• I recently got hacked. However, due to permission settings, somehow the hacker wasn’t able to delete all his code files that injected the virus, so I had the chance to read his code. I was not sure where to place this document, however, here is the full meat of the hack. I would encourage people to identify in their WordPress instance (most likely caused by a vulnerable plugin):

    http://pastebin.com/KDzhivWT

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hello,

    I managed to track down the vulnerability .. It involves an RFI exploit inside the WordPress Download Manager plugin.
    the malicious code to be evaluated -> http://pastebin.com/r95QVeXE

    Please consult following link for security update:
    http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html

    Thread Starter abehjat

    (@abehjat)

    First RevSlider and now these. Interesting. Thank you for the info rawcoder!

    oh, you also have to remove line 9 from the script you pasted:
    $code_inject_sape = //malicious code//

    .. and try to look for other obfuscated code blocks ( eval(base64_decode(..) ) .. generally when you can’t read that code, someone is trying to hide something 😉

    Thread Starter abehjat

    (@abehjat)

    I found them all, I’m just doing a quick brush up on them.

    However, the beautiful thing is I’m lucky the main file wasn’t deleted, and I can track all the locations the hacks occurred, including the footer of every theme.

    This hack is quite annoying!

    Thread Starter abehjat

    (@abehjat)

    Here are some useful commands/information for anyone interested in targeting some files

    Locate files modified on December 31, 2013 at 4:17 GMT. The command for such hack can be found at:

    touch("wp-optionstmp.php", mktime(12, 17, 11, 12, 31, 2013));

    Some hacks occurred on this date: October 25 2013

    Weird hack involving auth and humungous base64 code

    $auth_pass = "63a9f0ea7bb98050796b649e85481845";
    $default_charset = 'Windows-1251';

    Find files between certain times

    find public_html/ -newermt 2013-10-25 ! -newermt 2013-10-26 -ls

    Find files affected by hacks

    grep -rnw public_html/ -e "<!-- Begin WordPress Cache (DO NOT MODIFY) -->"

    Find all instances where eval base64 code occurs

    grep -rnw public_html/ -e "eval(base64_decode("
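
The date search in the post above keys on mtime, which the quoted touch() call rewrites. The script below is an added example, not code from the thread or its participants: it searches the same kind of window by ctime instead and looks for the two markers quoted in the post. It assumes GNU find and grep, and the function names are made up here.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes GNU find and grep.

# Files whose inode change time (ctime) falls in [from, to) while their mtime
# claims to be older than the window. PHP's touch(), as in the
# wp-optionstmp.php line above, rewrites mtime, but the kernel stamps ctime
# with the real time of that call, so -newermt alone misses backdated files.
backdated_in_window() {
    local root=$1 from=$2 to=$3
    find "$root" -type f -newerct "$from" ! -newerct "$to" ! -newermt "$from" -print
}

# PHP files carrying either marker quoted in the thread. No -w, and optional
# whitespace is allowed, so "eval ( base64_decode(" and
# "eval(base64_decode(strrev(" are matched too.
signature_hits() {
    local root=$1
    grep -rlE --include='*.php' \
        -e 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' \
        -e '<!-- Begin WordPress Cache \(DO NOT MODIFY\) -->' "$root"
}

# Usage: script.sh public_html/ 2013-10-25 2013-10-26
if [ "$#" -eq 3 ]; then
    echo "== changed in window, mtime backdated =="
    backdated_in_window "$1" "$2" "$3"
    echo "== signature matches =="
    signature_hits "$1"
fi
```

ctime also moves on chmod, rename, or a restore that preserves mtimes, so a hit from the first function is a lead to inspect, not proof of tampering.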
  • The topic ‘Caught Hacking File that modifies and damages WP via backdoor’ is closed to new replies.