www.purebasic.fr/blog infected with malware?!

Posted: Wed Feb 06, 2013 6:11 pm
by c4s
Looks like the PureBasic blog got infected with some kind of spam malware:
http://sitecheck.sucuri.net/results/www ... ic.fr/blog


Edit: (Currently) it doesn't seem to be harmful - just a few hidden spam links have been added. Still, the WordPress installation got infected with unwanted code...

Re: www.purebasic.fr/blog infected with malware?!

Posted: Wed Feb 06, 2013 6:37 pm
by ts-soft

Re: www.purebasic.fr/blog infected with malware?!

Posted: Wed Feb 06, 2013 7:14 pm
by Didelphodon
hacked == hacked

Re: www.purebasic.fr/blog infected with malware?!

Posted: Wed Feb 06, 2013 7:50 pm
by c4s
ts-soft wrote: Google shows no problems: http://safebrowsing.clients.google.com/ ... ic.fr/blog

So what? No need to give all your trust in the almighty / omniscient Google corporation...
Just take a look at the source code of purebasic.fr/blog (at the very bottom) to check it out for yourself.

Re: www.purebasic.fr/blog infected with malware?!

Posted: Thu Feb 07, 2013 9:14 am
by Bisonte
WordPress version outdated: Upgrade required.
Maybe an update can help with security ...

Re: www.purebasic.fr/blog infected with malware?!

Posted: Thu Feb 07, 2013 10:24 am
by Kukulkan
Hi,

I cannot see any MALWARE distribution on the page source code. But I'm just wondering about the last block in the HTML source:

Code:

<div style="left: -3565px; position: absolute; top: -4812px"><li>Buy Cheapest <a href="http://subcreators.com/blog/buy-no-prescription-periactin">buy no prescription periactin</a> Online Discount Online Pharmacy. Low Prices.</li>
<li>Buy Cheap <a href="http://mebelisirakov.com/purchase-dostinex-from-canada">purchase dostinex from canada</a> Online Best Online. 100% Satisfaction Guaranteed.</li>
<li>Buy Cheap <a href="http://mebelisirakov.com/india-online-pharmacies">india online pharmacies</a> Online Online Medical Shop. Cheap Online Pharmacy.</li>
<li>Buy Cheapest <a href="http://www.navegandoxlared.es/?p=35112">cheapest lotrisone pills</a> Now Best Prices. Pharmacy At The Best Price!</li>

(...)

<li>Buy Cheapest <a href="http://krischronicles.com/?p=36752">buy pills ephedraxin</a> Online Best Drugstore. Guaranteed Shipping.</li>
<li>Buy Cheap <a href="http://waxidermy.com/with-prescription-levitra-plus">with prescription levitra plus</a> Now Top Online Pharmacy Supplier. Best Internet.</li>
</div>
Looks like spamming... But maybe the WordPress template used by Fred is just a "bad" one ;-)

Kukulkan

Re: www.purebasic.fr/blog infected with malware?!

Posted: Thu Feb 07, 2013 10:38 am
by c4s
I'm pretty sure that these spam links are new. So how did they get there? It seems that someone besides the PB team was able to manipulate the WordPress installation...

Re: www.purebasic.fr/blog infected with malware?!

Posted: Thu Feb 07, 2013 12:50 pm
by Didelphodon
As far as I know, some new WordPress vulns have been published recently. Through January we have seen a massive attack on Joomla websites due to new vulns. So it's absolutely necessary to keep those CMSes up to date - including all of the other stuff like plugins and the like. Regarding WordPress, there is a new release 3.5.1 available - just for the sake of completeness.

Re: www.purebasic.fr/blog infected with malware?!

Posted: Thu Feb 07, 2013 1:29 pm
by Fred
I just updated WordPress and it seems all gone.

Re: www.purebasic.fr/blog infected with malware?!

Posted: Thu Feb 07, 2013 7:03 pm
by SFSxOI
It wasn't suspicious to Google because Google doesn't count spam (like that shown above in this thread) as malicious content, because it actually isn't (and isn't malware if the links don't point to known malware content) and it's more of an annoyance. Sucuri Site does include such spam in their consideration for exclusion, so it shows up with Sucuri Site and not Google.

Re: www.purebasic.fr/blog infected with malware?!

Posted: Tue May 21, 2013 11:46 am
by c4s
I just checked the blog and noticed that the spam links are again listed in the source code. My only explanation for this is that the bad guys somehow have access to the WordPress installation - could be through the theme, a plugin, comment system or even FTP. Maybe this has to do with the recent down-times of the forum?!

Re: www.purebasic.fr/blog infected with malware?!

Posted: Tue May 21, 2013 11:51 am
by Kukulkan
I have to confirm. There is an additional div container full of spam links on the homepage. Best would be to change all admin passwords to that server...

Kukulkan