php.cmdshell.unclassed.347 virus in lightweight theme licence

tomaszs
(@tomaszs)

10 years, 4 months ago

I’ve updated last week WordPress (from inside of blog admin, auto update) to latest version (3.8). It occurred that lightweight theme has a virus {HEX}php.cmdshell.unclassed.347 in licence.php file.

This is the source of this file: http://pastebin.com/MgYW2uAG

Viewing 7 replies - 1 through 7 (of 7 total)

Thread Starter tomaszs
(@tomaszs)

10 years, 4 months ago

Do you know what can b the source of this infection?

WPyogi
(@wpyogi)

10 years, 4 months ago

Where did you get that theme? I don’t see it here:

http://wordpress.org/themes/

This may be relevant:

http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/

See these also:

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thread Starter tomaszs
(@tomaszs)

10 years, 2 months ago

@wpyogi

Thanks for support. I really dont know from where was this theme.

In the licence it’s written:

Lighweight WordPress Theme example

Copyright (c) 2002,2001 WordPress.org

Since its so strange i decided to remove the theme. Maybe it will help.

Thread Starter tomaszs
(@tomaszs)

10 years, 2 months ago

Will post updates on this.
kvandivo
(@kvandivo)

9 years, 10 months ago
I just had this happen to me.. Access pattern that seems to have caused it:
```
91.121.10.229 - - [09/Jun/2014:16:43:24 -0500] "POST /wp-login.php HTTP/1.1" 302 879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4"
91.121.10.229 - - [09/Jun/2014:16:43:25 -0500] "GET //wp-admin/themes.php HTTP/1.1" 200 49459 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4"
91.121.10.229 - - [09/Jun/2014:16:43:26 -0500] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 30854 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4"
91.121.10.229 - - [09/Jun/2014:16:43:28 -0500] "GET //wp-content/themes/lightweight/license.php HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317  Firefox/3.0.4"
```
Not sure what the actual exploit was, beyond that.. but it appears to be something in wp-login, themes.php or, update.php.

WordPress 3.9.1, with no pending updates available.
Thread Starter tomaszs
(@tomaszs)

9 years, 10 months ago

Hello Kvandivo, sorry to hear it.

I had the same scenario in my case. After i discovered it i’ve installed plugin Simple History. It shows who logs in into your blog. It occured someone / something logs into one of authors account to the blog at the same time. And it ocurred it was old account of one of my authors. Surprisingly she had basic privilages, no admin privilages at all. It was in theory unable to upload themes. But the bot (i suppose) was able to break privilages and upload theme from author account.

Less said when i removed the author account this problem stopped to occur.

I think there is some kind of security hole in latest WordPress also that any user can upload themes without being an admin :/

esmi
(@esmi)

9 years, 10 months ago

I am now closing this 5 month old topic as it references an older version of WordPress. In the meantime, please refer to the reply in the second post of this topic.

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘php.cmdshell.unclassed.347 virus in lightweight theme licence’ is closed to new replies.

php.cmdshell.unclassed.347 virus in lightweight theme licence

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics