[Joly MacFie]

Today from more than one source – including a waylaid friend’s account – I have received emails with a simple url that is an html file within a wordpress theme directory.

Naturally I haven’t clicked them.

Any ideas?

[Steve]

What’s the name of the file?

[Joly MacFie]

I don’t want to put the full urls, obviously..

one is wp-content/themes/photo-workshop/yahoolinksus.html

another is wp-content/themes/theme1181/godmfas.html?jff=jkjk.nffnl&jjj=nnnn.jnk&jn=fckb

it seems to steal yahoo passwords and then mail the entire address book

[Steve]

Suggest you scan the sites here: http://sucuri.net/

[Joly MacFie]

Both sites came up clean, but outdated WordPress. One I could see is 3.0.1 one had just been checked by someone else. I guess since the file isn’t part of the actual site it doesn’t show up..

It’s probably just the old timthumb or something like it – but odd that I should see it twice on the same day – degrees of separation I guess.

I’ll try and find time to write to the site owners advising them to clean up.

[D.K. Smith]

Joly, good catch! Not a new exploit. “yahoolinksus.html” is a meta-refresh page injection that goes to a spam HRG salesletter on msbbc-story.com. We haven’t determined the injection vector yet, but outdated WordPress and sites that aren’t well secured are both factors.

Sucuri doesn’t scan deep enough to catch the types of hacks that are occurring now.

@Steve… How long must the NYC Meetup wait to get WordPress security knowledge from a local does-it-every-day expert and fellow member?  Knowledge way beyond the security-101 everyone else presents.  Remember, you cancelled my September 2011 presentation at the last minute?

Read the Westchester Meetup ratings for some independent feedback, http://www.meetup.com/Wordpress-Westchester-Meetup-Group/events/59255372/

[D.K. Smith]

I’ve received several emails from people who’ve clicked on similar links, …./godmfas.html?whatever-is-afterwards. In most recent email the injected page was in the “flexsqueeze” theme folder.

The re-direct and target pages are not currently loading malware or a virus however, it’s best practice to never click on a link you’re not 100% sure of.

Re-direct just received goes to x—x-story.com (not the domain mentioned above, x’s added to slow the spread). The domain was registered via “CENTER OF UKRAINIAN INTERNET NAMES.”  It seems they do not publish network admin info and also block traceroutes, which is typical of spammer companies.

Yes, there are companies that lease servers to spammers. Last year we helped bust one who had a datacenter in NJ.  Unlikely anything can be done about hackers/spammers operating out of Kharkiv in the Ukraine.

I traced the hacker/spammer’s nameserver to a registrar in the Bahamas and sent details and screen captures of everything to their [email protected] address. Hopefully the Bahamian registrar (who appears to be legitimate) will shut down the nameserver domain, which may eliminate the hacker’s website for a little while.

[Author]

Posts