WordPress.org

Forums

what exploit was used? (7 posts)

  1. macewan3rdTime
    Member
    Posted 2 years ago #

    WordPress Version 3.3.2

    wp-config.php was altered adding this:
    require('/path/to/wp-content/uploads/2009/04/themes.php');

    themes.php file looked like this:
    http://instagr.am/p/LB81Q0s-oL/

    crypt.php file looked like this:
    http://instagr.am/p/LB8h_PM-n_/

    in here they included crypt.php & themes.php along with multiple 16kb files

  2. macewan3rdTime
    Member
    Posted 2 years ago #

    Thank you for the resources listed. Gives a great starting point. The events surrounding the hack I show occurred yesterday around 2pm EST. It was witnessed live so others will probably be affected.

    You will notice problems if you try to alter your theme as this is when the themes.php file is called. It takes over your admin page to display http://dmitext.net/ instead of admin.

  3. You will notice problems if you try to alter your theme

    Hopefully I won't notice it on my system at all! :D

    It's all about closing the doors that the attacker got in via. If you're lucky it will be something as simple as an old timthumb library. If you are unlucky it will be a weakness on your server.

    Go through those resources, they're a good start on getting a handle on this.

  4. macewan3rdTime
    Member
    Posted 2 years ago #

    Uploading both files for viewing pleasure.

    http://www.macewan.org/crypt.txt
    http://www.macewan.org/themes.txt

  5. robmuzo
    Member
    Posted 2 years ago #

    Check your raw server log files and you will be able to see the point where they got in, probably through a plugin or incorrect permissions.

  6. macewan3rdTime
    Member
    Posted 2 years ago #

    I'll leave the files there for viewing until 5pm EST for those that want to check it out.
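
Added example, not part of the original thread or any poster's code: a defensive check for the two indicators described in the first post, namely a require/include in a top-level PHP file such as wp-config.php that points into wp-content/uploads, and PHP files sitting in the uploads tree. The function names, the suffix list and the sample tree are assumptions constructed here for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches include/require statements whose path argument points into wp-content/uploads.
INCLUDE_RE = re.compile(
    r"""\b(?:require|include)(?:_once)?\s*\(?\s*['"]([^'"]*wp-content/uploads/[^'"]*)['"]""",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}  # assumed list of executable suffixes

def suspicious_includes(wp_root):
    """Return (file, line_no, included_path) for uploads/ includes in top-level PHP files."""
    hits = []
    for php in sorted(Path(wp_root).glob("*.php")):
        for no, line in enumerate(php.read_text(errors="replace").splitlines(), 1):
            for m in INCLUDE_RE.finditer(line):
                hits.append((php.name, no, m.group(1)))
    return hits

def php_in_uploads(wp_root):
    """Return relative paths of PHP-like files under wp-content/uploads (a media directory)."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(wp_root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
    )

def build_sample(root):
    """Constructed sample tree mirroring the first post; placeholders, not the real files."""
    up = Path(root) / "wp-content" / "uploads" / "2009" / "04"
    up.mkdir(parents=True)
    (up / "themes.php").write_text("<?php /* constructed placeholder */\n")
    (up / "crypt.php").write_text("<?php /* constructed placeholder */\n")
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # legitimate media, must not be flagged
    (Path(root) / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n"
        "require('/path/to/wp-content/uploads/2009/04/themes.php');\n"
    )

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(suspicious_includes(d))
        print(php_in_uploads(d))
```

On a real install, pass the WordPress root directory to both functions; any hit is a file to inspect, not proof of how the attacker got in.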

Topic Closed

This topic has been closed to new replies.
