Themocracy WordPress Themes » malware http://themocracy.com WordPress Theme Design Thu, 18 Aug 2011 07:34:18 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 WordPress and Gumblar – a significant problem http://themocracy.com/2009/11/wordpress-and-gumblar-a-significant-problem/ http://themocracy.com/2009/11/wordpress-and-gumblar-a-significant-problem/#comments Fri, 06 Nov 2009 17:48:34 +0000 Lisa http://themocracy.com/?p=199

virus signYou’ve got a problem – all your WordPress pages show an error message something like this

Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) : eval()’d code:1)
in /xxx/yyy/site/wp-config.php(1) : eval()’d code on line 1

the eval()’d code is the significant part.

So you have a look – and you’ve got a whole heap of rubbish in all php files that starts off something like

eval(base64_decode(‘aWYoIWlzc2V0K….

You might also hunt around for any files helpfully named exploit.php

You’ve caught Gumblar – which is an unpleasant business that attacks any PHP driven application, WordPress, Joomla, e-commerce applications, anything.

Its main purpose seems to be to redirect Google search results – results that were yours will start heading off somewhere else. It may also grab sensitive information from compromised machines, and target your site visitors with attacks on PDF and Flash Player vulnerabilities to plant malware on their PCs.

1. First thing, remove all the infected files and replace them – you have got a clean copy of your site sitting on your desktop…? You should do, and probably will after this… If not, the quickest way is to make sure that all your /wp-content folder is clean, then download the latest version of WordPress and do an update on the way.

2. Change your FTP access details – and that doesn’t mean, if you’re a developer, changing them and then sending the new details to all interested parties by unencrypted email. Use a text message… it’s about the best use for a text message I’ve ever found.

3. Change your wp-config password details – obviously.

4. Check through your file/folder permissions, CHMOD etc – if you’ve somehow got folders at 777 that shouldn’t be, you need to sort this now. But this can be a tricky one. Depending on server configuration, image uploads may require varying permissions – check out Hardening WordPress on the subject – and if you are still unsure, get someone who does some sysadmin to have a look

If there’s any updates in this area, do comment and we will also include any other info as it becomes available.

]]> http://themocracy.com/2009/11/wordpress-and-gumblar-a-significant-problem/feed/ 0