Comments on: Blog error http://adrianspender.com/blog/2007/11/30/blog-error/ Cycling, software and random other thoughts Fri, 13 Jan 2012 10:17:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Andy Piper http://adrianspender.com/blog/2007/11/30/blog-error/comment-page-1/#comment-14341 Andy Piper Thu, 13 Dec 2007 04:31:34 +0000 http://adrianspender.com/blog/2007/11/30/blog-error/#comment-14341 Eek. Well I assume that WP.com blogs are not vulnerable to whatever backdoor these folks found. Eek. Well I assume that WP.com blogs are not vulnerable to whatever backdoor these folks found.

]]> By: Adrian Spender http://adrianspender.com/blog/2007/11/30/blog-error/comment-page-1/#comment-12631 Adrian Spender Sat, 01 Dec 2007 17:15:39 +0000 http://adrianspender.com/blog/2007/11/30/blog-error/#comment-12631 Edited to add. This happened well after I recently upgraded to Wordpress 2.3.1 as well! Edited to add. This happened well after I recently upgraded to WordPress 2.3.1 as well!

]]> By: Adrian Spender http://adrianspender.com/blog/2007/11/30/blog-error/comment-page-1/#comment-12630 Adrian Spender Sat, 01 Dec 2007 17:14:27 +0000 http://adrianspender.com/blog/2007/11/30/blog-error/#comment-12630 Unfortunately it looks like you are right. class-mail.php isn't part of Wordpress and seems to have been inserted into my wp-includes directory somehow, probably by the method you highlight. How somebody got the backdoor in in the first place is unknown. There is nothing to suggest that they gained access to the filesystem on my host (and no it isn't world-writable either) The contents of class-mail.php contained the assignment of two variables to the contents of a couple of Base 64 encode strings. One contained a load of binary data and some links to an innocuous looking web site blog at digitalsweeties.com The second decoded into a Javascript function to display an ad from googlesyndication.com Looks like it has <a HREF="http://www.howardowens.com/2007/this-blog-was-hacked/" rel="nofollow">happened to others</a> as well, and is probably an exploit of a Wordpress vulnerability Unfortunately it looks like you are right. class-mail.php isn’t part of WordPress and seems to have been inserted into my wp-includes directory somehow, probably by the method you highlight. How somebody got the backdoor in in the first place is unknown. There is nothing to suggest that they gained access to the filesystem on my host (and no it isn’t world-writable either)

The contents of class-mail.php contained the assignment of two variables to the contents of a couple of Base 64 encode strings. One contained a load of binary data and some links to an innocuous looking web site blog at digitalsweeties.com The second decoded into a Javascript function to display an ad from googlesyndication.com

Looks like it has happened to others as well, and is probably an exploit of a WordPress vulnerability

]]> By: Anton Piatek http://adrianspender.com/blog/2007/11/30/blog-error/comment-page-1/#comment-12618 Anton Piatek Sat, 01 Dec 2007 16:23:23 +0000 http://adrianspender.com/blog/2007/11/30/blog-error/#comment-12618 Looks to me like your blog got hacked and that is the code for a backdoor... The first line looks like it allows someone to load a file into your blog via a http post, which means they can do whatever they want. I would change passwords on the blog and start checking for other security problems - That code is not benign! Looks to me like your blog got hacked and that is the code for a backdoor…
The first line looks like it allows someone to load a file into your blog via a http post, which means they can do whatever they want.

I would change passwords on the blog and start checking for other security problems – That code is not benign!

]]>