computer virus attacking my wordpress sites, need some help please
d marks
06-01-2011, 09:57 AM
Hi all, I need some expert assistance. I have some type of virus that is working its way into my WordPress sites and altering the code. This has happened across multiple IP addresses, user names, passwords and domains, and different hosting companies (GoDaddy, HostGator, tierra.net).
I have run Norton Anti-Virus, SpyHunter, malware anti-malware and it's not helping. The virus corrupts the code; examples here:
www.jarvispainting.com
www.thehomeconnection.com
and it has now infected over 50 sites I have; any suggestions are greatly appreciated.
THANKS!!
rebecca-may
06-01-2011, 10:32 AM
WOW - how interesting that no one is replying - I don't think anyone will take the risk of clicking on any of those links??!
SteveGerencser
06-01-2011, 10:40 AM
There is only one way that many sites across that many servers and passwords can be affected.. Your computer has been compromised in some way..
That said, it doesn't feel like a hack.. It feels like a fault in the way you are saving the files to their server when you are working on them.. Since I can't see the source code it's hard to tell.. What software do you use to edit your files? Do you edit locally then upload or edit right on the server?
d marks
06-01-2011, 11:43 AM
This is the error message I get when trying to access the site.
Parse error: syntax error, unexpected '?' in /home/floodwat/public_html/jarvispainting.com/index.php on line 18
I use HostGator for most sites and rarely FTP anything online, thus I am mostly editing via /wp-admin. I upgraded to the most recent version and it fixes the bug in some themes, but not all. I would like to try and find the bug and kill it from my laptop or possibly the network, as this has been going on for over 1 month now. It was recommended that I install Immunet ClamAV and try this to scan my desktop and the servers. I have run Norton and a few other malware programs but they are not catching the problem.
SteveGerencser
06-01-2011, 11:50 AM
okay, step one, turn off every single plugin that you are running.. Then go to the default theme.. If the site works then you can start with putting your theme back in..then start turning on plugins one at a time.. I would wager you have a plugin issue since all the sites are doing the same thing..
If that still doesn't solve the issue you will need to reupload a clean version of WP and start from there..
d marks
06-01-2011, 01:28 PM
I will try this. I only run 2 plugins, All in One SEO and Contact Form 7, on almost all sites. The virus is creating a bogus index.php file, which was detected on our corporate network but not my personal PC. I am trying to run Immunet Plus ClamAV locally and have also contacted the security team at HostGator to see if they have any suggestions.... It's just a big pain when you are talking about potentially hundreds of sites being infected :( thx for the help here
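An added example, not from this thread, of one way to check for the bogus index.php problem described above across many sites: compare each site's index.php with a known-good copy taken from a fresh WordPress download and report the lines that were not in the original, so the injected block can be located without opening every site by hand. The baseline text, site paths and file contents below are constructed placeholders.

```python
import difflib
from typing import Dict, List, Tuple

# Constructed stand-in for a known-good index.php; in practice take the file
# from a fresh download of the exact WordPress version each site runs.
BASELINE_INDEX_PHP = """<?php
/**
 * Front to the WordPress application.
 */
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
"""

def find_injected_lines(baseline: str, candidate: str) -> List[Tuple[int, str]]:
    """Return (line_number, text) for each candidate line that is not in the baseline."""
    cand_lines = candidate.splitlines()
    matcher = difflib.SequenceMatcher(a=baseline.splitlines(), b=cand_lines)
    injected = []
    for tag, _a1, _a2, b1, b2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            injected.extend((j + 1, cand_lines[j]) for j in range(b1, b2))
    return injected

def audit_sites(files: Dict[str, str], baseline: str = BASELINE_INDEX_PHP) -> Dict[str, dict]:
    """files maps each site's index.php path to its content (read from disk in practice)."""
    report = {}
    for path, content in files.items():
        if content == baseline:
            report[path] = {"status": "clean", "injected": []}
        else:
            report[path] = {"status": "modified", "injected": find_injected_lines(baseline, content)}
    return report

# Constructed samples: an untouched site, one with a foreign PHP block prepended,
# and one with lines appended past the end of the stock stub (where a malformed
# block shows up as a parse error on a line the original file never had).
SAMPLE_FILES = {
    "/home/siteA/public_html/index.php": BASELINE_INDEX_PHP,
    "/home/siteB/public_html/index.php": "<?php /* constructed foreign block */ ?>\n" + BASELINE_INDEX_PHP,
    "/home/siteC/public_html/index.php": BASELINE_INDEX_PHP + "<?php\n/* constructed appended block */\n",
}

if __name__ == "__main__":
    for path, finding in audit_sites(SAMPLE_FILES).items():
        print(path, finding["status"])
        for lineno, text in finding["injected"]:
            print(f"  line {lineno}: {text}")
```

Any "modified" result is a reason to restore the file from a clean copy and rotate the FTP and cPanel credentials for that account, since a matching hash only proves the file is untouched, not the rest of the install.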
MrGamm
06-01-2011, 01:56 PM
This is the server header response...
HTTP/1.1 200 OK
Date: Wed, 01 Jun 2011 17:46:01 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
So you are on Apache/Linux, with FrontPage extensions? If you're not using the FrontPage extensions, those can go. I have heard of (but not experienced) security problems with that means of web development.
70.85.20.39 is the ip for jarvispainting.com
Other websites on those IPs are fine http://blekko.com/ws/ip:70.85.20.39
70.85.77.107 is the ip for thehomeconnection.com
Other websites on those IPs are fine http://blekko.com/ws/ip:70.85.77.107
except
http://noiraqescalation.com/
http://www.krabi-nightlife.com/
http://www.truthofthespoon.net/
http://www.aphrael.net/ (but they look like old errors)
Are they related to you? If not... consider contacting your host. If the virus has just started, and it has for one reason or another infected more than just your websites, or only some of your websites have been breached, not all of them, or especially if the problem is getting worse, then the virus could just be busy working its way through the computer. Once a virus gets into a shared hosting environment, then it has to go to work to breach all the other accounts, but once it's in, it may have access to the shadow passwords (not sure of the correct terminology), then it just needs to crack the hashed passwords to get to the other accounts.
I am guessing as to what is happening of course.
But, your host should be involved, especially if those other websites are hacked, and not related to you, and that should be the evidence to get them to start looking if they are a large organization that is busy, jmo...
Another thing you can try is whitelisting your IP so you are the only one who can access your accounts, that will help you figure out if the script doing damage is coming from your network and not from somewhere else, if the hosting company is not helping.
Then your other option is to get your corporate firewall to limit the service ports which are in use to access the remote host which is being attacked. Limiting FTP, or whatever other ports which might be causing an issue, with maybe just leaving HTTP 80 the only port available for access, until you get everything figured out.
EDIT: Everything looks fine now... what happened?
d marks
06-01-2011, 02:10 PM
these 2 are not mine,
http://noiraqescalation.com/
http://www.krabi-nightlife.com/
but appear to have some sort of virus as well, so now I am not sure if this is potentially where I am getting the virus from or if I am spreading it to these (gotta love the shared hosting environment). I have alerted HostGator as we are spread out across 45 IP addresses with them; hopefully they don't blow this off as a simple WordPress coding error.
MrGamm
06-01-2011, 02:19 PM
hopefully they don't blow this off as a simple wordpress coding error.
They are all wordpress? You are running versions
<meta name="generator" content="wordpress 2.9.2" />
<meta name="generator" content="wordpress 3.0.1" />
Since version 2.9.2 they have released A LOT of security upgrades; maybe consider upgrading WordPress to the latest version.
I don't really follow it, but even since version 3.0.1 they have released "critical security upgrades" (they do it constantly):
http://wordpress.org/news/2010/12/3-0-4-update/
I don't really know... but maybe you downloaded a desktop wordpress utility that was malware in disguise? Maybe a utility that supposedly kept track of all your wordpresses on your desktop?
d marks
06-01-2011, 03:06 PM
HostGator identified the malware and believe it was somehow able to access the login/pass information to spread via FTP or cPanel. They have done a clean sweep of the affected servers to remove the malicious files. I have requested more details on the malware and will post the info for reference in the event anyone else runs into this issue in the future. I am still not 100% confident I have removed this from my personal PC as Norton and Spybot seem to have missed this; hopefully Immunet can catch it locally.
thanks for all of the help so far!
MrGamm
06-01-2011, 03:25 PM
If it helps, I use a firewall which will prohibit outbound calls from my computer over certain ports.
FTP is port 21 and 22 (encrypted)
CPanel is usually port 2082 and 2083 (encrypted)
So if you find a firewall that will allow you to block outbound calls from your machine to the internet over those ports, that will help protect your websites until you are sure you are not a threat anymore.
This might be relevant to your immunet software - http://support.immunet.com/tiki-read_article.php?articleId=6
jacksena
03-12-2012, 05:59 AM
Well, you should scan your computer with Malware Removal for complete virus protection, which provides you the best virus security, so let's try...