WordPress Troubleshooting and Support
New exploit?
This topic has 6 replies, 3 voices, and was last updated 10 years ago by D.K. Smith.
June 16, 2012 at 4:42 pm #1466
Joly MacFie (Participant)
Today from more than one source, including a waylaid friend's account, I have received emails with a simple URL that is an HTML file within a WordPress theme directory.
Naturally I haven't clicked them.
Any ideas?
June 16, 2012 at 5:47 pm #2510
Steve (Keymaster)
What's the name of the file?
June 16, 2012 at 6:40 pm #2511
Joly MacFie (Participant)
I don't want to put the full URLs, obviously.
One is wp-content/themes/photo-workshop/yahoolinksus.html
Another is wp-content/themes/theme1181/godmfas.html?jff=jkjk.nffnl&jjj=nnnn.jnk&jn=fckb
It seems to steal Yahoo passwords and then mail the entire address book.
June 16, 2012 at 7:37 pm #2513
Steve (Keymaster)
Suggest you scan the sites here: http://sucuri.net/
June 16, 2012 at 7:57 pm #2514
Joly MacFie (Participant)
Both sites came up clean, but outdated WordPress. One I could see is 3.0.1; one had just been checked by someone else. I guess since the file isn't part of the actual site it doesn't show up.
It's probably just the old TimThumb or something like it, but odd that I should see it twice on the same day. Degrees of separation, I guess.
I'll try and find time to write to the site owners advising them to clean up.
June 17, 2012 at 6:03 am #2515
D.K. Smith (Participant)
Joly, good catch! Not a new exploit. "yahoolinksus.html" is a meta-refresh page injection that goes to a spam HRG salesletter on msbbc-story.com. We haven't determined the injection vector yet, but outdated WordPress and sites that aren't well secured are both factors.
Sucuri doesn't scan deep enough to catch the types of hacks that are occurring now.
@Steve... How long must the NYC Meetup wait to get WordPress security knowledge from a local does-it-every-day expert and fellow member? Knowledge way beyond the security-101 everyone else presents. Remember, you cancelled my September 2011 presentation at the last minute? Read the Westchester Meetup ratings for some independent feedback: http://www.meetup.com/Wordpress-Westchester-Meetup-Group/events/59255372/
June 18, 2012 at 2:46 am #2516
D.K. Smith (Participant)
I've received several emails from people who've clicked on similar links, …./godmfas.html?whatever-is-afterwards. In the most recent email the injected page was in the "flexsqueeze" theme folder.
The redirect and target pages are not currently loading malware or a virus; however, it's best practice to never click on a link you're not 100% sure of.
The redirect just received goes to x—x-story.com (not the domain mentioned above; x's added to slow the spread). The domain was registered via "CENTER OF UKRAINIAN INTERNET NAMES." It seems they do not publish network admin info and also block traceroutes, which is typical of spammer companies.
Yes, there are companies that lease servers to spammers. Last year we helped bust one who had a datacenter in NJ. Unlikely anything can be done about hackers/spammers operating out of Kharkiv in the Ukraine.
I traced the hacker/spammer's nameserver to a registrar in the Bahamas and sent details and screen captures of everything to their [email protected] address. Hopefully the Bahamian registrar (who appears to be legitimate) will shut down the nameserver domain, which may eliminate the hacker's website for a little while.