
Slimp.net (18 posts)

  1. malcs_64
    Member
    Posted 14 years ago #

    slimp.net has hit my MU and somehow has left graphic skyscraper ads on all of my blogs. Any idea how such a thing happens and how it can be prevented?

  2. andrea_r
    Moderator
    Posted 14 years ago #

    The theme you're using perhaps?

  3. tdjcbe
    Member
    Posted 14 years ago #

    You may have been hacked. Best bet would be to do a grep for 'slimp.net' within your file root to see from what file it's coming from.

    A link to your site would also be helpful.

  4. s_allure
    Member
    Posted 14 years ago #

    I have the regular wordpress 2.7 and have been noticing the same issue when entering from google. My site is http://www.alluresound.com - I've tried deleting comments, changing my password, and I'm just starting to investigate further.

  5. tdjcbe
    Member
    Posted 14 years ago #

    Just interesting as your url leads to a myspace page and not a wp install.

  6. kgraeme
    Member
    Posted 14 years ago #

    If the myspace site isn't yours, then it looks like you've been hit by a site redirect hack. Look in your apache.conf and look for any new or modified .htaccess files for something forcing a 301 redirect.

    I did an HTTP headers trace on the url you linked and the first thing I see is:
    GET 301 Redirect to: http://www.myspace.com/alluresoundstudios http://www.alluresound.com/

    So it appears to be something on your site doing the redirect instead of, say, DNS poisoning.

  7. s_allure
    Member
    Posted 14 years ago #

    That redirect was mine - and I just ended up doing a fresh install. Haven't had any issues since.

  8. waffledog
    Member
    Posted 14 years ago #

    Getting Slimp banners on my regular WP install, too. The hacker edited an AC_RunActiveContent.js file to bring up the advertisements. I'd check that and any javascript files you call within your template or through plugins... look for garbled function names like BBXsv0 which are a dead giveaway.

  9. lazymanandmoney
    Member
    Posted 14 years ago #

    I got it on a regular install, but I don't have an AC_RunActiveContent.js in my theme (that I can immediately find, doing a more thorough programmatic search). I use almost no javascript, except for what is in plugins.

    If anyone has specific places where to look (i.e. "it was in the header file of my theme", or "it was in the 'X' plugin"), that would be a huge help.

  10. tdjcbe
    Member
    Posted 14 years ago #

    lazymanandmoney, I think doing a grep on your files was suggested further up. Please remember that you are the only one in a position who can check your files.

  11. lazymanandmoney
    Member
    Posted 14 years ago #

    I know... that's why I said, "doing a more thorough programmatic search" above.

    I just figure if people have the information (and it seems like they do as they've been in this) it's best to share it. On my server, running a grep is not the one-liner it should be with easy shell access. It's FTPing down all the files, finding good recursive grep software for Windows (the built-in search is not very good).

  12. lazymanandmoney
    Member
    Posted 14 years ago #

    I've got the grep set up and can't find any of the following:

    - BBXsv0 (I know that was an example given earlier, but I can't tell grep to search for garbled functions).
    - AC_RunActiveContent.js (just don't use it whatever it is)

    I found some "base_decode", but it all looks benign.

    I guess my next plan is to manually look through all javascript in my site. This is where it would be nice if anyone else having the problem shared the solution (other than the fresh install which is a last resort for me). I understand if I'm the only one though... will post back with anything I can find.

  13. lazymanandmoney
    Member
    Posted 14 years ago #

    It looks like my wp-includes/tw-sack.js was somehow hacked. I don't know what the hack was, but since I wasn't using the file for any functionality I stopped "wp-includes/script-loader.php" from calling it and then renamed "tw-sack.js" to be safe.

    It surely was a hack as there was a phantom user that also needed to be deleted.

  14. cytralskunk
    Member
    Posted 14 years ago #

    Our site had the same thing happen. I found the hacked file, it was mootools.js. I posted the code here.

    You can see they just added code to the top of the file.

    I haven't found the rest of it if there is more... somehow it has to detect if you're coming from google.

    -cS

  15. cytralskunk
    Member
    Posted 14 years ago #

    Oh the code is right in that hacked javascript to detect google as a referrer.

    Grepping for 'slimp.net' won't work... try to find 'Click Here' or if you can see the mumbled javascript function name it's calling grep for that.

    The link to the penetrated javascript file is most certainly on whatever page the banner shows up on.

    Could this be a hack on Apache? Our server is running Apache 2.

    -cS

  16. cytralskunk
    Member
    Posted 14 years ago #

    To find it, type this in your root directory:

    find . -type f -name "*.js" -exec grep -il 'Click Here' {} \;
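    The checks from the last few posts (prepended code, the 'Click Here' string, the google referrer test, grepping for a garbled function name once you have seen it) combined into one scan, as an added example that is not code from any poster. It assumes POSIX sh with find, head and grep; the optional function-name argument and the sample paths are hypothetical, and the eval/unescape/fromCharCode check is a general obfuscation indicator that goes beyond what the thread mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh plus find, head, grep.
# Walks every .js file under a WordPress root and reports the markers the
# posters describe, plus common obfuscation calls (eval/unescape/fromCharCode)
# that the thread itself does not mention.

# has PATTERN TEXT: true if TEXT matches the extended regex, case-insensitively.
has() { printf '%s\n' "$2" | grep -qiE "$1"; }

# scan_js_for_injection ROOT [NAME]: print "path: reason" per suspicious file.
# NAME is an optional garbled function name seen in the page source
# (the thread gives BBXsv0 and luaFZemu as examples).
scan_js_for_injection() {
    name="${2:-}"
    find "$1" -type f -name '*.js' -print | while IFS= read -r f; do
        # The posts report the payload prepended to the first lines of an
        # otherwise legitimate library, so only the head of each file is read.
        top=$(head -n 5 "$f")
        reason=""
        if [ -n "$name" ] && grep -qF -- "$name" "$f"; then
            reason="contains the supplied function name $name"
        elif has 'click here' "$top"; then
            reason="'Click Here' string near top of file"
        elif has 'referrer' "$top" && has 'google' "$top"; then
            reason="referrer check for google near top of file"
        elif has 'eval\(|unescape\(|fromCharCode' "$top"; then
            reason="obfuscation call (eval/unescape/fromCharCode) near top of file"
        fi
        if [ -n "$reason" ]; then
            printf '%s: %s\n' "$f" "$reason"
        fi
    done
}

# count_js_hits ROOT [NAME]: number of suspicious files, handy for a cron check.
count_js_hits() { scan_js_for_injection "$1" "${2:-}" | wc -l | tr -d ' '; }

# Usage: sh scan.sh /path/to/wordpress [garbledFunctionName]
if [ -n "${1:-}" ]; then scan_js_for_injection "$1" "${2:-}"; fi
```

Any file it names should be diffed against a clean copy of the same library before it is restored, since the posts note that the rest of the file stays legitimate.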

  17. roberb7
    Member
    Posted 14 years ago #

    I've gotten hit with this, too, and I was able to find the offending code by grepping for "luaFZemu".

    The file that got hacked was in the wp-content/themes/vSlider2/js directory, and it was vSlider.js. Once I located that, the symptoms were the same as described by cytralskunk here; similar (if not identical) code inserted at the beginning of the file.

    Neither the date stamp nor the owner of the file was changed.

  18. kgraeme
    Member
    Posted 14 years ago #

    This sounds like it might have been something like a Gumblar attack.

    The way Gumblar works is if you use an older/unpatched browser, it can infect your system. Then it looks for web files and modifies them. So when you upload the files, you effectively compromise your own site. It also steals your FTP credentials (remember, FTP passes cleartext), so your web files are open to direct attack.

    http://www.pcantivirusreviews.com/update/2009/05/us-cert-malware-exploit-circulating.html

About this Topic

  • Started 14 years ago by malcs_64
  • Latest reply from kgraeme