Possible Security Hole in Free Hosting?

changc

New Member
Hello,

Recently I had a problem where my WordPress blog was attacked by a malicious script. It appended JavaScript to the ends of dozens of files in my blog, and it broke it to where it would not load.

I have searched around and it appears that this error has happened for other people as well, as seen in this forum thread. http://wordpress.org/support/topic/344181?replies=12#post-1330209 If you do a Google search for the OP's error message, the same problem appears to have occurred for other bloggers. http://www.google.com/search?q=unexpected+"/wp-includes/default-filters.php+on+line+229"

There are not any confirmed security holes in WordPress 2.9 yet, so someone in that thread suggested that it may have something to do with a breach in security for my hosting here.

edit: it appears to be a form of the Gumblar iframe virus. http://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html
 
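The symptom described in this post (script appended to the tail of many PHP and HTML files) is easy to check for before restoring from backup. The scanner below is an added example for this thread, not code from the original posts or from WordPress. It flags the last `<script>` block of a file when it either matches the "GNU GPL ... window.onload" marker quoted in the links above (an assumption about this particular variant) or contains a decode-and-eval chain and sits where WordPress would never put one: after the final `?>` of a PHP file, inside a PHP file that never leaves PHP mode (where appended text is a parse error, the kind of breakage reported here), or after `</body>`/`</html>` in an HTML file. The sample files are constructed for illustration.

```python
"""Find and strip JavaScript appended to the tail of PHP/HTML files.

Added example for this thread, not code from the original posts or from
WordPress. GUMBLAR_MARKER is an assumption about the variant discussed;
the sample files below are constructed, not real malware.
"""
import re
import tempfile
from pathlib import Path

# Marker for the variant discussed in the thread (assumption).
GUMBLAR_MARKER = re.compile(r"/\*\s*GNU GPL\s*\*/\s*try\s*\{\s*window\.onload", re.I)
# Decode-and-eval chains typical of obfuscated, injected script.
OBFUSCATION = re.compile(r"(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
SCANNED_SUFFIXES = (".php", ".html", ".htm")


def find_injection(text: str, suffix: str):
    """Return the offset where appended script starts, or None if the file looks clean.

    Only the last <script> block is examined: this kind of injection appends
    to the end of the file rather than editing the middle of it.
    """
    lowered = text.lower()
    start = lowered.rfind("<script")
    if start == -1:
        return None
    tail = text[start:]
    if GUMBLAR_MARKER.search(tail):
        return start
    if not OBFUSCATION.search(tail):
        return None
    if suffix == ".php":
        # Script after the last "?>" is not WordPress output; script appended to a
        # file that never leaves PHP mode is raw text inside PHP code (a parse error).
        last_close = lowered.rfind("?>")
        return start if last_close == -1 or start > last_close else None
    if suffix in (".html", ".htm"):
        # Legitimate snippets live inside <body>; injected ones follow the closed document.
        end_of_doc = max(lowered.rfind("</body>"), lowered.rfind("</html>"))
        return start if end_of_doc != -1 and start > end_of_doc else None
    return None


def scan_tree(root: Path):
    """Walk a web root and return [(path, offset)] for every file that looks injected."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        # latin-1 maps every byte to one character, so text offsets equal byte
        # offsets and the truncation in strip_injection cannot corrupt non-ASCII data.
        text = path.read_bytes().decode("latin-1")
        offset = find_injection(text, path.suffix.lower())
        if offset is not None:
            hits.append((path, offset))
    return hits


def strip_injection(path: Path, offset: int) -> Path:
    """Save a .bak copy, then truncate the file at offset. Returns the backup path."""
    data = path.read_bytes()
    backup = path.with_name(path.name + ".bak")
    backup.write_bytes(data)
    path.write_bytes(data[:offset])
    return backup


# Constructed sample content (not real WordPress files or real malware).
CLEAN_PHP = "<?php\nadd_filter('the_content', 'wptexturize');\n"
INFECTED_PHP = CLEAN_PHP + (
    "<script>/*GNU GPL*/ try{window.onload=function(){"
    "var s=unescape('%3Ciframe');eval(s);}}catch(e){}</script>"
)
CLEAN_HTML = "<html><body><p>hi</p><script>var a=1;</script></body></html>\n"
INFECTED_HTML = CLEAN_HTML + "<script>document.write(unescape('%3Ciframe'))</script>"


def run_demo() -> dict:
    """Write the samples into a temporary web root, scan, strip, and report."""
    samples = {
        "wp-includes/default-filters.php": INFECTED_PHP,
        "wp-includes/clean.php": CLEAN_PHP,
        "index.html": INFECTED_HTML,
        "about.html": CLEAN_HTML,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body.encode("utf-8"))
        hits = scan_tree(root)
        for path, offset in hits:
            strip_injection(path, offset)
        return {
            "flagged": sorted(p.relative_to(root).as_posix() for p, _ in hits),
            "restored": {rel: (root / rel).read_bytes().decode("utf-8") for rel in samples},
        }


if __name__ == "__main__":
    print(run_demo()["flagged"])
```

Review the hits before stripping: a legitimate `document.write(unescape(...))` placed after `?>` in a PHP template would also be flagged, and truncation only removes the appended tail, not anything inserted elsewhere. Cleaning the files is also only half the job; if the attacker holds valid FTP or cPanel credentials, the files will be rewritten on the next pass, so rotate those credentials from a machine you trust before putting the site back.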

Livewire

Abuse Compliance Officer
Staff member
changc said:
Hello,

Recently I had a problem where my WordPress blog was attacked by a malicious script. It appended JavaScript to the ends of dozens of files in my blog, and it broke it to where it would not load.

I have searched around and it appears that this error has happened for other people as well, as seen in this forum thread. http://wordpress.org/support/topic/344181?replies=12#post-1330209 If you do a Google search for the OP's error message, the same problem appears to have occurred for other bloggers. http://www.google.com/search?q=unexpected+"/wp-includes/default-filters.php+on+line+229"

There are not any confirmed security holes in WordPress 2.9 yet, so someone in that thread suggested that it may have something to do with a breach in security for my hosting here.

edit: it appears to be a form of the Gumblar iframe virus. http://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html


I do have to disagree with it being a hosting vulnerability; if it was, shouldn't my own wordpress blog which is linked in my signature have been affected by now too? :)

The problem I can guess at is that it's actually brute-forcing the password or obtaining it through other means, such as a keylogger on your PC that snags the password so someone else can log in and infect the site later. This won't be true for everyone though, but I'm still thinking that's the cause - either they're getting the cPanel password, or they're getting the admin login details for WordPress and they're doing damage that way.


I don't see how it's a server vulnerability though, but maybe I'm wrong. Just giving my reasons why I don't think it is :)
 

TechAsh

Retired
I agree with Livewire, the most likely cause is an undetected security issue with WordPress, or someone that has your password.
I strongly recommend that you change both your cPanel password and your WordPress password and run a full virus scan on your PC.
 

scylla

Member
Also, I remember seeing in my updates that vBulletin made a patch due to an exploit in older versions of Adobe Flash.
 

descalzo

Grim Squeaker
Community Support
Some thoughts...


Funny, it seems to affect WordPress, but not Drupal, Joomla, etc? None of the other PHP based systems?

And the WordPress people don't seem to answer how the supposed infection of the hosting system started. Logic would say through WordPress. But WordPress is bullet-proof. We have their word on it.

And if x10 hosting is "infected", why aren't all the other WordPress users here complaining?

Lastly, if someone had a way to infect an entire hosting system, would they settle for an iFrame redirect?
 

Livewire

Abuse Compliance Officer
Staff member
descalzo said:
Some thoughts...

Funny, it seems to affect WordPress, but not Drupal, Joomla, etc? None of the other PHP based systems?

And the WordPress people don't seem to answer how the supposed infection of the hosting system started. Logic would say through WordPress. But WordPress is bullet-proof. We have their word on it.

And if x10 hosting is "infected", why aren't all the other WordPress users here complaining?

Lastly, if someone had a way to infect an entire hosting system, would they settle for an iFrame redirect?

+1 point on all counts except the first part; I've already seen it affecting other CMSes and other sites that aren't even using a CMS. That leads me to believe it's actually a virus on the user's system in some of those cases, and that said virus is looking only for PHP and HTML files.

I can also verify that one source of said virus/malicious app is game trainers and no-dvd patches. I recently got two (one from each), although I've made sure the site itself is safe....


My localhost copy of it is friggin obliterated though. Thank GOD for backups :)
 

changc

New Member
Livewire said:
I do have to disagree with it being a hosting vulnerability; if it was, shouldn't my own wordpress blog which is linked in my signature have been affected by now too? :)

The problem I can guess at is that it's actually brute-forcing the password or obtaining it through other means, such as a keylogger on your PC that snags the password so someone else can log in and infect the site later. This won't be true for everyone though, but I'm still thinking that's the cause - either they're getting the cPanel password, or they're getting the admin login details for WordPress and they're doing damage that way.

I don't see how it's a server vulnerability though, but maybe I'm wrong. Just giving my reasons why I don't think it is :)

After some more research, it looks like it is a user-end virus. Apparently, it steals the passwords you have saved on your computer, especially in FTP programs, and then it exploits you from there.

I did a full sweep of my computer, and changed all my blog-related passwords (MySQL, cPanel, Wordpress Admin, FTP), and it is clean now. =)
 

Jarryd

Community Advocate
Community Support
That's excellent changc. :) Glad everything is sorted now.
 

farscapeone

Community Advocate
Community Support
Yes, it's Gumblar. I have heard about it before.

From CNET (http://news.cnet.com/8301-1009_3-10244529-83.html):
The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.

Very nasty one.
 