WordPress Hack Causes VirusScan Alert
March 1st, 2008I received a strange email from a client, who said that he thought his website had a virus. When he went to his WordPress blog, he received this pop-up warning from VirusScan:
If you have a WordPress blog, please read on.
The message said:
Message: VirusScan Alert!
Pathname: Script executed by IEXPLORE.EXE
Detected As: JS/Downloader-AUD
State: Script execution blocked
My client contacted DreamHost.com, his hosting company, and they found the culprit, a bunch of Javascript code had been appended to one of his WordPress Theme files (the header.php file) and it was this code that was detected as a virus on his PC.
We upgraded him to the latest version of WordPress and the VirusScan alert message has disappeared.
We do not know for sure how the hacker gained access to the WordPress Theme header.php file, but we’re hoping it is now addressed by the latest version of WordPress. Since this client had virus protection, the virus (if indeed it was one) was never downloaded to his computer.
It’s a jungle out there in internet land so keep that virus software and your blog software current!
Update: Here’s some recent articles:
WordPress JS/Downloader.Agent Virus
WordPress Hack Alert: sattan.org spam redirect in wp-blog-header.php files
Patching the WordPress AnyResults.Net Hack
WordPress Exploit: wordpress_options
Jill--------------
J. Olkoski
Aldebaran Web Design, Seattle
Jill Olkoski has a BS in Engineering, a BS in Computer Science and an MA in Clinical Psychology. She delights in using her advanced technical and psychological skills to help small business owners develop cost-effective and successful websites.
March 15th, 2008 at 4:21 pm
same problem on my 2.3.3 wordpress blog.. that a huge problem
September 18th, 2008 at 7:18 am
Thumbs up to McAfee ;P I’ve seen VirusScan Enterprise working on Windows Server 2003 – it did pretty good. And there are not that many antivirus programs for Windows servers.