[wp-hackers] WP exploit , was Re: [Webmaster Central Help] Site hacked.
Peter Westwood
peter.westwood at ftwr.co.uk
Wed Dec 2 15:12:28 UTC 2009
On 2 Dec 2009, at 14:55, Mike Little wrote:
> 2009/12/2 Malaiac <malaiac at gmail.com>
>
>> Ok. The base64 statement was in ./wp-includes/locale.php, at the end
>> of the file. The file seems a legit one to me, so I guess the lien
>> was
>> added by the exploit... ?
>>
>> I removed the lines, and I'm going to check it stays like that.
>>
>> FYI, the lines were :
>>
>> <?php
>> $V210305394="VlE+KSk0..... SNIP
>>
>
>
> It won't fix the problem. That line was added by some other code
> running on
> your sever. Next time it could be added to a different file, with a
> different variable name and a different encoding scheme.
>
> Did you do the download and compare?
>
> You should also compare your themes and plugins against the
> originals too.
>
It is also worth running the Exploit Scanner against your install to
find any malicious code.
http://wordpress.org/extend/plugins/exploit-scanner/
--
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
More information about the wp-hackers
mailing list