[wp-hackers] Weird PHP Injection

Lew Ayotte - Full Throttle Development lew at fullthrottledevelopment.com
Thu Oct 29 20:23:39 UTC 2009


Thanks Otto,

It's actually a Rackspace managed server, not exactly shared hosting, only
semi-shared, in the sense that each site they own is a virtual server. So it
would only have access to the files on this particular virtualization.

I did another grep for "base64" which yielded some interesting results.
These three files in particular:
wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/dg.php
wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/s.php
wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php

So there is a ton more encoded code in those files, but again, since this is
located in the phpMyAdmin plugin dir for WP, it makes me think that it is an
exploit in that particular plugin -- of course, it could just be a
coincidence.

Chris,

Yeah, the only reason we noticed was because the code actually screwed up
the formatting for wp-admin. Like it was missing a </div> or something.

Lew Ayotte
Full Throttle Development, LLC
706.363.0688
478.246.4627
lew at fullthrottledevelopment.com
http://fullthrottledevelopment.com
http://twitter.com/full_throttle
http://twitter.com/lewayotte


On Thu, Oct 29, 2009 at 3:54 PM, Otto <otto at ottodestruct.com> wrote:

> On Thu, Oct 29, 2009 at 2:45 PM, Lew Ayotte - Full Throttle
> Development <lew at fullthrottledevelopment.com> wrote:
> > I'm not sure if anyone has seen this before... except for this guy:
> > http://wordpress.org/support/topic/320918?replies=8
> >
> > But I just ran into an issue with a client using WP2.8.4. It seems like
> > every single file in WP (including themes and plugins) had this injected
> > at the top:
>
> In the cases where I've seen all files hit like this, then I've always
> discovered two things.
>
> 1. The server is a shared host (many websites, same server).
> 2. The server itself is insecure (the web user can easily write to all
> the web facing files).
>
> The usual method of entry is for some site (any site) on that shared
> server to get hacked. The attacker then runs a piece of code which
> simply recursively searches all sites on that system and adds its
> malicious code to them all that fit some pattern (like *.php, for
> example).
>
> Well setup shared servers don't have this problem. A server running
> suPHP, for example, would prevent this sort of attack because the php
> processes run under the user account, not the generic web account. So
> when the attacker gains privileges, he's running as the generic user
> who doesn't have the same kind of access that the "web" user does.
>
> My advice: Switch hosts. A host that can't properly configure their
> systems is not one worth sticking with.
>
> -Otto
> Sent from Memphis, TN, United States
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
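The thread's practical takeaway is a detection step: grep the web root for `base64` and look at which files light up, paying attention to where they sit (here, PHP files under a plugin's `images/` directory) and where in the file the injection landed (at the top of every file). The script below is an added example written for this page, not code posted to the list or shipped with WordPress or phpMyAdmin; it automates that triage on a constructed sample tree. The signature regexes and the list of asset-directory names are defender heuristics of my own choosing, and every file name and file body it creates is constructed for the demonstration.

```python
"""Scan a web root for PHP files carrying the markers of mass-injected code.

Added example for the thread above (not code from the list, WordPress or
phpMyAdmin). It automates the "grep for base64" step and adds two heuristics
a responder wants: the line number of each hit (the injections in the thread
sat at the top of every file) and a flag for .php files living in directories
that should only hold images or stylesheets. All names and contents below
are constructed for the example.
"""
import base64
import os
import re
import tempfile
from pathlib import Path

# Heuristic signatures, (label, regex). A bare base64_decode() call is not
# flagged on its own; only the eval/obfuscation shapes are.
SIGNATURES = [
    ("eval_base64",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I)),
    ("long_base64_literal",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]")),
    ("eval_request_input",
     re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
]

# Directory names in which a .php file is itself suspicious (the infected
# copies in the thread sat under .../styles/default/images/). Assumed list.
ASSET_DIRS = {"images", "img", "css", "fonts", "uploads"}


def scan_file(path: Path):
    """Return a list of (label, line_no) findings for one file; line 0 marks a path-based finding."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in SIGNATURES:
            if rx.search(line):
                findings.append((label, line_no))
    if path.suffix.lower() == ".php" and ASSET_DIRS & {p.lower() for p in path.parent.parts}:
        findings.append(("php_in_asset_dir", 0))
    return findings


def scan_tree(root):
    """Walk root; return {relative_posix_path: findings} for every PHP-ish file with findings."""
    root = Path(root)
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".inc", ".phtml")):
                continue
            path = Path(dirpath) / name
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree():
    """Create a constructed WordPress-like tree: two clean files and two infected ones."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    # Constructed, harmless payload standing in for the encoded blob seen in the thread.
    payload = base64.b64encode(b"echo 'constructed harmless marker';").decode()
    injected = f'<?php eval(base64_decode("{payload}")); ?>\n'
    files = {
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
        # Injection prepended at the top of an otherwise normal theme file.
        "wp-content/themes/demo/functions.php": injected + "<?php\nadd_action('init', 'demo_init');\n",
        # A PHP file hiding in an images directory, evaluating request input.
        "wp-content/plugins/demo/styles/images/s.php": "<?php eval($_POST['c']); ?>\n",
        # Legitimate use of base64_decode: must not be flagged.
        "wp-content/plugins/demo/lib/ok.php": "<?php\n$raw = base64_decode($stored_token);\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, hits in sorted(scan_tree(sample_root).items()):
        print(rel, hits)
```

Run against a real install by passing the web root to `scan_tree()` instead of the sample tree. A hit on line 1 across many unrelated files is the signature of the mass-injection Otto describes; a single PHP file under an asset directory is worth inspecting even when no regex fires, since it has no business being there.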

