
Jun 5 2008

Removing wp-stats-php Infection From WordPress

Starting Tuesday, I had 2 pieces of bad luck (minor and major).

Bad luck 1

I went to deposit a check (affiliate) at the bank and my car did not want to start again when I left the bank. To cut it short, it cost me more at the auto shop than the check I deposited. That's not counting the time wasted by waiting for the work to be done.

Bad luck 2

When I finally got home, I went to check my emails. I had left a few comments in a few posts. But I had also received an email from Google concerning one of my blogs. Google had detected "badware" on it. Was it the same blog as last time? No, it was not, and it was not about my software giving a false positive. So, I went to check the blog in question and I could not even load the main page at all.

Note: I must mention that the blog was not upgraded to WordPress 2.5.1 yet. I think it still had v2.2.x on it. When I had installed 2.3 on another blog, one plugin was not working correctly, thus I put the upgrades on hold. I had planned on upgrading them later once my project was released.

In my case, all I got was a blank page with a redirection (?) to a badware site. That was written on the status bar of Firefox but it looked like it was in a loop or the site was too busy (many infected besides me). Now, I had to find a way of removing wp-stats-php from the blog.

Note: It's not the same thing as wp-stats.php. That's a real known plugin.

After a few minutes of searching, I found others had the same "infection" performed on their blogs too. You will find code starting like this in a post:
<!-- Traffic Statistics --> bad code here <!-- End Traffic Statistics -->

or a JavaScript with

function count(str){var res.... (some code did not belong there)

The trouble was I could not even log in to the blog's admin section. Checking the last backup (SQL file), I was able to find the post in question. Some code was inserted in one of my older posts from November 2007.

I tried a few ways to patch things, like renaming the plugin folder or using the default theme. I did not have any success. So, I decided to do an upgrade on the current blog to WordPress v2.5.1. At one time, I was able to make it work until I selected the current theme. The site was "infected" again even though I had edited the post in question to remove the offending code. I then lost the admin privilege again. I also lost part of the last post I had written and found some weird code in it before the cut-off. Of course, I had to edit the database directly (MySQL) to do this in phpMyAdmin.

The drastic solution I took

I had already wasted far too many hours on this so I took one drastic solution: I deleted the current content of my domain. The database still existed and I made a backup (uploaded) of some of the folders not related to WordPress like my pictures, php redirections.... I also kept the wp-config.php and .htaccess.

Note 1: Even files not related to WordPress like php redirection or html were infected on a second look.
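As an added example (not code from the original post), this Python script checks a local copy of a site, both its files and its SQL backup, for the two indicators quoted earlier: the "Traffic Statistics" comment block and the `function count(str){var res` script prefix. The sample files, the `wp_posts` row and all function names are constructed for the demonstration; nothing about the injected code beyond those two quoted strings is assumed.

```python
import os
import re
import tempfile

# Indicators quoted in the post above; nothing else about the injected code is assumed.
MARKER_BLOCK = re.compile(
    r"<!--\s*Traffic Statistics\s*-->.*?<!--\s*End Traffic Statistics\s*-->",
    re.IGNORECASE | re.DOTALL,
)
JS_PREFIX = re.compile(r"function\s+count\s*\(\s*str\s*\)\s*\{\s*var\s+res")
TEXT_EXTENSIONS = (".php", ".html", ".htm", ".js", ".sql")

def scan_text(text):
    """Return sorted (line_number, indicator_name) pairs for every hit in text."""
    hits = []
    for name, pattern in (("traffic-statistics-block", MARKER_BLOCK),
                          ("count-str-script", JS_PREFIX)):
        for m in pattern.finditer(text):
            hits.append((text.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_tree(root):
    """Walk a local copy of the site (files plus SQL dump) and map path -> hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(TEXT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Build a small constructed site copy and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample content, not taken from a real infection
            "backup.sql": "INSERT INTO wp_posts VALUES (12,'Old post',\n"
                          "'text <!-- Traffic Statistics --> X <!-- End Traffic Statistics -->');\n",
            "redirect.php": "<?php header('Location: /');\n?>\n"
                            "<script>function count(str){var res = 0;}</script>\n",
            "about.html": "<html><body>clean page</body></html>\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Run against a downloaded copy rather than the live site, so a compromised server cannot alter what the scan sees.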

Note 2: Since I had once been able to upgrade to v2.5.1, I still needed to perform the upgrade steps even with an almost clean install. In version 2.5+, you need to add a new key in your wp-config.php file. That's in the upgrade instructions.

All was working okay now. Since I suspected the theme had bad code somewhere too, I used a new SEO optimized theme instead. But when I clicked on any of the posts, I got a 404 error. Only the frontpage was working. Don't forget to check if a .htaccess was recreated during the upgrade. Since I deleted everything and WordPress thought I already upgraded because of the first upgrade, it did not create the .htaccess again in that case.

Unfortunately, I lost the list of the plugins I was using (activated or not). I would advise you to just write them down before starting. But since I had to move from v2.2.x to v2.5, I took the time to download an all-new set of updated plugins and see if each plugin was compatible or not with v2.5. This will be important when I tackle my other blogs.

WordPress v2.5.1 safer?

Some had success in just removing the nasty code in the infected post. But some, like me, had to take a longer road. Now, is version 2.5.1 safer against this kind of infection? I don't know but I suspect that because I was using an older version, I opened the door so that it was too late when I upgraded to v2.5.1 the first time. Doing a fresh installation with new plugins and a new theme must have closed the door. At least, I hope so. ;)

Lesson 1

If you have niche blogs that are not updated very often, do verify them. It's important because some are doing blogs that might bring them $5-10 a click. It would be a shame to lose that income.

That blog in question was updated on Sunday but the automatic backup plugin did not have the last post in its entirety. I suspect it was infected between Sunday and Monday morning.

Lesson 2

I lost time and money on this and yes, it was my fault for not upgrading WordPress sooner. Because most of the traffic was coming from Google, my traffic from Google dropped to zero. Why? Because Google writes a warning under the URL. When a person clicks on it, they are redirected to a Google page about the risk. The few visitors since were from MSN, Yahoo or other sites (directories).

When I went into Google Webmasters Tools, I was able to ask for a review but it could take time.

Lesson 3

Recently, someone suggested using phpBay for WordPress instead of using BANS. But this whole experience left me wondering if it would have been a good thing after all. WordPress might offer greater flexibility but it comes at this kind of cost. Plus, it's more profitable for badware to find a weakness in WordPress (Millions) versus BANS (Thousands).

A few blogs are manageable, but what if you had 100s of WordPress/phpBay sites? You must think of upgrading WordPress more often than BANS. With BANS, you don't have the plugin, comment and trackback issues to deal with, thus fewer security issues.

If you use phpBay within your own main blog, then it would be okay since you are going to update it more often than a static blog anyway.

Conclusion

Now, I will be busy upgrading my other blogs but I decided to post this first to warn my fellow bloggers that might not have updated their blogs yet.


    21 Comments on this post

    Trackbacks

    1. bloggingzoom.com wrote:

      Removing wp-stats-php Infection From WordPress | McGrath Dot Ca…

      If you don’t upgrade your WordPress often, I hope you don’t get what I had on one of my blog. I had a hard time of removing wp-stats-php. It cost me time, money and Google traffic. I wanted to warned others of the possible danger. That’s also true f…

      June 5th, 2008 at 11:38 am
    2. Listing Contest Again | The Contest Winner wrote:

      [...] During the last week, I had to update my network of blogs including this one. I already wrote about Removing wp-stats-php. Pass the word to your own [...]

      June 8th, 2008 at 6:55 pm
    3. Opinion: BANS vs phpBay(WP plugin) vs phpBay API vs Free Options | McGrath Dot Ca wrote:

      [...] fault here thus it’s less secure since it’s using WordPress. Just read my post about it here. Now, imagine 100s of blogs like that. It also take more resource(space/CPU time) than phpBay API [...]

      July 4th, 2008 at 8:52 am
    5. My Alternative to WordPress, Joomla, Blogger…: MyStarterBlog | McGrath Dot Ca - Reviews - Internet Marketing Online wrote:

      [...] By secondary, I mean that I don’t post or update WP to the new version like I should.  And last year, I learned that the hard way. One of my blog that was much more updated(post) than the others was infected. I wrote about it: Removing wp-stats-php Infection From WordPress. [...]

      February 10th, 2009 at 10:22 am
    1. Elliott said:

      Steve,

      I can relate to the hassles of upgrading, I just completed all of my upgrades yesterday and I wish there was an easier way to upgrade. I guess if you use a fantastico install on each site, it would speed things up a little.

      I recommend also removing the “leave this for stats” crap in the header section of WP installs. This shows what version you are using, and basically once an exploit is found that can benefit someone for unethical reasons, they just need to search for your system running that version. I haven’t had a problem since doing this.

      Hope all is back up and running normally now!

      June 5th, 2008 at 2:57 pm
    2. Steve McGrath said:

      Hi Elliott,

      A built-in upgrade is what is needed in WordPress. At least for security updates they could do that. But when you go from 2.5 to 2.6, they might change something more important (databases). It’s not easy to think ahead in those cases.

      Could a plugin author use that info to make a plugin behave according to the version? Unless they have some other parameter they could use.

      No, I’m not finished yet. :(

      June 5th, 2008 at 3:13 pm
    3. bbrian017 said:

      How ironic, you guys are here trying to remove the WordPress stats and I can’t seem to get it to work. I own three blogs and it works only on 2 no matter what I do!

      So in the end what’s happening here? Did you fix the stats mod issue?

      I’m a little lost in your post seeing you have a tendency to jump all over :) As a good example I will use the car thing… where did that come from? Are you normally a ranter lol :)

      thanks for sharing these issues by the way!

      June 5th, 2008 at 4:07 pm
    4. Steve McGrath said:

      Elliott was talking about WordPress stats and I was posting about an “infection” or “virus” that is called “wp-stats-php”. Those are 2 different things and mine is the worse of the 2. :(
      “Car”
      I just thought that it was ironic. In the post, I wrote about depositing “affiliate money” to the bank and that it cost me more for repairing the car than the actual check I had just deposited. So, I lost money/time 2 ways that day.

      “jump all over”
      Do you mean the rest of the WordPress “infection” (Bad Luck 2) was not clear enough? That was the order I used to clean up my problems. Some might not have to go that far if they are lucky in their “bad luck”. It was a pain in the …. ;)

      Just spread the word: Update!!!!

      June 5th, 2008 at 4:32 pm
    5. Thomas said:

      Hi Steve, just wanted to drop by and check out your blog(s). Thanks for the heads-up on the pop contest plugin fix btw :)

      It’s been 2 years now since my site was hacked (phpBB forum that time) and I’ve been neurotic about getting updates ultra-quick ever since. Postings like this sure contribute to getting more people alert to the ongoing problem. So, in short – great job informing and sharing!

      As a sidenote to answer your thoughts on security… I believe WP 2.5.1 is only going to be safe until it’s hacked (obviously). That’s why the WP community are heading for the 4 main updates a year (to keep it safe and increase the effort to hack). The biggest problems are probably introduced through themes and plugins. Thus, before installing these things (from 3rd party) ALWAYS have a look at the code (or have someone help you)!

      June 6th, 2008 at 2:06 am
    6. Steve McGrath said:

      Hi Thomas,

      The Popularity Contest is one of the few plugins I had to find a fix for. For those that don’t know, you need to edit the plugin for it to work.

      Yes, I heard of phpBB being hacked often. I’m still wary of upgrading too fast. Sometimes a fix can break something else. But, that’s why software uses “versions” and cars use “recalls”. ;)

      If WP goes with 4 big upgrades/year or even less, it might not be too bad. Btw, thanks for the info. Updates will still have to be made.
      Just to be clear:
      Upgrades: 2.5 -> 2.6 -> 2.7
      Updates: 2.5.1 -> 2.5.2 -> 2.5.3

      If they could add built-in “updates”, at least that would be safer for most people. 1 Click and you are done. :D

      I’m using the Live 0.5 plugin(old was .41). So far, it “works” but I do get an error when I activate it or check the new detail page. I don’t see patterns.

      As for checking the code, I don’t but I check the popularity of the plugins in most cases. There should be some kind of “official signing” for WP plugins. I don’t know enough about PHP to determine that myself.

      June 6th, 2008 at 11:24 am
    7. Steve McGrath said:

      Just an update: I just noticed that Google has finally cleared the blog. :D

      June 6th, 2008 at 11:35 am
    8. gotafish said:

      Steve,
      Thanks for the Heads up on this. I only have 1 hosted wordpress blog but it was still running the old version and I’m in the process of upgrading it now.

      June 7th, 2008 at 2:44 pm
    9. Steve McGrath said:

      You just need one blog to get infected. :(

      The next security updates will not be that bad since I have mostly 2.5 compatible plugins now.

      While doing my upgrade, I did notice a folder with “/content/1”. In it, there were HTML files that I did not put there. Doing some research, it’s a clue that you have one post that is infected.

      Anyway, just tell your readers(bloggers) to update too.

      June 7th, 2008 at 3:14 pm
    10. April said:

      I have certainly taken your advice and have spent the whole morning upgrading all my WP blogs. I found it very easy but pretty boring and time consuming. I don’t know what you use for upgrading WP but I use a plugin called wordpress automatic upgrade and it works great.

      It makes me wonder whether I really want to go down the road of owning lots of small blogs rather than a few larger ones. Also having static sites might be a better solution than to always be upgrading.

      June 11th, 2008 at 11:16 am
    11. Steve McGrath said:

      Glad you did not have trouble upgrading your blogs. Those with fewer plugins were fast for me. Like you, it was more time consuming.

      Btw, I used the old-fashioned way (FTP) but I did hear of the automatic upgrade plugin before. Did you go from 2.3 to 2.5 or 2.5.0 to 2.5.1?

      I was thinking the same thing about having a lot of small niche blogs. With static, you don’t have an easy way to add an RSS feed and get pings like with WP. That’s a downside to consider too. It also doesn’t use a MySQL database like WP.

      June 11th, 2008 at 8:28 pm
    12. TheMainer said:

      I’m sorry you had to experience this. Live and learn I guess. Thanks for sharing with everyone so we can try to avoid the problem before it occurs.

      July 29th, 2008 at 9:47 am
    13. Steve McGrath said:

      That was the goal to share it.

      Update regarding BANS and phpBay.
      I’m using the phpBay(plugin and paid version) on my bigger blogs like this one. I’m also using phpBay API too. I still got BANS.

      July 29th, 2008 at 9:58 am
    14. Max said:

      Sorry for troubles with WP, but I still vote for WP with phpBay – more flexible, easy to add content, easy to customize auctions on every page/post (either 15 items or 3). I am running several blogs (WP 2.5.1+ and up) and don’t see any problems so far.

      July 30th, 2008 at 8:33 pm
    15. Steve McGrath said:

      Several blogs is not the same as several hundred sites. That’s why the 3 methods (BANS, phpBay plugin+WP, phpBay API) are fine AND should all be used.

      July 30th, 2008 at 9:15 pm
