[wp-hackers] Evaluating impact from yesterday's Trojan'd plugins?

Otto otto at ottodestruct.com
Wed Jun 22 13:05:23 UTC 2011


On Wed, Jun 22, 2011 at 7:59 AM, Doug Stewart <zamoose at gmail.com> wrote:
> Howdy all,
> I was one of the users that blindly updated one of the affected
> plugins (WPtouch). I quickly updated to the recommended clean version
> as soon as I heard about the exploit, but the descriptions of the
> attack thus far have been free of details. I'd like to know more about
> what, if any, of my site's data was compromised and how best to keep
> watch over my sites in case any follow-on exploits are attempted.
>
> Was it simply insertion of spam links in body content, or did it call
> home? Did it send in-flight passwords, or DB contents, or file
> locations, or did it traverse my filesystem to check for other
> potentially-vulnerable software?

It was an insertion of backdoor code. Somebody would have had to later
target your site specifically in order to get anything from it. It
didn't do anything by itself, other than leave a hole open.

Given the timeframe, it's unlikely they got anything out of it. It
didn't really go to that many sites, all told.

-Otto

