Virus Being Added to Blogs

walrus · 2006-05-18, 09:44 PM

This is the third time I've seen this on various blogs and CMS's in about a week. Someone is adding a nasty little java script right at the top of your meta area. I've seen it on a couple WP blogs and now a Joomla CMS site.

What they are attempting to load is the old download.trojan.

Useless · 2006-05-18, 11:44 PM

Does this mean that there is a security hole in WP and Joomla? Or perhaps the culprits are finding holes via other scripts on the same server?

walrus · 2006-05-19, 12:24 PM

Quote:

Originally Posted by Useless Warrior

Does this mean that there is a security hole in WP and Joomla? Or perhaps the culprits are finding holes via other scripts on the same server?

At this time, I'm not sure other than the Joomla site is one I put up just last weekend for someone so I doubt there is any other script they could be going through. I've contacted my host to see if it can be tracked back but havent' heard from them.

But the one common thread I have found is that they only seem to be affecting the default templates.

walrus · 2006-05-19, 07:01 PM

This is the only additional info I have:

We've removed the javascript server side.
This is not necessarily a Joomla exploit.
It is definitely a php exploit that we are looking in to.

2msacras · 2006-05-20, 09:33 AM

which verision of wordpress? or does it seem to even matter?

walrus · 2006-05-20, 01:29 PM

Quote:

Originally Posted by 2msacras

which verision of wordpress? or does it seem to even matter?

From what I've gathered so far, it's not a script based exploit but a PHP exploit.

RawAlex · 2006-05-20, 06:22 PM

PHP exploits are pretty rare... what version of PHP is this involving?

Alex

walrus · 2006-05-20, 07:33 PM

Quote:

Originally Posted by RawAlex

PHP exploits are pretty rare... what version of PHP is this involving?

Alex

I know, they are extremely rare and the information I'm getting from my host possibly isn't the best. Originally, they blamed it on an outdated script. And if it's really a PHP exploit, why did it only affect the one domain. I'm hosting 5 from the same account.

Anyway to answer your question its version 4.3.9

AbsolutePorn · 2006-05-20, 08:34 PM

Damn, this sucks big time.

Im using WP, but luckly I wasnt hijacked yet...

cd34 · 2006-05-21, 02:22 AM

Quote:

Originally Posted by walrus

Anyway to answer your question its version 4.3.9

4.3.9 was released in Sep 2004, and there have been numerous security patches since then.

However, I would still believe the exploit came through something like phpmyadmin, awstats or some other php script as some of the exploits on php itself require some pretty specific circumstances.

walrus · 2006-05-21, 05:02 PM

Your definately much more knowledgable on this type of thing than I ever hope to be. All I can say is that when I checked my index.php file the javascript wasn't there. When rendered to my browser and viewed using view source, it over wrote the W3C document type statement.

What path it took to get there, I haven't a clue.

RawAlex · 2006-05-21, 07:20 PM

Walrus, the idea that something in PHP is changed is possible, but that doesn't make it an exploit of PHP... don't look at the result, the question is the door it came in with. It might not be in PHP either, it could be right in the apache webserver or other.

This sort of thing is about the illness, not just the symptoms.

Alex

walrus · 2006-05-21, 07:36 PM

Actually, I'm not calling it an exploit, the CS rep at my host did. I'm just trying to relay the information I get as I can. Post #4 I fucked up and should have made that more clear. The last three lines of the post are quoted from an e-mail and not me making assumptions.

cd34 · 2006-05-21, 09:13 PM

if the code isn't in your index.php, I would suspect a template got changed. If your host runs setuid (where the apache process runs as the owner rather than as nobody/www-data or an unprivileged account), any remote exploit would allow them to overwrite a number of files. It would be more difficult if they didn't run setuid.

you mentioned Joomla, are you running the latest patches for that? They had 5 or 6 exploitable bugs that were patched in December.

So far, I haven't seen evidence of an issue on Wordpress 2.0.2 that we couldn't find exploited through other software running on that site.

Any method that it occurred, its in your best interest to figure out how it was exploited.... because it will happen again.. and again... and again.

2006-05-18, 09:44 PM	#1
walrus Oh no, I'm sweating like Roger Ebert Join Date: May 2005 Location: Los Angeles Posts: 1,773	Virus Being Added to Blogs This is the third time I've seen this on various blogs and CMS's in about a week. Someone is adding a nasty little java script right at the top of your meta area. I've seen it on a couple WP blogs and now a Joomla CMS site. What they are attempting to load is the old download.trojan. __________________ Naked Girlfriend Porn TGP free partner account

2006-05-18, 11:44 PM	#2
Useless Certified Nice Person Join Date: Oct 2003 Location: Dirty Undies, NY Posts: 11,268	Does this mean that there is a security hole in WP and Joomla? Or perhaps the culprits are finding holes via other scripts on the same server? __________________ Click here to purchase a bridge I'm selling.

2006-05-20, 08:34 PM	#9
AbsolutePorn You tried your best and you failed miserably. The lesson is 'never try' Join Date: Apr 2005 Posts: 164	Damn, this sucks big time. Im using WP, but luckly I wasnt hijacked yet... __________________ TripleX-Studios.com - Cheap, Fast Delivery and Convertable Gallery Designs!

2006-05-21, 05:02 PM	#11
walrus Oh no, I'm sweating like Roger Ebert Join Date: May 2005 Location: Los Angeles Posts: 1,773	Your definately much more knowledgable on this type of thing than I ever hope to be. All I can say is that when I checked my index.php file the javascript wasn't there. When rendered to my browser and viewed using view source, it over wrote the W3C document type statement. What path it took to get there, I haven't a clue. __________________ Naked Girlfriend Porn TGP free partner account

2006-05-21, 07:36 PM	#13
walrus Oh no, I'm sweating like Roger Ebert Join Date: May 2005 Location: Los Angeles Posts: 1,773	Actually, I'm not calling it an exploit, the CS rep at my host did. I'm just trying to relay the information I get as I can. Post #4 I fucked up and should have made that more clear. The last three lines of the post are quoted from an e-mail and not me making assumptions. __________________ Naked Girlfriend Porn TGP free partner account

2006-05-19, 07:01 PM	#4
walrus Oh no, I'm sweating like Roger Ebert Join Date: May 2005 Location: Los Angeles Posts: 1,773	This is the only additional info I have: We've removed the javascript server side. This is not necessarily a Joomla exploit. It is definitely a php exploit that we are looking in to. __________________ Naked Girlfriend Porn TGP free partner account

2006-05-20, 09:33 AM	#5
2msacras The sun? That's the hottest place on Earth Join Date: Jul 2004 Location: Chicago Posts: 394	which verision of wordpress? or does it seem to even matter?

2006-05-20, 06:22 PM	#7
RawAlex Took the hint. Join Date: Mar 2003 Posts: 5,597	PHP exploits are pretty rare... what version of PHP is this involving? Alex

2006-05-21, 07:20 PM	#12
RawAlex Took the hint. Join Date: Mar 2003 Posts: 5,597	Walrus, the idea that something in PHP is changed is possible, but that doesn't make it an exploit of PHP... don't look at the result, the question is the door it came in with. It might not be in PHP either, it could be right in the apache webserver or other. This sort of thing is about the illness, not just the symptoms. Alex

2006-05-21, 09:13 PM	#14
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	if the code isn't in your index.php, I would suspect a template got changed. If your host runs setuid (where the apache process runs as the owner rather than as nobody/www-data or an unprivileged account), any remote exploit would allow them to overwrite a number of files. It would be more difficult if they didn't run setuid. you mentioned Joomla, are you running the latest patches for that? They had 5 or 6 exploitable bugs that were patched in December. So far, I haven't seen evidence of an issue on Wordpress 2.0.2 that we couldn't find exploited through other software running on that site. Any method that it occurred, its in your best interest to figure out how it was exploited.... because it will happen again.. and again... and again. __________________ SnapReplay.com a different way to share photos - iPhone & Android