WordPress 2.3.3 Exploits: What to do?

My upcoming graduation and a recent site suspension have kept me out of the loop on the latest in the blogosphere. Only now did I learn about the latest large-scale hacking exploit against WordPress 2.3.3. The script (a Trojan horse) has infected over 6 thousand WordPress 2.3.3 bloggers (as of today). It creates a directory named “1” in your wp-content folder and fills it with a list of “search engine-friendly” gambling, porn, and other illegal sites. No solution has been formulated yet.

To find out whether you have been infected with this malware, check your wp-content folder for a directory named “1”. You can do this through FTP, through your file manager, or simply by visiting http://yourdomain.com/wp-content/1/ on your website. If you are infected, you will see a list of those illegal sites.

How does the virus affect your website?

Google has flagged some of the infected sites as harmful. If you are affected, this may cause a significant drop in your traffic, because a “this website may harm your PC” message will appear below your link, warning visitors not to come to your site (take the case of BonTB, who was one of the first to discover this exploit).

It may also affect your SERPs and PR since you are “hosting” illegal sites. You may also be suspended from your host since you will be violating their terms and conditions.

What to do if you are infected?

Smackdown suggests not visiting any of the infected pages listed in those SERPs, or on your own blog if you have been hacked.

You may try deleting the folder from your wp-content directory. However, that does not guarantee that you are completely free of the virus: the script may create another, similar folder.

Further, BonTB suggests the following:

Go to your Admin Dashboard, click on Manage, and in the search box type in:

noscript (many other sites use this one, so be careful deleting it if it’s pointing to something like .html) that is malware

iframe

wp-stats-php

If you see something like

MALWARE TEXT INCLUDING IFRAME OR SOME IP ADDRESS STARTING WITH 69.132.X.X

<!-- End Traffic Statistics -->

Also go to your Admin Dashboard, click on Users, and delete all users you don’t know or who look suspicious.

Here is an example:

comment_author = 'Lierthearne'
OR
comment_author_email = 'preotononsomi@mytop-in.net'
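
The checks described above can be scripted. The following Python code is an added example, not from the original post or from BonTB: it looks for the wp-content/1 directory and searches for the markers the post lists (noscript, iframe, wp-stats-php, an address starting with 69.132.). It goes beyond the post's dashboard search by scanning theme and plugin files, which the post names as a possible source; the function names and the "suspicious"/"review" labels are assumptions.

```python
import os
import re
import tempfile

# Search terms from the post; "noscript" is often legitimate, so review only.
MARKERS = {"wp-stats-php": "suspicious", "iframe": "suspicious", "noscript": "review"}
# The post describes injected text with an IP address starting with 69.132.
IP_RE = re.compile(r"\b69\.132\.\d{1,3}\.\d{1,3}\b")


def scan_text(text):
    """Return (marker, severity) pairs found in one post body or file."""
    lowered = text.lower()
    hits = [(m, sev) for m, sev in MARKERS.items() if m in lowered]
    if IP_RE.search(text):
        hits.append(("69.132.x.x address", "suspicious"))
    return hits


def scan_install(wp_root):
    """Check for wp-content/1 and scan theme and plugin files for markers."""
    findings = []
    content = os.path.join(wp_root, "wp-content")
    if os.path.isdir(os.path.join(content, "1")):
        findings.append(("wp-content/1", "spam directory", "suspicious"))
    for sub in ("themes", "plugins"):
        for dirpath, _dirs, files in os.walk(os.path.join(content, sub)):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
                rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
                findings += [(rel, m, sev) for m, sev in scan_text(text)]
    return findings


def demo():
    """Build a constructed (fake) install in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "example")
        os.makedirs(theme)
        os.makedirs(os.path.join(root, "wp-content", "1"))
        with open(os.path.join(theme, "footer.php"), "w") as fh:
            fh.write("<noscript>constructed</noscript>\n<!-- wp-stats-php -->\n")
        return scan_install(root)
```

Call `scan_install` with the path to your WordPress root; `scan_text` can also be run over post bodies exported from the database. A hit means the file or post needs a manual look, not that it is confirmed malware.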


How can you avoid this malware?

Please avoid installing new WordPress plugins, themes, or any other script. BonTB found that one of the themes he installed on one of his blogs calls the script. He also concluded that one of the WordPress plugins he installed is partially causing it.
