aspender
Member
Posted 1 year ago
My blog appears to have suffered a hack. Details are posted in an entry here.
The hack appears to update wp-includes/default_filters.php to include a backdoor to upload files. It then uploads a file named class-mail.php and also updates classes.php. class-mail.php contains base64-encoded data containing links and ads which are inserted into the body as hidden text and the page footer.
Another few people appear to have suffered the same:
http://www.howardowens.com/2007/this-blog-was-hacked/
http://wordpress.org/support/topic/142586?replies=2
I appreciate that compromised FTP/filesystem access is the most likely cause, and am getting my host to check this out, but thought I would raise it here as well.
aspender
Member
Posted 1 year ago
My host confirms that there were a number of attempted FTP logins from a Chinese IP on the day of the hack, but none of them were successful.
aspender
Member
Posted 11 months ago
The hack above has happened again on my 2.3.1 blog. Again my host has confirmed that there weren't any successful FTP logins on or around the date that class-mail.php was placed on the server.
This page seems to have information about how to get rid of the hack, suggesting it has been seen elsewhere:
http://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/
FYI, I am running WP 2.3.1 with the Tranquility 1.2 theme and the following plugins activated:
Akismet 2.0.2
DupPrevent 1.0
Feedburner Feedsmith 2.3
Google Search Widget 1.0
Google XML Sitemaps 3.0.1
ShareThis 2.0
Ultimate Google Analytics 1.5.3
Site is at http://adrianspender.com/blog. I have removed the hack.
Can anybody else confirm they have seen this or give any reasonable explanation as to how the backdoor works?
aspender
Member
Posted 11 months ago
Just to be clear, the following got inserted into my page footer:
add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "<div id=\"goro\">";
foreach($wparr as $k=>$v){
echo "".ucwords($v['key'])."\n";
if($i++==$inum) break;
}
echo "</div>".$_footer;
}
}
However, after Googling for the goro div and finding some results on these forums, what appears to be different in this case is that wp-includes/default_filters.php was the file that included the hack, not a theme.
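Added example, not code from this thread or from WordPress: a small scanner a site owner could run over an install to look for the indicators described above (a stray wp-includes/class-mail.php, a wp_footer hook with a hash-like function name that @include()s it, the hidden "goro" div, and long base64 blobs). The regexes are assumptions derived from the snippet quoted above, and the sample tree it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the wp_footer hook quoted in the thread, cut down to
# the lines the indicators key on. Not a real infected file.
SAMPLE_INJECTED = r"""<?php
add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
echo "<div id=\"goro\">";
}
"""

# Indicator patterns derived from the snippet above (assumptions, not a
# vendor signature). Dict order gives stable output.
INDICATORS = {
    "class-mail include": re.compile(r"@include\(\s*['\"]\./wp-includes/class-mail\.php['\"]"),
    "goro div": re.compile(r'<div id=\\?"goro\\?"'),
    "wp_footer hook with hashed name": re.compile(r"add_action\(\s*['\"]wp_footer['\"]\s*,\s*['\"]wp[0-9a-f]{32}['\"]"),
    "long base64 blob": re.compile(r"base64_decode\(\s*['\"][A-Za-z0-9+/=]{200,}"),
}
# Files WordPress 2.x does not ship; their presence alone is a finding.
UNEXPECTED_CORE_FILES = ["wp-includes/class-mail.php"]

def scan_text(text):
    """Return the names of all indicators that match one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root):
    """Walk a WordPress install; return sorted (relative path, hits) pairs."""
    root = Path(root)
    findings = []
    for rel in UNEXPECTED_CORE_FILES:
        if (root / rel).is_file():
            findings.append((rel, ["unexpected core file"]))
    for path in root.rglob("*.php"):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return sorted(findings)

def demo():
    """Build a throwaway tree shaped like the compromised install and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp) / "wp-includes"
        inc.mkdir()
        (inc / "default_filters.php").write_text(SAMPLE_INJECTED)
        (inc / "class-mail.php").write_text("<?php $wparr = array();\n")
        return scan_tree(tmp)
```

Run scan_tree() against the real document root; a hit on default_filters.php or any wp-includes file is worth comparing against a fresh copy of the same WordPress release before cleaning up.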
Almost all of the hack attempts I've seen lately on my systems attempt to exploit vulnerable plugins and/or theme files. I'd look closely at those.
And read the server logs, look for any direct accesses to plugin files or theme files. Except for very unusual plugins and/or themes, those should not occur.
WordPress 2.3.1 only has one known issue at present, and it only affects systems using non-standard character sets (not UTF-8 like the default is).
bMunch
Member
Posted 10 months ago
This actually just happened to me on 2.1.1, so it's not just a 2.3.1 vulnerability.
Same code injected.