Removing wp-stats-php Infection From WordPress

Starting Tuesday, I had two pieces of bad luck (one minor, one major).

Bad luck 1

I went to deposit a check (affiliate) at the bank and my car did not want to start again when I left the bank. To cut it short, it cost me more at the auto shop than the check I deposited. That's not counting the time wasted waiting for the work to be done.

Bad luck 2

When I finally got home, I went to check my emails. I had left a few comments in a few posts. But I had also received an email from Google concerning one of my blogs. Google had detected "badware" on it. Was it the same blog as last time? No, it was not, and it was not about my software giving a false positive. So, I went to check the blog in question and I could not even load the main page at all.

Note: I must mention that the blog was not upgraded to WordPress 2.5.1 yet. I think it still had v2.2.x on it. When I had installed 2.3 on another blog, one plugin was not working correctly, thus I put the upgrades on hold. I had planned on upgrading them later once my project was released.

In my case, all I got was a blank page with a redirection(?) to a badware site. That was written on the status bar of Firefox, but it looked like it was in a loop or the site was too busy (many infected besides me). Now, I had to find a way of removing wp-stats-php from the blog.

Note: It's not the same thing as wp-stats.php. That's a real, known plugin.

After a few minutes of searching, I found others had the same "infection" performed on their blogs too. You will find code starting like this in a post:

<!-- Traffic Statistics --> bad code here <!-- End Traffic Statistics -->

or a JavaScript with function count(str){var res.... (some code did not belong there)

The trouble was I could not even log in to the blog's admin section. Checking the last backup (SQL file), I was able to find the post in question. Some code was inserted in one of my older posts from November 2007. I tried a few ways to patch things, like renaming the plugin folder or using the default theme.
I did not have any success. So, I decided to do an upgrade on the current blog to WordPress v2.5.1. At one time, I was able to make it work until I selected the current theme. The site was "infected" again even though I had edited the post in question to remove the offending code. I then lost the admin privilege again. I also lost part of the last post I had written and found some weird code in it before the cut-off. Of course, I had to edit the database (MySQL) directly in phpMyAdmin to do this.

The drastic solution I took

I had already wasted far too many hours on this, so I took one drastic solution: I deleted the current content of my domain. The database still existed and I made a backup (uploaded) of some of the folders not related to WordPress, like my pictures, PHP redirections.... I also kept the wp-config.php and .htaccess.

Note 1: Even files not related to WordPress, like PHP redirections or HTML, were infected on a second look.

Note 2: Since I had once been able to upgrade to v2.5.1, I still needed to perform the upgrade steps even with an almost clean install. In version 2.5+, you need to add a new key in your wp-config.php file. That's in the upgrade instructions.

All was working okay now. Since I suspected the theme had bad code somewhere too, I used a new SEO-optimized theme instead. But when I clicked on any of the posts, I got a 404 error. Only the front page was working. Don't forget to check if a .htaccess was recreated during the upgrade. Since I deleted everything and WordPress thought I had already upgraded because of the first upgrade, it did not create the .htaccess again in that case.

Unfortunately, I lost the list of the plugins I was using (activated or not). I would advise you to just write them down before starting. But since I had to move from v2.2.x to v2.5, I took the time to download an all-new set of updated plugins and see if each plugin was compatible or not with v2.5. This will be important when I tackle my other blogs.
WordPress v2.5.1 safer?

Some had success in just removing the nasty code in the infected post. But some, like me, had to take a longer road. Now, is version 2.5.1 safer against this kind of infection? I don't know, but I suspect that because I was using an older version, I opened the door, so that it was too late when I upgraded to v2.5.1 the first time. Doing a fresh installation with new plugins and a new theme must have closed the door. At least, I hope so. ;)

Lesson 1

If you have niche blogs that are not updated very often, do verify them. It's important because some are doing blogs that might bring them $5-10 a click. It would be a shame to lose that income. The blog in question was updated on Sunday, but the automatic backup plugin did not have the last post in its entirety. I suspect it was infected between Sunday and Monday morning.

Lesson 2

I lost time and money on this and yes, it was my fault for not upgrading WordPress sooner. Because most of the traffic was coming from Google, my traffic from Google dropped to zero. Why? Because Google writes a warning under the URL. When a person clicks on it, they are redirected to a Google page about the risk. The few visitors since were from MSN, Yahoo or other sites (directories). When I went into Google Webmaster Tools, I was able to ask for a review, but it could take time.

Lesson 3

Recently, someone suggested using phpBay for WordPress instead of using BANS. But this whole experience left me wondering if it would have been a good thing after all. WordPress might offer greater flexibility, but it comes at this kind of cost. Plus, it's more profitable for badware to find a weakness in WordPress (millions) versus BANS (thousands). A few blogs are manageable, but what if you had 100s of WordPress/phpBay sites? You must think of upgrading WordPress more often than BANS. With BANS, you don't have the plugins, comments and trackbacks issues to deal with, thus fewer security issues.
If you use phpBay within your own main blog, then it would be okay, since you are going to update it more often than a static blog anyway.

Conclusion

Now, I will be busy upgrading my other blogs, but I decided to post this first to warn my fellow bloggers who might not have updated their blogs yet.
Keywords: BANS, Blogging, infected, Internet, Money, niche, phpbay, solution, SQL, time, Traffic, Virus, wordpress, wp-stats-php
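
The post says the injected code sat between "Traffic Statistics" comment markers or in a script starting with function count(str){var res, and that it turned up in an SQL backup as well as in PHP and HTML files outside WordPress. The sketch below is an added example, not code from the post or from WordPress: it scans a site directory and SQL dumps for those two indicators. The function names, the file-suffix list and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post; the patterns tolerate extra whitespace and case changes.
MARKER_BLOCK = re.compile(
    r"<!--\s*Traffic Statistics\s*-->.*?<!--\s*End Traffic Statistics\s*-->",
    re.DOTALL | re.IGNORECASE,
)
COUNT_FUNC = re.compile(r"function\s+count\s*\(\s*str\s*\)\s*\{\s*var\s+res", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".sql"}  # assumption: adjust per site

def find_indicators(text):
    """Return sorted (line_number, label) pairs for each indicator found in text."""
    hits = []
    for label, pattern in (("marker-block", MARKER_BLOCK), ("count-function", COUNT_FUNC)):
        for m in pattern.finditer(text):
            hits.append((text.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)

def scan_tree(root):
    """Scan site files and SQL backups under root; map relative path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_indicators(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def strip_marker_blocks(text):
    """Remove marker-delimited blocks; returns (cleaned_text, blocks_removed)."""
    return MARKER_BLOCK.subn("", text)

def demo():
    """Build a constructed sample tree (placeholder payloads only) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backup.sql").write_text(
            "INSERT INTO wp_posts VALUES (12,'Old post',\n"
            "'Hello <!-- Traffic Statistics --> PLACEHOLDER <!-- End Traffic Statistics --> bye');\n"
        )
        (root / "redirect.php").write_text(
            "<?php header('Location: /');\n?>\n<script>function count(str){var res=0;}</script>\n"
        )
        (root / "clean.html").write_text("<p>nothing here</p>\n")
        return scan_tree(root)
```

Treat every hit as a lead for manual review rather than proof, and note that, as the post describes, removing the block from one post did not stop the site from being infected again.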


21 Comments

Removing wp-stats-php Infection From WordPress | McGrath Dot Ca...

Steve,

Hi Elliot,

How ironic you guys are here trying to remove the WordPress stats and I can't seem to get it to work. I own three blogs and it works only on 2 no matter what I do!

Elliot was talking about WordPress stats and I was posting about an "infection" or "virus" that is called "wp-stats-php". Those are 2 different things and mine is the worst of the 2. :(

Hi Thomas,

Hi Steve, just wanted to drop by and check out your blog(s). Thanks for the heads-up on the pop contest plugin fix btw :)

Just an update: I just noticed that Google has finally cleared the blog. :D

Steve,

You just need one blog to get infected. :(

[...] During the last week, I had to update my network of blogs including this one. I already wrote about Removing wp-stats-php. Pass the word to your own [...]

Glad you did not have trouble upgrading your blogs. Those with fewer plugins were fast for me. Like you, it was more time consuming.

I have certainly taken your advice and have spent the whole morning upgrading all my WP blogs. I found it very easy but pretty boring and time consuming. I don't know what you use for upgrading WP but I use a plugin called wordpress automatic upgrade and it works great.

[...] fault here thus it’s less secure since it’s using WordPress. Just read my post about it here. Now, imagine 100s of blogs like that. It also takes more resources (space/CPU time) than phpBay API [...]

That was the goal to share it.

I'm sorry you had to experience this. Live and learn I guess. Thanks for sharing with everyone so we can try to avoid the problem before it occurs.

Sorry for troubles with WP, but I still vote for WP with phpBay - more flexible, easy to add content, easy to customize auctions on every page/post (either 15 items or 3). I am running several blogs (WP 2.5.1+ and up) and don't see any problems so far.

Several blogs is not the same as several hundred sites. That's why the 3 methods (BANS, phpBay plugin+WP, phpBay API) are fine AND should all be used.

[...] By secondary, I mean that I don't post or update WP to the new version like I should. And last year, I learned that the hard way. One of my blogs that was much more updated (post) than the others was infected. I wrote about it: Removing wp-stats-php Infection From WordPress. [...]

It makes me wonder whether I really want to go down the road of owning lots of small blogs rather than a few larger ones. Also having static sites might be a better solution than to always be upgrading.
