This Site Wouldn’t Harm A Flea…

13 Responses to “This Site Wouldn’t Harm A Flea…”

1. David on April 30th, 2008 4:14 pm

   Running WordPress? Running an older version? You may have had your theme, or WP install compromised in a recent security issue and as such, in your header, or footer, of your theme, you will find some PHP code that shouldn’t be there.

   Check over your theme, upgrade WordPress, check your WordPress folders for php file that shouldn’t be there, and lock down you wp-content folders to a better security permission level.

   If you need any help with any of this, let me know.

   -David
   BloggingPro.com and other sites.

2. Martin Avis on May 1st, 2008 2:38 am

   According to Norton AV, every time I visit this site it blocks a virus that it identifies as ‘Downloader’ - a trojan.

   In the NAV’s history section it mentions a file called wp-stats[1].htm as being the culprit.

   I can’t see a file by that name in your source code but it may be hidden in something else.

   Martin

3. Eric Giguere on May 1st, 2008 9:48 am

   Thanks for the feedback, guys. I must have a bogus file somewhere on the site. I’ll start looking. The wp-stats.htm file is odd, I can’t find any reference to it, either. A quick eyeball of my page source code doesn’t show anything odd.

   Eric

4. Eric Giguere on May 1st, 2008 10:53 am

   So I found someone had inserted some code, including a call to wp-stats, over on AdSensePHP.com, which is linked to from here. Maybe that’s part of the problem. I’ve fixed AdSensePHP.com and upgraded it to WP 2.5. I’ve also upgraded MEMWG to WP 2.5 for good measure. I’ll see if I can find anything else.

   Eric

5. Eric Giguere on May 1st, 2008 11:11 am

   Now Google is flagging my “101 Uses For PLR Articles” post specifically as a culprit. I can’t find anything on it, though, that is suspect. If you do, let me know!

   Eric

6. Martin Avis on May 1st, 2008 11:32 am

   It may be one of your widgets of plugins.

   If you want to try disabling them one at a time, I’ll happily see if Norton reacts.

   Martin

7. Jean-Claude on May 1st, 2008 4:01 pm

   Every time I visit this site Norton also blocks a virus that it identifies as ‘Downloader’ - a trojan and I have been wondering why. This has been going on for at least two weeks.

   J.C.

8. Tony Depledge on May 2nd, 2008 4:47 am

   Hi Eric
   1. Everytime I visit the site, it seems to take forever to load - I don’t know if that’s relevant to the problem.
   2. When I clicked the link above to “101 uses for PLR Articles”, the status line at the bottom of the screen came up with a message transferring data from (or waiting for) http://www.wp-stats-php.info. It didn’t come up again when I reloaded the page or tried the link again, so I can’t confirm the exact wording of the message, but I’m pretty sure of the url.
   Cheers
   Tony

9. Eric Giguere on May 2nd, 2008 4:05 pm

   I’ve found two iframe injections so far, which explains the malware warning. Have to go looking for more…

   I’ve also enabled caching on the site, you should see a speed improvement because of it.

   Eric

10. Martin Avis on May 4th, 2008 4:48 am

    Norton remained silent when I visited here today, so it looks as if you’ve found the problem and solved it.

    Any idea what the cause was? If it did stem from a plugin it would be useful to know to avoid it!

    Martin

11. Eric Giguere on May 6th, 2008 5:53 am

    I don’t know what caused it, no. Could be a plugin, could be (more likely) a vulnerability in the earlier version of WordPress I was using.

    I’m working on something to help find these kinds of problems… watch this blog!

    Eric

12. Johnny on May 10th, 2008 9:25 am

    >>I’ve found two iframe injections so far, which explains the malware warning.<<

    What are iframe injections and how do I figure out if I have any of them on my wp blog?

    Johnny

13. Eric Giguere on May 17th, 2008 9:21 am

    Johnny, I’m preparing a post and a solution to those iframe injections… stay tuned!