WordPress 3.0.1 Intrusion through TinyMCE

  • awmartin

    (@awmartin)


    15 years, 8 months ago

    I have just had 2 WordPress sites hacked by the addition of two files into the /wp-includes/js/tinymce folders and the insertion of HTML into the publicly facing files referencing those new files.

    Here is the HTML found after the <body> tag:
    <ads><script type=”text/javascript” src=”/wp-includes/js/tinymce/utils/drb-slider.js.php”></script></ads>

    The other site referenced this file:
    /wp-includes/js/tinymce/themes/jquery.rating.js.php

    These two files, drb-slider.js.php and jquery.rating.js.php are, of course, not part of the TinyMCE package that comes with WordPress, yet these files were inserted nonetheless in the attack. They contain rather nasty looking scripts that reference content on the IP address listed in this Norton warning:
    http://safeweb.norton.com/report/show?name=85.234.191.206

    Has anyone encountered this intrusion before? How would one go about preventing this from happening again?

Viewing 1 replies (of 1 total)
  • cwcage

    (@cwcage)

    15 years, 7 months ago

    I discovered a similar problem. I was alerted that my site was serving malware from null.corneliuspropertyvalue.com and from 85.234.191.213

    I couldn’t find anything through a direct search of the code, however when I ran a ClamWin antivirus scan it discovered the following file as being an infected file.

    \wp-includes\js\tinymce\utils\eject.php

    I think this post is about a similar problem.
    Trying to solve virus/malware problem

Viewing 1 replies (of 1 total)

The topic ‘WordPress 3.0.1 Intrusion through TinyMCE’ is closed to new replies.

Tags