Notification of Hacking Attempts

  • Recent hacks on my blog have prompted me to upgrade to 2.6.1 and install a $_POST logging facility.

    Within 12 hours of installation, I captured a hacking attempt! The first entry with the suspect IP was:

    file = ZWNobyAnYmxpYV9ibGlhX2pvb3AnOyBleGl0Ow==

    The second was:

    file = [an impossibly long string of characters]

    There were two other attempts immediately following the one I looked at, with the same IP; I did not investigate, or even compare the character strings.

    I will divulge the [impossibly long string of characters] to anybody who can prove they are a full member of the WordPress development team, but if I could capture it within 12 hours, I suspect that those who need to know about it are way ahead of me!

    Putting the string through an on-line base64_decode() utility resulted in the unveiling of an “outer hack” and an “inner hack”.

    The “inner hack” simply sets the variable $fake to a base64 encoded version of what appears (to my untrained eye) to be an innocuous RSS feed. The “outer hack”:

    • Defines some nasty looking constants
    • Sets “$txt=get_option('rss_f541b3abd05e7962fcab37737f40fad8');”
    • Performs other operations
    • Incorporates (or replaces?) $txt with $fake
    • Calls “update_option('rss_f541b3abd05e7962fcab37737f40fad8',base64_decode($txt));”
    • Runs “$wpdb->query("UPDATE $wpdb->users SET user_pass='".md5($PP[1])."' WHERE user_login='WordPress'");”

    I have 14 of these funny ‘rss_XXX’ options in my wp_options table, but I do not have any ‘user_login’ = ‘WordPress’ in my wp_users table, so I’m not sure what’s going on with that one.

    Anyway … I’m deleting all the “rss_XXX” entries from my ‘wp_options’ table, in accordance with this post. But I would like to be assured that

    • filenames of such extreme length are rejected by an editor prior to doing anything
    • I will be notified by the WordPress software of such attempts in future versions of the software
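
Added example, not part of the original post or of the logging script it mentions: a Python triage pass over logged POST values that decodes base64 fields and flags those that decode to PHP or exceed a length limit. The `field = value` log layout, the 4096-character limit and the keyword list are assumptions.

```python
import base64
import re

# Constructed log in a "field = value" layout (assumed format). The first value
# is the string quoted in the post; the other two lines are made up.
SAMPLE_LOG = """\
file = ZWNobyAnYmxpYV9ibGlhX2pvb3AnOyBleGl0Ow==
comment = Thanks for the helpful article!
file = header.php
"""

# PHP constructs the post names in the decoded payload, plus eval (assumed list).
SUSPICIOUS = re.compile(
    r"\b(echo|exit|eval|base64_decode|get_option|update_option|md5)\b|\$wpdb->query",
    re.IGNORECASE,
)
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_base64(value):
    """Return the decoded text if value is strict base64 of readable text, else None."""
    if len(value) % 4 or not B64_VALUE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    readable = all(ch.isprintable() or ch.isspace() for ch in text)
    return text if readable else None


def triage(log_text, max_len=4096):
    """Return (field, reasons, decoded) for each logged POST value worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        field, sep, value = line.partition(" = ")
        if not sep:
            continue
        value, reasons = value.strip(), []
        if len(value) > max_len:
            reasons.append("oversized value")
        decoded = decode_if_base64(value)
        if decoded and SUSPICIOUS.search(decoded):
            reasons.append("base64-encoded PHP")
        else:
            decoded = None
        if reasons:
            findings.append((field.strip(), reasons, decoded))
    return findings
```
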
Viewing 3 replies - 1 through 3 (of 3 total)
  • whooami



    Within 12 hours of installation, I captured a hacking attempt!

    lol! and it's so exciting when that happens too, isn't it?? 🙂

    that's my script you caught that with, btw, and I would love a copy of the undecoded base64, if you're willing to send it to me, please.

    In fact, the entire content of all 6 of the above lines would be awesome.

    you can always send via email to whoo@domain where you got the script 🙂


    I have sent the extracts from the logfile to the indicated eMail.

    Please let me know if you’d like anything more.




    Nope, that's fine, and thank you VERY much 🙂
