[wp-hackers] Weird PHP Injection

Otto otto at ottodestruct.com
Thu Oct 29 19:54:17 UTC 2009


On Thu, Oct 29, 2009 at 2:45 PM, Lew Ayotte - Full Throttle
Development <lew at fullthrottledevelopment.com> wrote:
> I'm not sure if anyone has seen this before... except for this guy:
> http://wordpress.org/support/topic/320918?replies=8
>
> But I just ran into an issue with a client using WP2.8.4. It seems like
> every single file in WP (including themes and plugins) had this injected at
> the top:

In the cases where I've seen all files hit like this, I've always
discovered two things.

1. The server is a shared host (many websites, same server).
2. The server itself is insecure (the web user can easily write to all
the web facing files).

The usual method of entry is for some site (any site) on that shared
server to get hacked. The attacker then runs a piece of code which
simply recursively searches all sites on that system and adds its
malicious code to them all that fit some pattern (like *.php, for
example).

Well set up shared servers don't have this problem. A server running
suPHP, for example, would prevent this sort of attack because the php
processes run under the user account, not the generic web account. So
when the attacker gains privileges, he's running as the generic user
who doesn't have the same kind of access that the "web" user does.

My advice: Switch hosts. A host that can't properly configure their
systems is not one worth sticking with.

-Otto
Sent from Memphis, TN, United States
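A defender-side check for the two conditions Otto describes, added here as an example and not part of the thread: a POSIX shell script that lists PHP files under a web root whose permission bits let the web-server account overwrite them (world-, owner- or group-writable), plus PHP files modified within the last N days, which is the trace a mass injection across every file leaves behind. The web account name and group, the demo tree and the use of the current user as a stand-in for the web account are all assumptions of this example.

```shell
#!/bin/sh
# Audit a web root for PHP files the web-server account could rewrite.
# Usage on a real host (assumed account names): find_writable_php /var/www www-data www-data

# List *.php files under $1 that user $2 (primary group $3) can write to:
# world-writable, owned by $2 with the owner-write bit, or owned by $3 with the group-write bit.
find_writable_php() {
  root=$1; user=$2; group=$3
  find "$root" -type f -name '*.php' \
    \( -perm -o=w -o \( -user "$user" -perm -u=w \) -o \( -group "$group" -perm -g=w \) \) \
    -print | sort
}

# Number of writable PHP files; a non-zero value is the cron-job alarm condition.
count_writable_php() { find_writable_php "$@" | wc -l | tr -d ' '; }

# List *.php files under $1 modified within the last $2 days. After a mass injection
# every file in the tree shows up here with nearly the same timestamp.
find_recent_php() { find "$1" -type f -name '*.php' -mtime "-$2" -print | sort; }
count_recent_php() { find_recent_php "$@" | wc -l | tr -d ' '; }

# Constructed demo tree (not a real site). The current user stands in for the
# web account, so any owner-writable file counts as writable by "the web user".
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/demo"
  printf '<?php echo 1;\n' > "$d/index.php"
  printf '<?php echo 2;\n' > "$d/wp-content/plugins/demo/demo.php"
  printf '<?php echo 3;\n' > "$d/wp-config.php"
  chmod 0444 "$d/index.php"                        # read-only: not flagged
  chmod 0666 "$d/wp-content/plugins/demo/demo.php" # world-writable: flagged
  chmod 0644 "$d/wp-config.php"                    # owner-writable by the "web user": flagged
  printf '%s\n' "$d"
}
```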