PHP/WPTrojan.b
- Type
- Trojan
- SubType
- PHP Script
- Discovery Date
- 11/07/2008
- Length
- 54,915 bytes
- Minimum DAT
- 5427 (11/07/2008)
- Updated DAT
- 5427 (11/07/2008)
- Minimum Engine
- 5.2.00
- Description Added
- 11/07/2008
- Description Modified
- 11/07/2008 7:20 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
This is a detection for a modified PHP script file from WordPress 2.6.4 that has been trojanized to allow remote code inclusion and execution.
The trojanized file is hosted on a typosquatted domain. The attacker could exploit older, unpatched vulnerabilities in WordPress to modify the dashboard modules so that they point to a feed of the attacker's choosing. That feed could then be used to social-engineer users into downloading and installing the trojanized version of the file.
The affected file is:
- pluggable.php
Symptoms
- HTTP requests attempting a connection to http://wordpresz[blocked]
Method of Infection
These are trojanized scripts that were modified with malicious intent. Users of this application should obtain the latest version from the vendor.
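Because the trojan is a modified copy of a file the vendor ships, the practical defender's check is to compare the installed WordPress tree against an untouched copy of the same release obtained from the vendor. The script below is an added example, not McAfee's or WordPress's own code; it assumes you have extracted the pristine release next to the suspect install, and the file contents it builds for the demonstration are constructed placeholders, not the real pluggable.php or the trojan's code.

```python
"""Compare a WordPress install's PHP files against a pristine vendor copy.

Hypothetical integrity checker (example code, not from McAfee or WordPress).
Every PHP file whose hash differs from the vendor reference is reported,
which is how a trojanized wp-includes/pluggable.php would surface.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large trees never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, pattern: str = "**/*.php") -> dict:
    """Map each PHP file under root (as a POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.glob(pattern)
        if p.is_file()
    }


def compare_install(reference_root: Path, install_root: Path) -> dict:
    """Return the files that differ from the vendor reference.

    'modified': in both trees but with different content (the trojan case)
    'extra':    only in the install (dropped files that the release never had)
    'missing':  only in the reference (deleted or renamed files)
    """
    ref = hash_tree(reference_root)
    inst = hash_tree(install_root)
    return {
        "modified": sorted(p for p in ref.keys() & inst.keys() if ref[p] != inst[p]),
        "extra": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }


def demo() -> dict:
    """Build two small constructed trees and compare them.

    The contents are placeholders made up for this example; they are not
    the real pluggable.php and contain nothing from the trojan.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "wordpress-2.6.4-vendor"   # pristine vendor release
        inst = Path(tmp) / "wordpress-suspect"        # the install under review
        for root in (ref, inst):
            (root / "wp-includes").mkdir(parents=True)

        clean = b"<?php\n// constructed stand-in for the vendor file\nfunction wp_mail() {}\n"
        (ref / "wp-includes" / "pluggable.php").write_bytes(clean)
        (ref / "wp-includes" / "functions.php").write_bytes(b"<?php // unchanged\n")

        # The suspect install carries an altered pluggable.php plus one file
        # the vendor never shipped; functions.php is identical in both.
        (inst / "wp-includes" / "pluggable.php").write_bytes(clean + b"// line not in the release\n")
        (inst / "wp-includes" / "functions.php").write_bytes(b"<?php // unchanged\n")
        (inst / "wp-includes" / "unexpected.php").write_bytes(b"<?php // not in the release\n")

        return compare_install(ref, inst)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

On a real system, point `compare_install` at the extracted vendor archive and the web root; anything listed under "modified" or "extra" should be replaced from the vendor copy rather than edited in place, since the check only tells you that a file differs, not what was changed.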
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email, or other media where users can share files.
Variants
N/A
All Information
Overview
-- Update November 7, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/11/06/trojanised_wordpress/
--
Aliases
- WPHack-A (Sophos)