WordPress site blocked by SonicWall – JS.Agent.NKW_2 (Trojan)

Had a customer’s website blocked by our internal firewall.

dr_blum_homepage_blocked_infection_small

They were running WP Antivirus Site Protection plug-in. It listed the following files.

  • /wp-content/plugins/nextgen-gallery/nggallery.php
    /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/imagemagick.inc.php
    /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.router.php
    /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.routing_app.php
    /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.routing_app.php
    /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_routing_app.php
    /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/functions.php
    /wp-content/plugins/si-contact-form/includes/class-fscf-process.php

 

This link provided me with some detail. There was a code that looked like “\x73\x63\x5F\x63\x6F”,\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64″,\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68″,\x77\x69\x64\x74\x68″,\x68\x65\x69\x67\x68\x74″,\x63\x68\x61\x72\x73\x65\x74″,\x6C\x6F\x63\x61\x74\x69\x6F\x6E”,\x72\x65\x66\x65\x72\x72\x65\x72″,

Deleting this out is supposed to help.

https://wordpress.org/support/topic/jsagent-warnings-in-avg-nightmare-hack-in-multiple-wordpress-sites

Here is a good article on this issue.

http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html

 

 

This entry was posted in Joomla, Security, Tech Support, Uncategorized, WordPress. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *