• I have two WordPress installations where l10n.js and the jquery.js were both infected with Malware. Both sites were running the most up-to-date WordPress installation and had the most up-to-date plugins [plugin list at the bottom of the email]. I fixed those two files, however, I’d like to find the cause. Sucuri.net never said the sites had malware but the files were padded with a js array of numbers that obviously decoded into something.

    I’d like to learn how to figure out the source of the issue and squash it before it happens again.

    Plugin list:

    affordableelegancecatering.com =
    {"AIOSEO":"Version 1.6.13.4",
    "Exclude Pages from Navigation":"Version 1.91",
    "NextGen Gallery":"Version 1.8.3",
    "Secondary HTML Content":"Version 2.0",
    "Widget Context":"Version 0.7",
    "XML Sitemap Feed":"Version 3.9.1"}

    brunchkansascity.com =
    {"AIOSEO":"Version 1.6.13.4",
    "Google Analytics for WordPress":"Version 4.1.3",
    "Google Analytics Tracking Code Embeder":"Version 1.5.1",
    "vSlider":"Version 4.1.1",
    "WP-Slimbox2":"Version 1.0.3.2"}

    I already fixed the sites back when the Timthumb exploit came out, however, affordable elegance never had a timthumb plugin installed.

Viewing 1 replies (of 1 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    I already fixed the sites back when the Timthumb exploit came out

    Are they on the same server? When you ‘fixed’ the site, did you change ALL your passwords for both your WordPress account and your FTP/SSH account?

  • The topic ‘Determining the origin of an exploit’ is closed to new replies.
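
The original post describes l10n.js and jquery.js padded with a JavaScript array of numbers. The following Python scanner is an added example, not part of the thread: it flags .js files that contain such long numeric runs and renders each run as text for triage. It assumes the numbers are character codes and uses a hypothetical 40-value threshold; the sample strings are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: 40 or more comma-separated integers in a row is unusual enough
# in a theme, plugin or core script to deserve a manual look.
MIN_RUN = 40
NUM_RUN = re.compile(r"(?:\b\d{1,5}\b\s*,\s*){%d,}\d{1,5}" % (MIN_RUN - 1))


def find_numeric_runs(text):
    """Return each long run of integers found in text as a list of ints."""
    return [[int(n) for n in re.findall(r"\d+", m.group(0))]
            for m in NUM_RUN.finditer(text)]


def decode_run(numbers):
    """Render a run as printable text, assuming the values are character codes."""
    return "".join(chr(n) if 32 <= n < 127 else "." for n in numbers)


def scan_tree(root):
    """Map every .js file under root holding a long numeric run to its decoded runs."""
    hits = {}
    for path in Path(root).rglob("*.js"):
        runs = find_numeric_runs(path.read_text(errors="replace"))
        if runs:
            hits[str(path)] = [decode_run(r) for r in runs]
    return hits


# Constructed samples: a harmless marker string encoded as character codes and
# appended to a stub script, next to a clean script with a short array.
MARKER = "constructed-sample-payload-marker-for-scanner-test"
SAMPLE_INFECTED = ("function l10n(){}\nvar a=["
                   + ",".join(str(ord(c)) for c in MARKER) + "];")
SAMPLE_CLEAN = "var sizes=[10,20,30];function l10n(){}"

if __name__ == "__main__":
    # Usage: python scan_js.py /path/to/wordpress
    for name, decoded in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name)
        for text in decoded:
            print("   ", text[:200])
```

A hit is a lead, not a verdict: compare the flagged file against a fresh copy from the same WordPress or plugin release, and note the file's modification time so it can be matched against FTP and web server logs.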