I run a web hosting service and have a number of customers who use WordPress. About 3 days ago it appears that someone uploaded a number of files to one of my customers’ WP installations. These files are in directories several levels down, under ~/wp-content/uploads with the names iskorpitx and gogo_wget.txt. The former is an executable, and I found two instances of this running with the privileges of the apache (web server) user which couldn’t be killed, nor could the box be rebooted. The file gogo_wget.txt appears to be a PHP script which downloads iskorpitx and several other pieces of malware. There were 4 pairs of these two files in directories such as ~/wp-content/uploads/2008/10/190727843/ which I assume are WordPress directories, which is why I suspect that an exploit in WordPress was responsible for this.
My customer’s website is now shut down and I’d like to help him get it back up and running, but unless and until we can find out exactly how this exploit was done, the site will have to remain shut down. Any advice or avenues of research will be appreciated.
Although I do system administration, I’m not very familiar with WordPress. I don’t know how to determine the version numbers of the main routines or of the plugins. I’ve done a lot of PHP programming, but large applications such as WordPress are a world of their own.
Any help will be appreciated!
The topic ‘iskorpitx worm/trojan’ is closed to new replies.
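Two of the questions in the post above are answerable from the filesystem alone: the WordPress core version is the `$wp_version` string in `wp-includes/version.php`, and each plugin declares its version in the `Version:` line of the header comment of its main PHP file. The same walk can check the uploads tree for the kind of files described (an ELF binary and a PHP downloader hiding behind a `.txt` name), by looking at file contents rather than extensions. The script below is an added example, not code from the poster or from WordPress; it builds a small constructed install in a temporary directory (the version strings, plugin names and the two inert stub files are made up for the demonstration) and points the checks at that tree. Run it against a real document root by passing the site path to the three functions instead.

```python
import os
import re
import tempfile

# Constructed sample install (hypothetical contents, not real WordPress files).
# The two files under 190727843/ are inert stand-ins for the findings in the post.
SAMPLE_FILES = {
    "wp-includes/version.php": b"<?php\n$wp_version = '0.0.0-sample';\n$wp_db_version = 1;\n",
    "wp-content/plugins/sample-plugin/sample-plugin.php":
        b"<?php\n/*\nPlugin Name: Sample Plugin\nVersion: 1.2.3-sample\n*/\n",
    "wp-content/plugins/hello.php":
        b"<?php\n/**\n * Plugin Name: Hello Single File\n * Version: 9.9-sample\n */\n",
    "wp-content/uploads/2008/10/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
    "wp-content/uploads/2008/10/190727843/gogo_wget.txt":
        b"<?php // constructed inert stub: a .txt name does not make this data\n",
    "wp-content/uploads/2008/10/190727843/iskorpitx": b"\x7fELF" + b"\x00" * 12,
}


def build_sample_tree():
    """Write the constructed tree into a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_NAME_RE = re.compile(r"Plugin Name:", re.I)
# Header lines may be prefixed with " * " inside a /** */ block comment.
PLUGIN_VERSION_RE = re.compile(r"^[\s*#]*Version:\s*(\S.*?)\s*$", re.M | re.I)


def wordpress_version(root):
    """Core version as declared in wp-includes/version.php ($wp_version)."""
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = WP_VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def plugin_versions(root):
    """Map plugin directory (or single-file plugin name) to its declared Version."""
    pdir = os.path.join(root, "wp-content", "plugins")
    result = {}
    for entry in sorted(os.listdir(pdir)):
        full = os.path.join(pdir, entry)
        if os.path.isdir(full):
            candidates = [os.path.join(full, f)
                          for f in sorted(os.listdir(full)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [full]
        else:
            continue
        for candidate in candidates:
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)  # the header comment sits at the top of the file
            if not PLUGIN_NAME_RE.search(head):
                continue  # not the plugin's main file
            match = PLUGIN_VERSION_RE.search(head)
            result[entry] = match.group(1) if match else "unknown"
            break
    return result


def suspicious_uploads(root):
    """Flag files under wp-content/uploads that should never be there.

    Decides by content (ELF magic, PHP open tag), not by extension, so a
    downloader renamed to .txt is still reported.
    """
    updir = os.path.join(root, "wp-content", "uploads")
    findings = []
    for dirpath, _, files in os.walk(updir):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(4096)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if head.startswith(b"\x7fELF"):
                findings.append((rel, "ELF executable"))
            elif b"<?php" in head or b"<?=" in head:
                findings.append((rel, "PHP code"))
    return sorted(findings)


if __name__ == "__main__":
    site = build_sample_tree()
    print("WordPress core:", wordpress_version(site))
    for slug, version in plugin_versions(site).items():
        print("plugin", slug, "version", version)
    for rel, kind in suspicious_uploads(site):
        print("SUSPICIOUS", kind, rel)
```

Version strings from a live install can then be compared against the project's release notes; the uploads check is a quick first pass and reports only two file classes, so it complements rather than replaces a full comparison of the tree against a clean copy of the same core and plugin versions.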