Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#12220 closed defect (bug) (worksforme)

GoDaddy trojan virus bibzopl.com/in.php is infecting WordPress

Reported by: micasuh
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords: virus, trojan
Focuses:
Cc:


Seems to be affecting only WP and phpBB so far.

From article: "I decrypted it and it turns out to be a redirect to a PHP script file on an address that reverse DNS resolved to a Hong Kong IP address. Turns out that if you let the script run it will install the SMSS32.exe fake trojan on your machine."

Seems to be affecting both OS X and Windows but the trojan can only harm Windows. Every instance of this virus I can find is limited to sites hosted by GoDaddy.

If a site has strong passwords, it's apparently less likely to be infected.

Is this beyond WP just issuing a patch for it?

Change History (3)

#1 @nacin
6 years ago

  • Milestone Unassigned deleted
  • Priority changed from highest omg bbq to normal
  • Severity changed from critical to normal

This is a server security issue -- eval code is getting stuffed into the top of PHP files, WordPress or not -- not a WordPress issue. So yeah, nothing we can do here.
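
A defender's check for the symptom described in comment #1 (eval code at the top of PHP files), as an added example that is not part of the ticket or of WordPress. It assumes the injected code is an `eval(` call placed directly after the opening PHP tag; the function names and the sample files are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Assumption: an injected file opens with a PHP tag followed directly by an
# eval(...) call, ahead of the file's own code. Comments and "@" are allowed.
LEADING_EVAL = re.compile(rb"\A\s*<\?(?:php)?\s*(?:/\*.*?\*/\s*)*@?eval\s*\(", re.I | re.S)

def has_leading_eval(data: bytes) -> bool:
    """True when the first PHP statement in the data is an eval() call."""
    return LEADING_EVAL.match(data.lstrip(b"\xef\xbb\xbf")) is not None

def scan_tree(root: str, head_bytes: int = 4096) -> list:
    """Return sorted relative paths of .php files under root that open with eval()."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable file, skip it
            if has_leading_eval(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree(root: str) -> None:
    """Write constructed sample files (not taken from the ticket) under root."""
    samples = {
        "index.php": b"<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?><?php\nrequire 'x.php';\n",
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'example');\n",
        "lib/util.php": b"<?php\nfunction run($c) { return eval($c); }\n",
        "theme/header.php": b"\xef\xbb\xbf<?php /* */ @eval ($x); ?>\n<html>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(scan_tree(sys.argv[1])))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            print("\n".join(scan_tree(tmp)))
```

Run with a directory argument to scan a site's document root; a file that uses `eval()` later in its own code, like the constructed `lib/util.php`, is not flagged.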

#2 @micasuh
6 years ago

Okay. I wasn't sure but saw increasing chatter and wanted to make sure the WordPress community knew something.

#3 @miqrogroove
6 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Hi, thanks for the info. I took apart the payload described by the whitefirdesign link and it appears to be an Acrobat and/or Java virus, probably designed to infect PHP files on the victim's hard drive.

Please follow up if you find a problem with WordPress itself :)
