www.purebasic.fr/blog infected with malware?!

[c4s]

Looks like the PureBasic blog got infected with some kind of spam malware:
http://sitecheck.sucuri.net/results/www ... ic.fr/blog


Edit: (Currently) it doesn't seem to be harmful - just a few hidden spam links have been added. Still, the Wordpress installation got infected with unwanted code...

[ts-soft]

Google shows no problems: http://safebrowsing.clients.google.com/ ... ic.fr/blog

[Didelphodon]

hacked == hacked

[c4s]

Google shows no problems: http://safebrowsing.clients.google.com/ ... ic.fr/blog

So what? No need to give all your trust in the almighty / omniscient Google corporation...
Just take a look at the source code of purebasic.fr/blog (at the very bottom) to check it out for yourself.

[Bisonte]

WordPress version outdated: Upgrade required.

Maybe an update can help with security ...

[Kukulkan]

Hi,

I can not see any MALWARE distribution on the page source code. But I'm just wondering about the last block in the HTML source:

Code: Select all

<div style="left: -3565px; position: absolute; top: -4812px"><li>Buy Cheapest <a href="http://subcreators.com/blog/buy-no-prescription-periactin">buy no prescription periactin</a> Online Discount Online Pharmacy. Low Prices.</li>
<li>Buy Cheap <a href="http://mebelisirakov.com/purchase-dostinex-from-canada">purchase dostinex from canada</a> Online Best Online. 100% Satisfaction Guaranteed.</li>
<li>Buy Cheap <a href="http://mebelisirakov.com/india-online-pharmacies">india online pharmacies</a> Online Online Medical Shop. Cheap Online Pharmacy.</li>
<li>Buy Cheapest <a href="http://www.navegandoxlared.es/?p=35112">cheapest lotrisone pills</a> Now Best Prices. Pharmacy At The Best Price!</li>

(...)

<li>Buy Cheapest <a href="http://krischronicles.com/?p=36752">buy pills ephedraxin</a> Online Best Drugstore. Guaranteed Shipping.</li>
<li>Buy Cheap <a href="http://waxidermy.com/with-prescription-levitra-plus">with prescription levitra plus</a> Now Top Online Pharmacy Supplier. Best Internet.</li>
</div>

Looks like spamming... But maybe the WordPress template used by Fred is just a "bad" one

Kukulkan

[c4s]

I'm pretty sure that these spam links are new. So how did they get there? It seems that someone besides the PB team was able to manipulate the Wordpress installation...

[Didelphodon]

as far as i know recently there have been published some new wordpress vulns. through january we have seen a massive attack on joomla websites due to new vulns. so its absolutely necessary to keep those CMSes up to date - including all of the other stuff like plugins and the like. regarding wordpress there is a new release 3.5.1 available - just for the sake of completeness.

[Fred]

I just updated wordpress and it seems all gone.

[SFSxOI]

It wasn't suspicious to Google because Google doesn't count spam (like that shown above in this thread) as malicious content, because it actually isn't (and isn't malware if the links don't point to known malware content) and its more of an annoyance. Sucuri Site does include such spam in their consideration for exclusion, so it shows up with Sucuri Site and not Google.

[c4s]

I just checked the blog and noticed that the spam links are again listed in the source code. My only explanation for this is that the bad guys somehow have access to the Wordpress installation - could be through the theme, a plugin, comment system or even ftp. Maybe this has to do with the recent down-times of the forum?!

[Kukulkan]

I have to confirm. There is an additional div container full of spam links on the homepage. Best would be to change all admin passwords to that server...

Kukulkan