Greenguy's Board


Old 2006-05-18, 09:44 PM   #1
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
Virus Being Added to Blogs

This is the third time I've seen this on various blogs and CMSs in about a week. Someone is adding a nasty little JavaScript right at the top of your meta area. I've seen it on a couple WP blogs and now a Joomla CMS site.

What they are attempting to load is the old download.trojan.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-18, 11:44 PM   #2
Useless
Certified Nice Person
 
Join Date: Oct 2003
Location: Dirty Undies, NY
Posts: 11,268
Does this mean that there is a security hole in WP and Joomla? Or perhaps the culprits are finding holes via other scripts on the same server?
__________________
Click here to purchase a bridge I'm selling.
Old 2006-05-19, 12:24 PM   #3
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
Quote:
Originally Posted by Useless Warrior
Does this mean that there is a security hole in WP and Joomla? Or perhaps the culprits are finding holes via other scripts on the same server?
At this time, I'm not sure, other than the Joomla site is one I put up just last weekend for someone, so I doubt there is any other script they could be going through. I've contacted my host to see if it can be tracked back but haven't heard from them.

But the one common thread I have found is that they only seem to be affecting the default templates.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-19, 07:01 PM   #4
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
This is the only additional info I have:

We've removed the javascript server side.
This is not necessarily a Joomla exploit.
It is definitely a php exploit that we are looking in to.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-20, 09:33 AM   #5
2msacras
The sun? That's the hottest place on Earth
 
Join Date: Jul 2004
Location: Chicago
Posts: 394
Which version of WordPress? Or does it seem to even matter?
Old 2006-05-20, 01:29 PM   #6
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
Quote:
Originally Posted by 2msacras
Which version of WordPress? Or does it seem to even matter?
From what I've gathered so far, it's not a script based exploit but a PHP exploit.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-20, 06:22 PM   #7
RawAlex
Took the hint.
 
Join Date: Mar 2003
Posts: 5,597
PHP exploits are pretty rare... what version of PHP is this involving?

Alex
Old 2006-05-20, 07:33 PM   #8
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
Quote:
Originally Posted by RawAlex
PHP exploits are pretty rare... what version of PHP is this involving?

Alex
I know, they are extremely rare, and the information I'm getting from my host possibly isn't the best. Originally, they blamed it on an outdated script. And if it's really a PHP exploit, why did it only affect the one domain? I'm hosting 5 from the same account.

Anyway, to answer your question, it's version 4.3.9.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-20, 08:34 PM   #9
AbsolutePorn
You tried your best and you failed miserably. The lesson is 'never try'
 
Join Date: Apr 2005
Posts: 164
Damn, this sucks big time.

I'm using WP, but luckily I wasn't hijacked yet...
Old 2006-05-21, 02:22 AM   #10
cd34
a.k.a. Sparky
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Quote:
Originally Posted by walrus
Anyway, to answer your question, it's version 4.3.9.
4.3.9 was released in Sep 2004, and there have been numerous security patches since then.

However, I would still believe the exploit came through something like phpmyadmin, awstats or some other php script as some of the exploits on php itself require some pretty specific circumstances.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
Old 2006-05-21, 05:02 PM   #11
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
You're definitely much more knowledgeable on this type of thing than I ever hope to be. All I can say is that when I checked my index.php file the JavaScript wasn't there. When rendered to my browser and viewed using view source, it overwrote the W3C document type statement.

What path it took to get there, I haven't a clue.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-21, 07:20 PM   #12
RawAlex
Took the hint.
 
Join Date: Mar 2003
Posts: 5,597
Walrus, the idea that something in PHP is changed is possible, but that doesn't make it an exploit of PHP... don't look at the result, the question is the door it came in with. It might not be in PHP either, it could be right in the apache webserver or other.

This sort of thing is about the illness, not just the symptoms.

Alex
Old 2006-05-21, 07:36 PM   #13
walrus
Oh no, I'm sweating like Roger Ebert
 
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
Actually, I'm not calling it an exploit, the CS rep at my host did. I'm just trying to relay the information I get as I can. Post #4 I fucked up and should have made that more clear. The last three lines of the post are quoted from an e-mail and not me making assumptions.
__________________
Naked Girlfriend Porn TGP
free partner account
Old 2006-05-21, 09:13 PM   #14
cd34
a.k.a. Sparky
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
If the code isn't in your index.php, I would suspect a template got changed. If your host runs setuid (where the Apache process runs as the owner rather than as nobody/www-data or an unprivileged account), any remote exploit would allow them to overwrite a number of files. It would be more difficult if they didn't run setuid.

You mentioned Joomla; are you running the latest patches for that? They had 5 or 6 exploitable bugs that were patched in December.

So far, I haven't seen evidence of an issue on Wordpress 2.0.2 that we couldn't find exploited through other software running on that site.

Whatever method it occurred by, it's in your best interest to figure out how it was exploited... because it will happen again... and again... and again.
__________________
SnapReplay.com a different way to share photos - iPhone & Android