Well, I just got done cleaning my WordPress program. There were a couple of exploits that I was unaware of for my older v2.1. Here’s how the story goes. One day I visit my blog and get a Virus Alert from my AVG antivirus program: JS / Downloader Agent Virus. I also noticed that I got reported on Google’s block list as an Attack Site. Doh! Doh!
So, I immediately started an upgrade to v2.6, but it didn’t help. After scouring the Internet for information, I came across a WordPress article that mentioned a bit of code in the Themes. In particular, in the footer.php and index.php files. I had some crap in the footer.php and also cleaned a strange php write() from the end of the index.php file. After that, I thought I was good to go, but I was wrong.
Somehow my site was still infected. Luckily, I noticed that I was downloading something from another Website when I loaded the blog page. The file was loading from 65.155.8.157 which was somewhere in California, US. So, I figured this was some kind of exploit for link building schemes or something of that spamish nature.
Noticing that the IP address couldn’t be found in any of my blog files, I turned to my database. I did a search of my entire database using the phpMyAdmin tool: search. It helped me find the blog entry that somehow had an iframe tag added to it. Doh! Doh! I removed the additional code from my blog posting and the Virus alert finally was gone. I did one last search for “iframe” in the entire database just to make sure I got all of the problems. Looks like XSS / iframe attacks are more serious than I expected.
Cheers! I hope this helps someone.
Jeff Walters
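
The database check described in the post, as an added example that is not part of the original post: a Python script that parses the HTML of every post body and reports `iframe`, `script`, `embed` and `object` tags that load from a host other than the blog's own, so posts that merely mention the word "iframe" are not flagged. The in-memory SQLite table stands in for the real MySQL `wp_posts` table; the `wp_` prefix, the hostname `blog.example.com`, the sample rows and the address `203.0.113.7` are assumptions constructed for the example.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"blog.example.com"}  # assumption: the blog's own hostname(s)
EMBED_TAGS = {"iframe", "script", "embed", "object"}

class EmbedFinder(HTMLParser):
    """Collects (tag, url) for embedding tags that load from a foreign host."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches.
        if tag not in EMBED_TAGS:
            return
        a = dict(attrs)
        url = a.get("src") or a.get("data") or ""
        host = urlparse(url).hostname  # None for relative URLs and inline code
        if host and host.lower() not in SITE_HOSTS:
            self.hits.append((tag, url))

def scan_posts(conn):
    """Return [(post_id, tag, url)] for foreign embeds in wp_posts.post_content."""
    findings = []
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts"):
        finder = EmbedFinder()
        finder.feed(content or "")
        findings += [(post_id, tag, url) for tag, url in finder.hits]
    return findings

def sample_db():
    """Constructed in-memory stand-in for a WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>Hello world</p>"),
        (2, '<p>Trip photos</p><IFRAME SRC="http://203.0.113.7/x" width=0 height=0></IFRAME>'),
        (3, '<script src="/wp-includes/js/jquery.js"></script>'),
        (4, "<p>Mentions the word iframe in plain text only</p>"),
        (5, '<iframe src="https://blog.example.com/embed/map"></iframe>'),
    ])
    return conn

if __name__ == "__main__":
    for post_id, tag, url in scan_posts(sample_db()):
        print(f"post {post_id}: <{tag}> loads {url}")
```

Against a live site the same `scan_posts` logic would read from a database dump or a MySQL connection instead of the sample table, and other content-bearing tables (comments, options) deserve the same pass.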
