[wp-hackers] WP exploit, was Re: [Webmaster Central Help] Site hacked.

Harish Narayanan harish.mlists at gmail.com
Wed Dec 2 17:28:31 UTC 2009


Mike Little wrote:
> 2009/12/2 Malaiac <malaiac at gmail.com>
> 
>> Ok. The base64 statement was in ./wp-includes/locale.php, at the end
>> of the file. The file seems a legit one to me, so I guess the line was
>> added by the exploit... ?
>>
>> I removed the lines, and I'm going to check it stays like that.
>>
>> FYI, the lines were:
>>
>> <?php
>> $V210305394="VlE+KSk0..... SNIP
>>
> 
> 
> It won't fix the problem. That line was added by some other code running on
> your server. Next time it could be added to a different file, with a
> different variable name and a different encoding scheme.
> 
> Did you do the download and compare?
> 
> You should also compare your themes and plugins against the originals too.

In general (I think) it also makes sense to keep your web sites under
revision control. So you can easily see what's been changed and when,
allowing for easily spotting and reverting things like this.

Harish
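
The download-and-compare check suggested in this thread, sketched in Python as an added example that is not code from any of the posters. The function names (`tree_hashes`, `compare_trees`, `demo`) and the file contents in `demo` are constructed for illustration; in practice `pristine` would be an unpacked official download of the same WordPress version as the site.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(pristine, installed):
    """Return files modified, added, or missing relative to the pristine copy."""
    ref, live = tree_hashes(pristine), tree_hashes(installed)
    return {
        "modified": sorted(f for f in ref.keys() & live.keys() if ref[f] != live[f]),
        "added": sorted(live.keys() - ref.keys()),
        "missing": sorted(ref.keys() - live.keys()),
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        pristine, installed = Path(tmp, "pristine"), Path(tmp, "installed")
        files = {
            "wp-includes/locale.php": "<?php\n// locale code\n",
            "wp-includes/version.php": "<?php\n$wp_version = 'X.Y';\n",
        }
        for root in (pristine, installed):
            for rel, body in files.items():
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        # Constructed stand-in for a line appended to the end of a core file.
        with open(installed / "wp-includes/locale.php", "a") as fh:
            fh.write('<?php $V0 = "PLACEHOLDER"; ?>\n')
        # Constructed stand-in for a file that is not in the official download.
        (installed / "wp-includes/extra.php").write_text("<?php // not in release\n")
        return compare_trees(pristine, installed)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Site-specific files such as `wp-config.php` are not in the official download, so they show up under `added` and need a manual look. The same comparison should be run for each theme and plugin against its original package.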

