It started yesterday. When I was checking my blogs, I got this error message on every page.
Parse error: syntax error, unexpected ‘<’ in /home/$myhomedir$/public_html/wp-includes/default-widgets.php on line 1034
I immediately opened default-widgets.php in the wp-includes directory using Notepad, then pressed CTRL + G to go to line #1034. I was very surprised to find this code in default-widgets.php.
I also found similar malicious code on Google.
The 1st code above will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/, while the 2nd code above will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/
I could access my iPhone blog, though another error appeared:
Can not modify header information – headers already sent by (output started at …
At the same time, InternetDownloadManager asked me to download ChangeLog.pdf from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/pics/ChangeLog.pdf and MBAM (Malwarebytes’ Anti-Malware) detected C:\Documents and Settings\username\Local Settings\Temp\0.5147965079164781.exe (random file name) as Trojan.Dropper. Kaspersky Anti-Virus 2009 couldn’t detect it, but Kaspersky Anti-Virus 2010 detected it as an unknown threat, UDS: DangerousObject.Multi.Generic, with High criticality.
I understood that I had been infected by a virus, though I had no idea what kind of virus it was. Searching Google with <script>/*GNU GPL*/ try{window.onload as the keyword didn’t help much, while using setAttribute(‘id’, `myscript1`) just displayed a list of websites that had been infected. Last but not least, I used setAttribute(‘id’, `myscript1`) virus as the keyword, which referred me to WebHostingTalk.nl. I got a little enlightenment about what I was dealing with.
So, its name is Gumblar. You can find further information about Gumblar on Unmask Parasites Blog, Wikipedia, or ISS.net. I got a lot of useful information.
However, I might have been infected by a variant of it, because it didn’t inject an iframe, there was no base64 code, no images.php file, and even the code was different.
The one I got spreads itself by infecting all JavaScript files (*.js) and index files (*index*, *default*). www.ryan-isra.net, which is hosted on the same hosting, was also infected. So far, I suspect that either my Windows XP has been infected with a keylogger or someone is sniffing my network traffic :D
Now, my WordPress blog has been disinfected.
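As an added example (not code from the original post), here is a small Python scan of a downloaded copy of the site for the two strings quoted above, limited to the file types the post says were modified. The function names and the sample tree are constructed for illustration, and matching the quote characters loosely is an assumption, since the blog may have re-typeset them.

```python
import fnmatch
import os
import re
import tempfile

# Any of these may stand in for a quote; the blog shows typographic ones (assumption).
Q = "['\"`\u2018\u2019]"
# The two strings quoted in the post, with whitespace matched loosely.
MARKERS = [
    re.compile(r"/\*\s*GNU GPL\s*\*/\s*try\s*\{\s*window\.onload"),
    re.compile(r"setAttribute\(\s*" + Q + "id" + Q + r"\s*,\s*" + Q + "myscript1" + Q),
]
# File name patterns the post reports as modified; *default* also covers default-widgets.php.
TARGETS = ["*.js", "*index*", "*default*"]

def is_target(name):
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in TARGETS)

def scan(root):
    """Return sorted (relative_path, line_number) pairs for every marker hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(m.search(line) for m in MARKERS):
                        hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: two tagged files, one clean file, one non-target file."""
    files = {
        "wp-includes/default-widgets.php":
            "<?php\n// widgets\n?>\n<script>/*GNU GPL*/ try{window.onload = function(){}}catch(e){}</script>\n",
        "wp-content/themes/x/menu.js": "var a = 1;\nel.setAttribute('id', 'myscript1');\n",
        "index.php": "<?php echo 'clean'; ?>\n",
        "readme.txt": "/*GNU GPL*/ try{window.onload\n",  # not a target name, so skipped
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, lineno in scan(tmp):
            print(f"{rel}:{lineno}")
```

Each reported line number points at where the tag sits, which helps when comparing the file against a clean copy from the original WordPress package.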
Yes, got it too and my assumption is that my own computer has been hacked. Two days ago in the evening it started behaving strangely and I got a warning about a trojan which I thought was blocked. The next morning I had most of my websites changed with the code.
Yeah, I saw a lot of infected websites when I was searching for a piece of code on Google.
I hope you've fixed all of your websites?
Tnx Ryan, I will try that immediately!
That seems to be working, just notified google to do another review of my site because it’s now reported as a threat. Tnx Ryan!
You’re welcome. Anyway, you can check out my new post about how to fix it.
Oh, sorry to hear that, buddy. Luckily, mine had not been reported.
What did you do to fix it? I'm still having a blank screen and lots of infected .js, index default files.
I replaced the wp-admin and wp-includes directories, because I never made any changes.
Then, I zipped all files in wp-content, downloaded it, replaced all malicious code using Notepad++, then re-uploaded it.