[Klug-general] wanted: db advice/crashcourse for helping clean cracked wp site

James Morris jwm.art.net at gmail.com
Sat Feb 25 13:42:06 UTC 2012


i think the db might be ok. i've grepped a dump of it for spam
keywords and there doesn't seem to be anything there.

many of the wordpress php files are infected with obfuscated php. one
of the first i looked at was obfuscated to three levels which ended in
a javascript which i think added an iframe to the document and brought
something in from another site. wget on the url failed to get
anything.

there was an image.php file infected with code looking much like this:

http://pastebin.com/FtR7D2Ny

but i think it is longer. i'm trying to work through it to see what it
does. i find it quite interesting!

james.




On 24 February 2012 14:27, Nathan Friend <nathan.friend at gmail.com> wrote:
> I had a similar thing happen to my Wordpress site.  Code came from a dodgy
> template, that went on to helpfully inject itself into all the other
> templates in the directory.
>
> Nathan.
>
>
> On Thu, Feb 23, 2012 at 10:12 PM, <jwm.art.net at gmail.com> wrote:
>>
>> I think it's shared hosting so don't know who is a valid user or not. But
>> they have ten users in their a/c and several domains. None of the users are
>> named otunnel - who has logged in+out 520 times since 1st feb. I've told the
>> owners to contact dreamhost before I make too many assumptions.
>>
>> Several sites in the a/c have been affected.
>>
>> James
>> Sent using BlackBerry® from Orange
>>
>> -----Original Message-----
>> From: David Halliday <david.halliday at gmail.com>
>> Sender: kent-bounces at mailman.lug.org.uk
>> Date: Thu, 23 Feb 2012 21:16:18
>> To: Kent Linux User Group - General Topics<kent at mailman.lug.org.uk>
>> Reply-To: Kent Linux User Group - General Topics <kent at mailman.lug.org.uk>
>> Subject: Re: [Klug-general] wanted: db advice/crashcourse for helping clean cracked wp site
>>
>> _______________________________________________
>> Kent mailing list
>> Kent at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/kent
>
>
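
Added example, not part of the original thread or anyone's posted code: a static scanner for the multi-level obfuscated PHP described above. It assumes the layers take the common eval(base64_decode('...')) / eval(gzinflate(base64_decode('...'))) form, peels them without executing anything, and reports how many layers each .php file carries. All function names and the sample input are constructed for illustration.

```python
import base64, binascii, re, zlib
from pathlib import Path

# eval(<decoder>(<decoder>('literal'))) using common PHP decode wrappers.
LAYER = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress)\s*\(\s*)+)"
    r"(['\"])([A-Za-z0-9+/=\s]+)\2")
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw deflate stream
    "gzuncompress": zlib.decompress,
}

def peel(source, max_depth=10):
    """Statically unwrap nested eval() layers. Nothing is ever executed."""
    text, depth = source, 0
    while depth < max_depth:
        m = LAYER.search(text)
        if not m:
            break
        data = m.group(3).encode("ascii")
        try:  # PHP applies the innermost wrapper first, so reverse the order
            for name in reversed(re.findall(r"[a-z0-9_]+", m.group(1))):
                data = DECODERS[name](data)
        except (binascii.Error, zlib.error):
            break  # literal is not what the wrappers claim; stop here
        text, depth = data.decode("latin-1"), depth + 1
    return depth, text

def scan(root):
    """Return {relative path: layer count} for PHP files with >= 1 layer."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        depth, _ = peel(path.read_text(encoding="latin-1"))
        if depth:
            hits[str(path.relative_to(root))] = depth
    return hits

def constructed_sample(levels):
    """Constructed test input: a harmless echo wrapped `levels` times."""
    code = "echo 'constructed sample';"
    for _ in range(levels):
        co = zlib.compressobj(wbits=-15)
        blob = base64.b64encode(co.compress(code.encode()) + co.flush()).decode()
        code = f"eval(gzinflate(base64_decode('{blob}')));"
    return "<?php " + code + " ?>"

if __name__ == "__main__":
    print(peel(constructed_sample(3)))
```

A non-zero layer count marks a file for manual review. A zero count does not prove a file is clean, since other obfuscation forms are not matched.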


