ccfelomvhk virus on WordPress based sites | JamiiForums | The Home of Great Thinkers


ccfelomvhk virus on WordPress based sites

Discussion in 'Tech, Gadgets & Science Forum' started by Invisible, Apr 24, 2008.

  1. Invisible

    Invisible Admin Staff Member

    #1
    Apr 24, 2008
    Joined: Feb 11, 2006
    Messages: 9,099
    Likes Received: 170
    Trophy Points: 160
    Hello buddies, there's this virus ccfelomvhk.com that's attacking so many sites. Your site will be attempting to download a virus, you need to get your space swept!

    This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5

    Try to do this:

    1. Keep searching for wp-info.txt to make sure it's not around; if it is, delete it.

        find . -name 'wp-info*'

    2. Get rid of all _new _old .jpgg .giff and .pngg

        find . -name '*_old*' -exec rm '{}' \;

    3. Find all instances of the backdoor account, which looks like:

        <?php if(md5($_COOKIE['_wp_debugger'])=="randomhash"){

    Use grep to find this:

        grep -ri _wp_debugger .

    Then do a global search and replace (for now) to replace _wp_debugger with 'unknown'

        find . -name '*.php' | xargs perl -pi -e 's/_wp_debugger/unknown/g'

    4. Upgrade all installations to 2.5

    5. Use phpmyadmin to remove the hidden 'wordpress' user account from the wp_users table in the database

    6. Reset all user passwords by replacing the MD5 hash through the database directly.


    All doesn't work?

    Probably follow this:
     
  2. Steve Dii

    Steve Dii JF-Expert Member

    #2
    Apr 24, 2008
    Joined: Jun 25, 2007
    Messages: 6,417
    Likes Received: 49
    Trophy Points: 145
    If you have got a WordPress based user content management system, I think it's best not to allow anonymous posting of comments from your website visitors. I know there is no silver bullet solution to this, but at least in that way you can, to SOME POINT, limit spammers and some attacks similar to the above.

    SteveD.
     
  3. Invisible

    Invisible Admin Staff Member

    #3
    Apr 25, 2008
    Joined: Feb 11, 2006
    Messages: 9,099
    Likes Received: 170
    Trophy Points: 160
    A Trojan program will try to reach your PC once you visit an infected site:

    Trojan name: Trojan-Clicker.HTML.IFrame.od

    Target: wp-includes/js/thickbox/loadingAnimation.gif
     
  4. Steve Dii

    Steve Dii JF-Expert Member

    #4
    Apr 25, 2008
    Joined: Jun 25, 2007
    Messages: 6,417
    Likes Received: 49
    Trophy Points: 145
    ......it is about time people revisited this thread: Viruses, malware, spyware, trojans Updates

    ..... and specifically on that thread, I highlighted in the following post the emergence of 'iFrame' attacks: http://www.jamboforums.com/showpost.php?p=168126&postcount=69


    ....be wary people!!! :(

    SteveD.
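
Added example, not part of any post in this thread: a read-only sweep for the indicators listed in steps 1 to 3 of post #1, which reports candidates instead of deleting or rewriting them so each hit can be reviewed first. The function names, the DROPFILE/RENAMED/BACKDOOR labels and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Read-only sweep of a WordPress tree for the indicators named in post #1.
# Nothing is deleted or modified; every hit is a candidate for manual review.

scan_wp_tree() {
    root="${1:-.}"
    # Step 1: the dropped wp-info file
    find "$root" -type f -name 'wp-info*' -print | sed 's/^/DROPFILE /'
    # Step 2: _new/_old copies and images with a doubled last letter
    find "$root" -type f \( -name '*_old*' -o -name '*_new*' \
        -o -name '*.jpgg' -o -name '*.giff' -o -name '*.pngg' \) -print |
        sed 's/^/RENAMED /'
    # Step 3: PHP files that reference the backdoor cookie name
    find "$root" -type f -name '*.php' -exec grep -lF '_wp_debugger' {} + |
        sed 's/^/BACKDOOR /'
}

# Builds a constructed sample tree (inert files) and prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    : > "$d/wp-info.txt"
    : > "$d/wp-content/uploads/photo.jpgg"
    : > "$d/index.php_old"
    printf '%s\n' '<?php echo "clean"; ?>' > "$d/index.php"
    # The cookie check quoted in post #1, with an empty body
    printf '%s\n' "<?php if(md5(\$_COOKIE['_wp_debugger'])==\"randomhash\"){ } ?>" \
        > "$d/wp-includes/plugin.php"
    printf '%s\n' "$d"
}

# Usage: sh wp-sweep.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    scan_wp_tree "$1"
fi
```

The `*_old*` and `*_new*` patterns can also match legitimate files, so treat RENAMED lines as leads and compare BACKDOOR hits against a clean copy of the same WordPress release.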
     