WordPress 2.2.3 and (unrelated) Trojan Horse…

I thought I better add the “(unrelated)” into the post title before I get a flame about WordPress having nothing to do with this. Just reporting two unrelated things in a single post! šŸ™‚

Wordress 2.2.3 was released over the weekend. I guess it won’t be long before the finished 2.3 release, but for the moment it’s just bug fixes of 2.2.x.

On a completely separate note, I got an email from someone today saying their antivirus software was detecting some malicious code when they accessed pages on my website. I asked for the full error message and checked out the suspect file and to my surprise found an extra bit of Javascript had been tagged to the end of one of my javascript files. The modification happened yesterday. I know it wasn’t me for two reasons:

  1. The code was written as a single line. I never write code like that. If it isn’t neat and indented properly it doesn’t make it to my site.
  2. The modification was done yesterday. I didn’t log on to a PC all day!

I checked the contents of my content management system and the offending line of code wasn’t there, so it had been added by someone or something else!

The code in question didn’t cause my AV software to log a problem, so I guess this guys AV software was more sensitive than mine. In my haste to correct the problem, I didn’t keep a record of the offending Javascript, so I don’t have any evidence to supply to my hosting provider, other than anĀ error message that was emailed to me.

 

I would be interested to know if anyone else saw got any AV messages when accessing my site over the last 24 hours. Hopefully not!

Cheers

Tim…

Update: It seems the file I fixed yesterday has been compromised again. I contacted my hosting provider and they claim there is nothing wrong on the server. They believe this additional line is being added manually, or via an exploit on my site. I’ve fixed the file again and changed every password I can ever remember having. I’ve now got to try and identify anything on my site that could possibly be exploited. Bummer!

Of course, if this is down to WordPress or phpBB I’m in trouble!

Author: Tim...

DBA, Developer, Author, Trainer.

8 thoughts on “WordPress 2.2.3 and (unrelated) Trojan Horse…”

  1. My F-Secure client reported a removed virus Trojan-Downloader.JS.Psyme.hz in common.js right now.
    I’d send you a screenshot of the message if you let me know your email (but there’s basically not mor information in the screenshot).
    Best regards,
    Martin

  2. Hi,

    Just mailed you Tim… It looks like common.js has been compromised again if you hadn’t already realised.

    Cheers,

    Rob

  3. Hi.

    Thanks for the input. The file was compromised again. I’ve fixed it again. See the update on the main post. If you see anything else please let me know. I’m on high alert!

    Cheers

    Tim…

  4. ESET is detecting the same virus on my wordpress site, and I have NO idea what is going on or how to fix it.

Comments are closed.