Problems with 3.0.3

If your site have this PE*.php file, then your site is hacked and probably displaying malware to your visitors…

It basically acts as a backdoor and creates a new document.write to one of your javascript files to send malware to visitors of your site.

What is interesting is that it only shows the malware once a day per IP and only to Windiws/IE users… Making it harder for the site owner to notice.

This is the code displayed to the users:
https://sucuri.net/malware/entry/MW:JS:457

*just as a curiosity, for the people affected, were your sites hacked in the past?

thanks,

@dd–

Thanks, this seems to be helping.

FWIW, I’ve observed 3 hacked sites — all on Media Temple, two of which were hit previously, one is a brand new site.

@dd@sucuri.net

Thanks a lot. This was infact the issue. By cleaning the .htaccess at media temple and delete PE*.PHP files the error message goes away.

Thanks a lot.

Guys I must say this was excellent post and folks helping each other out.

I having been upgrading this year from 3.x everytime to latest 3.0.1

Well it seems the wordpress blogs on Media Temple are the targets.

The Exploit checks if this WP blog then it initialzes bunch of arrays with base64 encoded strings i think.

So perfect way to enable Javascript inject on your webpages as well as allowing it to download on reader’s computer malicious script which mostly IE folks will fall pray.

@dd@sucuri.net and @eveevans
Can’t thank enough Guy.

You guys are great and solved my problem.

I cleaned up my .htaccess and removed PE*.php files from all domains and the error message went away.