Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi w8lifter2000,

    In this specific case, the attacker modified footer.php inside the WordPress themes directory to add a hidden iframe. The attack was cloaked using base64_decode and only showed up in the HTML the first time a visitor was on the site.

    The attacker also added a C99 shell to the website, also cloaked using base64_decode. The C99 shell was added both to the root directory of the website and to the WordPress directory.

    In the database, the attacker edited the most recent post on the website to add a hidden script include. It referenced http://zlu.emapis.org/js/jquery.min.js, which interestingly returns different content depending on the number of times you have loaded the page. The first time you load the JavaScript from a particular IP address, it returns the suspected malware script content; after the first load, it then returns an innocuous script. I saved the suspected malware version of the script at http://pastebin.ca/1882657 for further analysis in case anyone wants to take a closer look at the attack code.
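Added example, not code from the reply above or from any project it mentions: a small Python check for the two cloaking patterns the reply describes (a base64_decode-wrapped payload in a theme file such as footer.php, and a script or iframe include in post content pointing at a host that is not the site's own). Decoding the base64 literal statically means the hidden iframe is found even though the live site only rendered it once per visitor, and allowlisting hosts catches the injected include regardless of which version of the remote script is being served. The sample footer.php, shell snippet and post HTML are constructed here; the allowlisted host example.com is an assumption standing in for the site's own domain.

```python
"""Static checks for base64_decode-cloaked PHP payloads and external
script/iframe includes in WordPress post content.

Sample inputs below are constructed for this example; the allowlist host
'example.com' is an assumed stand-in for the site's own domain.
"""
import base64
import re

# base64_decode('...') with a string literal argument, as used to hide HTML or PHP
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
# Common wrappers that turn a decoded string into executed code (shell droppers)
EVAL_WRAP = re.compile(r"\b(eval|assert|create_function|preg_replace)\s*\(", re.I)
# <iframe src=...> / <script src=...> with the src value captured
INJECT_TAG = re.compile(r"<(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def decode_b64_blobs(php_source):
    """Return the decoded text of every base64_decode('...') literal in a PHP file."""
    out = []
    for m in B64_CALL.finditer(php_source):
        raw = re.sub(r"\s+", "", m.group(1))
        try:
            out.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except Exception:
            continue  # not valid base64: skip, the eval check below still applies
    return out


def scan_php_file(php_source):
    """Findings for one PHP file, as (kind, detail) tuples:
    hidden_iframe/hidden_script for decoded blobs that contain an include tag,
    eval_base64 when an eval-style wrapper and base64_decode appear together."""
    findings = []
    for decoded in decode_b64_blobs(php_source):
        for tag, src in INJECT_TAG.findall(decoded):
            findings.append(("hidden_%s" % tag.lower(), src))
    if EVAL_WRAP.search(php_source) and "base64_decode" in php_source:
        findings.append(("eval_base64", None))
    return findings


def external_script_hosts(post_html, allowed_hosts):
    """Hosts referenced by <script>/<iframe> src values in post content that are
    not on the allowlist. Sorted and de-duplicated."""
    hosts = []
    for _tag, src in INJECT_TAG.findall(post_html):
        m = re.match(r"(?:https?:)?//([^/:]+)", src, re.I)
        if m and m.group(1).lower() not in allowed_hosts:
            hosts.append(m.group(1).lower())
    return sorted(set(hosts))


# --- constructed samples (not real captures) ---------------------------------
HIDDEN_IFRAME = ('<iframe src="http://bad.example.invalid/x.php" width="1" height="1" '
                 'style="display:none"></iframe>')
SAMPLE_FOOTER_PHP = (
    "<?php\n"
    "// constructed tampered footer.php: the iframe is only visible after decoding\n"
    "echo base64_decode('%s');\n"
    "?>\n</body></html>\n"
) % base64.b64encode(HIDDEN_IFRAME.encode()).decode()

SAMPLE_SHELL_PHP = "<?php eval(base64_decode('aGVsbG8=')); ?>"  # decodes to 'hello'

SAMPLE_POST_HTML = (
    "<p>Welcome to the blog.</p>"
    '<script src="http://cdn.attacker.invalid/js/jquery.min.js"></script>'
    '<script src="https://example.com/wp-includes/js/jquery.js"></script>'
)

if __name__ == "__main__":
    print("footer.php:", scan_php_file(SAMPLE_FOOTER_PHP))
    print("l.php:", scan_php_file(SAMPLE_SHELL_PHP))
    print("post includes:", external_script_hosts(SAMPLE_POST_HTML, {"example.com"}))
```

On a real site the same functions would be run over every .php file under the web root and over post_content from the wp_posts table; a decoded blob that itself contains PHP (rather than HTML) is worth feeding back through scan_php_file, since droppers are sometimes nested.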

  • w8lifter, to answer your question, when I was looking at a Rackspace account that had been compromised, I spotted a few hacks beyond the creation of the amin user account:
    1. The attacker installed malware into both the WordPress database and into the WordPress source code. This allowed the attacker to distribute malware to site visitors. Some of these attacks were trickily hidden.
    2. The attacker created a C99 shell server. This helps the attacker launch further attacks on affected sites. (In this case, the server was named “l.php”, but note that they can name this file anything they want.)

  • Looks like Rackspace has upgraded their phpMyAdmin software to 2.11.10 now. Hopefully this will help!

    If the attacker created backdoor accounts or installed trojan software onto the servers, he’ll still be able to cause trouble. Hopefully, Rackspace will watch for this and prevent further damage.

  • Rackspace Cloud currently uses phpMyAdmin 2.11.3 [1], which has critical security holes [2]. Until Rackspace upgrades their version of phpMyAdmin, it’s likely that your sites will continue to get hacked.

    [1] https://mysql.websitesettings.com/Documentation.html
    [2] http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php
