• My blog appears to have suffered a hack. Details are posted in an entry here.

    The hack appears to update wp-includes/default_filters.php to include a backdoor to upload files. It then uploads a file named class-mail.php and also updates classes.php. class-mail.php contains base64-encoded data containing links and ads which are inserted into the body as hidden text and the page footer.

    Another few people appear to have suffered the same:

    https://www.howardowens.com/2007/this-blog-was-hacked/
    https://www.ads-software.com/support/topic/142586?replies=2

    I appreciate that compromised FTP/filesystem access is the most likely cause, and am getting my host to check this out, but thought I would raise it here as well.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter aspender

    (@aspender)

    My host confirms that there were a number of attempted FTP logins from a Chinese IP on the day of the hack, but none of them were successful.

    Thread Starter aspender

    (@aspender)

    The hack above has happened again on my 2.3.1 blog. Again my host has confirmed that there weren't any successful FTP logins on or around the date that class-mail.php was placed on the server.

    This page seems to have information about how to get rid of the hack, suggesting it has been seen elsewhere:

    https://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/

    FYI, I am running WP 2.3.1 with the Tranquility 1.2 theme and the following plugins activated:

    Akismet 2.0.2
    DupPrevent 1.0
    Feedburner Feedsmith 2.3
    Google Search Widget 1.0
    Google XML Sitemaps 3.0.1
    ShareThis 2.0
    Ultimate Google Analytics 1.5.3

    Site is at https://adrianspender.com/blog. I have removed the hack.

    Can anybody else confirm they have seen this or give any reasonable explanation as to how the backdoor works?

    Thread Starter aspender

    (@aspender)

    Just to be clear, the following got inserted into my page footer:

    // Hooks a callback with a random-looking hex name into the footer
    add_action('wp_footer', 'wpc7c16b8466d864eeefd20050625c7775');
    function wpc7c16b8466d864eeefd20050625c7775() {
        // Pulls in the uploaded file, which defines $wparr (the link/ad list)
        @include('./wp-includes/class-mail.php');
        if (sizeof($wparr) > 0) {
            echo "<div id=\"goro\">";
            foreach ($wparr as $k => $v) {
                // The markup between the first pair of quotes did not survive the forum rendering
                echo "" . ucwords($v['key']) . "\n";
                if ($i++ == $inum) break;
            }
            echo "</div>" . $_footer;
        }
    }

    However, after Googling for the goro div and finding some results on these forums, what appears to be different in this case is that wp-includes/default_filters.php was the file that included the hack, not a theme.
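    A defender's indicator scan for the compromise described in this thread (the unexpected wp-includes/class-mail.php, the wp_footer hook with a hex-named callback that @include()s it, the "goro" div, and a long base64 blob), covering both the description in the first post and the footer code quoted above. This is an added example, not code from the thread or from WordPress; the regular expressions and the temporary sample site it builds are my own assumptions, and the sample files are constructed to mirror what the posts describe.

```python
"""Scan a WordPress tree for the indicators named in this thread.

Added example (not from the thread or WordPress). File names come from the
posts; the regexes, the temp-directory layout and the sample contents are
assumptions made here for illustration.
"""
import os
import re
import tempfile

# A file the thread says should not be present in a stock install
UNEXPECTED_FILES = {"wp-includes/class-mail.php"}

# Content indicators drawn from the injected footer code quoted in the thread
PATTERNS = {
    # add_action('wp_footer','wp' + 32 hex chars) -- the hook with a random-looking callback
    "footer_hook_hex_callback": re.compile(
        r"add_action\(\s*['\"]wp_footer['\"]\s*,\s*['\"]wp[0-9a-f]{32}['\"]"),
    # any include of class-mail.php, with or without the error-suppressing @
    "include_class_mail": re.compile(r"@?include\(\s*['\"][^'\"]*class-mail\.php['\"]"),
    # the hidden container the injected links are written into
    "goro_div": re.compile(r'id=\\?"goro'),
    # a long run of base64 characters inside a string literal (assumed threshold)
    "base64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan(root):
    """Return sorted (relative_path, indicator) pairs found under root."""
    findings = []
    for rel in sorted(UNEXPECTED_FILES):
        if os.path.exists(os.path.join(root, rel)):
            findings.append((rel, "unexpected_file"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for label, rx in PATTERNS.items():
                if rx.search(text):
                    findings.append((rel, label))
    return sorted(findings)


# Constructed sample: the footer hook as quoted in the thread, minus the markup
# that the forum stripped from the echo line.
INJECTED_FOOTER_HOOK = r"""
add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
    @include('./wp-includes/class-mail.php');
    if(sizeof($wparr)>0){
        echo "<div id=\"goro\">";
        foreach($wparr as $k=>$v){ echo "".ucwords($v['key'])."\n"; }
        echo "</div>".$_footer;
    }
}
"""


def build_sample_site():
    """Create a throwaway tree that mimics the compromised layout (constructed)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    inc = os.path.join(root, "wp-includes")
    os.makedirs(inc)
    with open(os.path.join(inc, "default_filters.php"), "w") as fh:
        fh.write("<?php\nadd_filter('the_content', 'wptexturize');\n")
        fh.write(INJECTED_FOOTER_HOOK)          # the injected hook appended to a core file
    with open(os.path.join(inc, "class-mail.php"), "w") as fh:
        # placeholder base64 payload standing in for the encoded link/ad data
        fh.write("<?php\n$wparr = unserialize(base64_decode('" + "QUJD" * 60 + "'));\n")
    with open(os.path.join(inc, "classes.php"), "w") as fh:
        fh.write("<?php\nclass WP { function main() {} }\n")  # clean file, should not be flagged
    return root


if __name__ == "__main__":
    for rel, label in scan(build_sample_site()):
        print(f"{label:26s} {rel}")
```

Run it against a real document root instead of the constructed tree by calling `scan("/path/to/wordpress")`; each indicator is reported separately so a single file that trips several of them stands out, while a clean core file such as classes.php produces nothing.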

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Almost all of the hack attempts I’ve seen lately on my systems attempt to exploit vulnerable plugins and/or theme files. I’d look closely at those.

    And read the server logs, look for any direct accesses to plugin files or theme files. Except for very unusual plugins and/or themes, those should not occur.

    WordPress 2.3.1 only has one known issue at present, and it only affects systems using non-standard character sets (not UTF-8, which is the default).
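    The log check suggested above, as an added example that is not part of this thread: it reads combined-format access log lines and flags requests that hit a .php file directly under wp-content/plugins or wp-content/themes, ignoring static assets such as stylesheets. The log lines, IP addresses, plugin and theme directory names are all constructed here for illustration.

```python
"""Flag direct requests to PHP files under wp-content/plugins or wp-content/themes.

Added example (not from the thread). The sample log lines below are
constructed; the log format regex assumes Apache/nginx "combined" format.
"""
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A .php file inside a plugin or theme directory, requested directly (query string allowed).
# Works whether WordPress lives at / or in a subdirectory such as /blog/.
DIRECT_PHP = re.compile(r"/wp-content/(?:plugins|themes)/[^?\s]*\.php(?:\?|$)")

# Constructed sample log: normal page and CSS traffic plus two direct hits on PHP files
SAMPLE_LOG = """
1.2.3.4 - - [14/Nov/2007:03:12:05 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
1.2.3.4 - - [14/Nov/2007:03:12:06 +0000] "GET /blog/wp-content/themes/sample-theme/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
5.6.7.8 - - [14/Nov/2007:03:40:11 +0000] "POST /blog/wp-content/plugins/sample-plugin/some-file.php HTTP/1.1" 200 51 "-" "-"
5.6.7.8 - - [14/Nov/2007:03:40:13 +0000] "GET /blog/wp-content/themes/sample-theme/footer.php?x=1 HTTP/1.1" 200 17 "-" "-"
9.9.9.9 - - [14/Nov/2007:04:01:00 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
""".strip().splitlines()


def find_direct_accesses(lines):
    """Return one dict per log line that requests a plugin/theme .php file directly."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than abort
        path = m.group("path")
        if DIRECT_PHP.search(path):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


def suspicious_ips(hits):
    """Count flagged requests per client address so repeat offenders surface first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_direct_accesses(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:15s} {h["method"]:4s} {h["status"]} {h["path"]}')
    for ip, n in suspicious_ips(found).most_common():
        print(f"{ip}: {n} direct plugin/theme PHP request(s)")
```

To run it over a real log, replace `SAMPLE_LOG` with `open("/var/log/apache2/access.log").read().splitlines()` (path assumed). A POST to a plugin file with a 200 response, from an address that requested nothing else on the site, is exactly the pattern worth reading closely.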

    This actually just happened to me on 2.1.1, so it's not just a 2.3.1 vulnerability.

    Same code injected.

  • The topic ‘2.3.1 vulnerability’ is closed to new replies.