
PHP injection exploit?

No replies to this topic

#1 pakhan



Posted 26 February 2010 - 11:42 PM

Hi all,

I'd appreciate your help with some problems I have been facing.

I recently changed webhosts and updated my WordPress site: guitarbench.com

Soon after the move, I received emails that the site was flagged by AVAST. Removal of some IP to world map trackers solved that issue.

Then I noticed a lot of issues with the visual editor and reinstalled WordPress automatically as per the wordpress.org FAQ advice. Soon after, I was getting a blank page on my dashboard. Looking through the process, the Dashboard would load fine but then try to reload to a blank page. I noticed that the page was trying to load to www.foreigntechnolonies.com. A look through the page source and I found this: "http://foreigntechnologies.com/ivanyuk/JU3Zgt3HDr.php" which I didn't recognise.

Then a look through my folders showed: gifimg.php which looks like a PHP Script Injection Exploit.

I deleted the gifimg.php files, but it made no difference, so I deleted all the .js files with the write:script in; also no difference. Then I disabled all the plugins, and it solved the problem. I narrowed it down to the add everything plugin, which I then deleted. That seemed to solve the problem. So far so good, but then I added back the .js files I had deleted, all the time checking to see if the site worked OK. When I got to the end, the site came down with the same problem again. So I repeated the same process, except there are no gifimg.php files left, and now it doesn't solve the problem and the "http://foreigntechnologies.com/ivanyuk/JU3Zgt3HDr.php" is still showing up. Rats!

So I pumped my URL into unmaskparasites, which comes up as apparently clean. I'm now running Malwarebytes on my own PC to see if I can find anything, but I'm kinda lost as to where to go from here.

Edited by pakhan, 26 February 2010 - 11:52 PM.
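
An added example, not part of the original post: a read-only Python check that searches a local copy of the site files for the two indicators named above (the gifimg.php filename and the foreigntechnologies.com domain) and snapshots file hashes, so that files which change or reappear between cleanup passes can be identified. The scanned extensions and all function names are assumptions.

```python
import hashlib
import os

# Indicators quoted in the post; the extension list is an assumption.
SUSPECT_NAMES = {"gifimg.php"}
SUSPECT_STRINGS = (b"foreigntechnologies.com",)
SCANNED_EXTS = {".php", ".js", ".htm", ".html"}


def _web_files(root):
    """Yield (relative_path, bytes) for script/markup files under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext in SCANNED_EXTS or name == ".htaccess":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield os.path.relpath(path, root), fh.read()


def scan(root):
    """Return sorted (path, reason) pairs for files matching an indicator."""
    hits = []
    for rel, data in _web_files(root):
        if os.path.basename(rel).lower() in SUSPECT_NAMES:
            hits.append((rel, "suspect filename"))
        for needle in SUSPECT_STRINGS:
            if needle in data.lower():
                hits.append((rel, "contains " + needle.decode()))
    return sorted(hits)


def snapshot(root):
    """Map each scanned file to its SHA-256 so later changes can be spotted."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in _web_files(root)}


def changed_since(before, after):
    """Return files that appeared or were modified between two snapshots."""
    return sorted(p for p, digest in after.items() if before.get(p) != digest)


if __name__ == "__main__":
    import sys
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, reason, sep="\t")
```

Taking a snapshot before restoring files and comparing it afterwards shows which files were rewritten in between. The check covers files on disk only; content stored in the WordPress database is not scanned.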
