macewan3rdTime
Member
Posted 12 months ago #
WordPress Version 3.3.2
wp-config.php was altered adding this:
require('/path/to/wp-content/uploads/2009/04/themes.php');
themes.php file looked like this:
http://instagr.am/p/LB81Q0s-oL/
crypt.php file looked like this:
http://instagr.am/p/LB8h_PM-n_/
In here they included crypt.php & themes.php along with multiple 16kb files.
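The two indicators described in the post above (a `require` in wp-config.php that points into the uploads directory, and PHP files sitting under uploads), as a detection check. This is an added example, not part of the original thread; the function names and the sample tree are constructed for illustration, and the standard WordPress layout is assumed.

```shell
#!/bin/sh
# Added example: detect the indicators reported in this thread.
# Assumes the standard layout: <root>/wp-config.php and <root>/wp-content/uploads.

# Print (with line numbers) include/require statements in wp-config.php whose
# literal string path points into wp-content/uploads. Paths built from
# variables or constants are not matched by this pattern.
config_includes_uploads() {
    grep -nE '(require|include)(_once)?[[:space:]]*\(?[[:space:]]*["'\''][^"'\'']*wp-content/uploads/' \
        "$1/wp-config.php"
}

# List PHP files under uploads. The directory normally holds media,
# so every hit deserves a manual look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -iname '*.php' | sort
}

# Report both indicators; exit status 1 if either is present, 0 otherwise.
scan_wp() {
    rc=0
    if config_includes_uploads "$1"; then
        echo "ALERT: wp-config.php loads code from the uploads directory"
        rc=1
    fi
    hits=$(php_in_uploads "$1")
    if [ -n "$hits" ]; then
        echo "ALERT: PHP files found under uploads:"
        echo "$hits"
        rc=1
    fi
    return $rc
}

# Build a constructed sample tree (not real data) that mirrors the post,
# and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2009/04"
    printf '%s\n' "<?php" "define('DB_NAME', 'wp');" \
        "require('/path/to/wp-content/uploads/2009/04/themes.php');" > "$d/wp-config.php"
    : > "$d/wp-content/uploads/2009/04/themes.php"
    : > "$d/wp-content/uploads/2009/04/crypt.php"
    : > "$d/wp-content/uploads/2009/04/photo.jpg"
    echo "$d"
}
```

Run `scan_wp /path/to/wordpress`; a non-zero exit status means at least one indicator was found.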
macewan3rdTime
Member
Posted 12 months ago #
Thank you for the resources listed. Gives a great starting point. The events surrounding the hack I show occurred yesterday around 2pm EST. It was witnessed live so others will probably be affected.
You will notice problems if you try to alter your theme as this is when the themes.php file is called. It takes over your admin page to display http://dmitext.net/ instead of admin.
You will notice problems if you try to alter your theme
Hopefully I won't notice it on my system at all! :D
It's all about closing the doors that the attacker got in via. If you're lucky it will be something as simple as an old timthumb library. If you are unlucky it will be a weakness on your server.
Go through those resources, they're a good start on getting a handle on this.
macewan3rdTime
Member
Posted 12 months ago #
robmuzo
Member
Posted 12 months ago #
Check your raw server log files and you will be able to see the point where they got in, probably through a plugin or incorrect permissions.
macewan3rdTime
Member
Posted 12 months ago #
I'll leave the files there for viewing until 5pm EST for those that want to check it out.