More WordPress security troubles

After a few days of communicating with the people at about links that are showing up (pointing to viagra sites) I found a new link today, pointing to a domain that is trying to install a virus.

The domain used to trigger people to install it is hosted at a subdir of secure-19926.tld (the extention has been changed). This page holds an iframe pointing to a domain called http://tds.narrativepatterns.tld/ (extention changed). There you will see a so called explorer window stating you are having problems with mallware and offer you a download (exe file).

As stated before this proves to me that the code for showing the clicks, or the code it is calling, is  the real problem, not the spamming itself. If, like stated on the wordpress fora, it was fixed we would not see these kinds of sites.

As for the plugin itself. I am not sure what the exact plugin is showing these stats. There are several of them available for download. Maybe the team can give more details about it.

If you are hosting your blog on then it might be a good idea to at least disable this plugin. In that case you visitors will not be bothered with them. Also think about hiding links to simular articles beneath your blogarticles.

Update: The exe file offered at that site is not being detected as a virus. Maybe it needs to be installed first. Have no idea how to do that :-)

The malware or virus that is offered at these sites is called Suspicious:W32/Malware!Online (or other simular names, depending on the anti virus seller).

Currently only the following vendors support protection:


This does not mean that it will not be cleaned by others soon. It’s a rather new thingy.


Tagged: ,

5 thoughts on “More WordPress security troubles

  1. Wells December 10, 2009 at 10:26 pm Reply

    Just for peace of mind, this is probably only showing up in admin and not on the site itself, right? Should I warn visitors or anything?

    • Hans December 10, 2009 at 10:29 pm Reply

      It depends on what you are using I think. is allowing you to show what visitors have clicked on. These malware/virus links do show up there. Therefor you should disable it.

      I am not sure if this is a plugin/widget or a general one.

  2. Hans December 10, 2009 at 10:20 pm Reply

    It’s not a dumb question. The ‘Top Clicks’ should be disabled since it will hold links to the sites trying to trick you into downloading the virus. See the updates I just posted.

    As for now, they are switching to tinyurl I think. If you do not disable the preview you will probably see a weird link. Do not go there when you are using MS Windows.

  3. Wells December 10, 2009 at 9:56 pm Reply

    What plugin is it?

    • Wells December 10, 2009 at 10:07 pm Reply

      Sorry, this was a dumb question. I am dumb.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: