgets, and then florida blue widgets, becoming more specific as the bot saw more of the site.)
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog

Last edited by wige : 07-02-2008 at 10:03 AM.
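
A log check for the referrer pattern described in the post above, added here as an example and not part of the original thread. It assumes Combined Log Format, that one scan comes from a single client IP, and that the search query sits in a `q`, `p` or `query` parameter; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')
QUERY_KEYS = ("q", "p", "query")  # assumption: typical search-engine query parameters

def search_words(referer):
    """Return the keyword list from a search-style referrer, or [] if there is none."""
    params = parse_qs(urlparse(referer).query)
    for key in QUERY_KEYS:
        if key in params:
            return params[key][0].lower().split()
    return []

def narrowing_clients(lines, min_steps=3):
    """Map client IP -> queries, where each query adds keywords to the one before."""
    chains = defaultdict(list)
    for line in lines:
        match = LINE_RE.match(line)
        words = search_words(match.group(2)) if match else []
        if not words:
            continue  # unparsable line, or a referrer without a search query
        chain = chains[match.group(1)]
        if chain and set(words) == set(chain[-1]):
            continue  # same query repeated while crawling
        if chain and not set(words) > set(chain[-1]):
            chain.clear()  # unrelated query: start a new chain
        chain.append(words)
    return {ip: [" ".join(w) for w in c] for ip, c in chains.items() if len(c) >= min_steps}

# Constructed sample lines (not from the thread); addresses are documentation ranges.
_FMT = '{ip} - - [02/Jul/2008:09:{m}:00 +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/4.0"'
SAMPLE_LOG = [
    _FMT.format(ip="203.0.113.7", m="00", path="/", ref="http://search.example/results?q=florida"),
    _FMT.format(ip="203.0.113.7", m="01", path="/widgets", ref="http://www.example.org/"),
    _FMT.format(ip="198.51.100.20", m="02", path="/", ref="http://search.example/results?q=cheap+widgets"),
    _FMT.format(ip="203.0.113.7", m="09", path="/", ref="http://search.example/results?q=florida+widgets"),
    _FMT.format(ip="203.0.113.7", m="17", path="/", ref="http://search.example/results?q=florida+blue+widgets"),
]

if __name__ == "__main__":
    print(narrowing_clients(SAMPLE_LOG))
```

A match is only a lead for review: a real visitor refining a search can produce the same chain.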

#3
07-02-2008, 11:34 AM
freediver, WebProWorld New Member
Join Date: Sep 2007
Posts: 8
Re: Warning webmasters ! Possible new virus

I have notified my hosting company about the details of the attack as I believe it was an attack on the server and I keep my software up to date. There is not much more I can do about it.
__________________
How inappropriate to call this planet 'Earth', when it is clearly 'Ocean'....

#4
07-02-2008, 12:33 PM
Tech Manager, WebProWorld Pro
Join Date: Jan 2008
Posts: 267
Re: Warning webmasters ! Possible new virus

The script is part of a malicious iframe attack that works in conjunction with a remote exploit that downloads the Gozi Trojan. While technically not a virus, it does act as a backdoor. Much like other JavaScript cross-site-scripting attacks, it is used to install additional malicious software through the browsers of your site visitors.

Here's a little background on the Gozi portion.

Unless your hosting company designed or is otherwise responsible for your website, it is most likely that the responsibility lies with you (I am not suggesting it is your fault). Most of these and similar attacks are made possible through poor coding and improperly validated variables within your own scripts. Exploitable variables are quite common in certain versions of WordPress and other Blogging software.

Make sure you upgrade your WordPress to the latest version and also check for variable problems within NextGen or other addons.

The most common exploits come in through contact or search forms, but any improperly validated variable can be exploited. This includes variables that load pages (i.e., ?page=3) or serve content.
__________________
I use Country IP Blocks as added security for my networks and servers.
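
A check for the kind of planted iframe discussed in this thread, run over the file names listed in the first post. This is an added example, not code from any poster; the "hidden or tiny frame" heuristics, the `own_hosts` parameter and the sample web root are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File names listed in the first post of this thread.
TARGET_NAMES = {"index.php", "index.html", "main.php", "header.php", "footer.php"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]+)""")
# Assumption: a planted frame is made invisible (0/1 pixel size or a hiding style).
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

def suspicious_iframes(html, own_hosts):
    """Return (src, reasons) for each iframe that is off-site or hidden."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in own_hosts:
            reasons.append("external-src")
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("tiny")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden-style")
        if reasons:
            findings.append((src, reasons))
    return findings

def scan_webroot(root, own_hosts):
    """Scan the named files under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name in TARGET_NAMES:
            hits = suspicious_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Build a constructed web root (sample data, not from the thread) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(
            '<?php echo "hi"; ?>\n'
            '<iframe src="http://injected.example.invalid/in.php" width=1 height=1></iframe>\n')
        Path(root, "footer.php").write_text('<iframe src="/local/ad.html" width="300"></iframe>\n')
        Path(root, "about.html").write_text('<iframe src="http://x.invalid/" width=0></iframe>\n')
        return scan_webroot(root, own_hosts={"www.example.org"})
```

Comparing the same files against a known-good backup or version-control copy catches injections that this pattern check would miss.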

#5
07-07-2008, 05:42 PM
MajorTom, WebProWorld New Member
Join Date: Aug 2007
Location: Planet Earth
Posts: 13
Re: Warning webmasters ! Possible new virus

It's definitely a WordPress related issue. I've had the same problem on several of my blogs and on client blogs I'm hosting. The issue arises from wp-register.php which is deprecated but redirects to wp-login's register function. Even if you have user registration turned off here, I would recommend going an extra step and altering your wp-login where you see this:

Quote:
    case 'register' :
        // Stock behaviour: registration requests are only turned away when the option is off.
        if ( !get_option('users_can_register') ) {
            wp_redirect('wp-login.php?registration=disabled');
            exit();
        }

replace it with something like this...

Quote:
    case 'register' :
        // Replacement: redirect every registration request, whatever the option says.
        wp_redirect('http://some-other-url-here.com');
        exit();

I have been very creative with my redirect and send these hackers to a Clickbank offer that they probably need. You can see it by checking the link to my wp-register.php...

http://www.affiliatebestprograms.com/wp-register.php

__________________
Dofollow Forums : Entrepreneur / Baseball / Television / Dot Me (.me)

#6
08-20-2008, 02:11 AM
Web-Design-Guy, WebProWorld Member
Join Date: Jun 2008
Location: Perth, Western Australia
Posts: 32
Re: Warning webmasters ! Possible new virus

Nice one Major Tom