Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#12220 closed defect (bug) (worksforme)

GoDaddy trojan virus bibzopl.com/in.php is infecting WordPress

Reported by: micasuh
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 2.9.1
Component: Security
Keywords: virus, trojan
Focuses:
Cc:

Description

Seems to be affecting only WP and phpBB so far.
http://www.whitefirdesign.com/resources/bibzoplcom-malware.html
http://wordpress.org/support/topic/362584
http://www.phpbb.com/community/viewtopic.php?f=46&t=1979715&start=0
http://bermudaisanotherworld.org/forum/index.php?action=printpage;topic=2388.0

From article: "I decrypted it and it turns out to be a redirect to a PHP script file on an address that reverse DNS resolved to a Hong Kong IP address. Turns out that if you let the script run it will install the SMSS32.exe fake trojan on your machine."

Seems to be affecting both OS X and Windows but the trojan can only harm Windows. Every instance of this virus I can find is limited to sites hosted by GoDaddy.

If a site has strong passwords, it's less likely to be infected, apparently.

Is this beyond WP just issuing a patch for it?

Change History (3)

#1 @nacin
14 years ago

  • Milestone Unassigned deleted
  • Priority changed from highest omg bbq to normal
  • Severity changed from critical to normal

This is a server security issue -- eval code is getting stuffed into the top of PHP files, WordPress or not -- not a WordPress issue. So yea, nothing we can do here.
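
The symptom named in comment #1, eval code stuffed into the top of PHP files, is something a site owner can sweep for on the server. The script below is an added example, not part of the ticket and not WordPress code; the 4 KiB read window, the function names and the sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

HEAD_BYTES = 4096  # assumption: the injected statement sits in the first 4 KiB
OPEN_TAG = re.compile(rb"<\?(?:php\b)?", re.I)
# Whitespace and PHP comments that may precede the first statement.
SKIP = re.compile(rb"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)
EVAL_CALL = re.compile(rb"@?\s*eval\s*\(", re.I)

def starts_with_eval(head: bytes) -> bool:
    """True when the file opens with a PHP tag whose first statement is eval()."""
    body = head.lstrip(b"\xef\xbb\xbf \t\r\n")  # ignore a BOM and blank space
    tag = OPEN_TAG.match(body)
    if tag is None:
        return False
    pos = SKIP.match(body, tag.end()).end()
    return EVAL_CALL.match(body, pos) is not None

def scan_tree(root: str) -> list[str]:
    """Return sorted relative paths of .php files that open with eval()."""
    hits = []
    for path in Path(root).rglob("*.php"):
        if path.is_file():
            with path.open("rb") as fh:
                if starts_with_eval(fh.read(HEAD_BYTES)):
                    hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo() -> list[str]:
    """Scan a throwaway tree of constructed sample files."""
    injected = b"<?php /*x*/ eval(constructed_placeholder('...')); ?>"
    samples = {
        "index.php": injected + b"<?php\nrequire 'wp-blog-header.php';\n",
        "wp-includes/load.php": b"\xef\xbb\xbf" + injected + b"\n<?php\n// original\n",
        "wp-config.php": b"<?php\n// eval( inside a comment is ignored\ndefine('X', 1);\n",
        "plugin.php": b"<?php\nfunction run($c) { return eval($c); }\n",
        "notes.txt": injected,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(root)
```

A hit is a lead for manual review of that file. Files that call eval() only later in their body are deliberately not reported, since the ticket describes code placed at the top.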

#2 @micasuh
14 years ago

Okay. I wasn't sure but saw increasing chatter and wanted to make sure the WordPress community knew something.

#3 @miqrogroove
14 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Hi, thanks for the info. I took apart the payload described by the whitefirdesign link and it appears to be an Acrobat and/or Java virus, probably designed to infect PHP files on the victim's hard drive.

Please follow up if you find a problem with WordPress itself :)
