[theme-reviewers] Emergency Call

Chris chris at thematic4you.com
Fri Sep 3 15:34:44 UTC 2010


It's not that easy to create a lesson from this one.

This is the second time that I ran into this worm. The original infection
source is a BuddyPress theme. I had two cases where WPMU installations were
infected. Both owners were testing themes. Unfortunately both cleaned the
systems too fast, so I couldn't get a list of installed themes.

There is no real signature for this worm. You could search for
_check_isactive_widget or $_GET["cperpage"] but everything could be changed
without any problem. Everything else could come directly from a PHP
tutorial.

Maybe the upload script could create a fopen() flag. In this case, we could
check the code for a potential risk.

Chris

From: theme-reviewers-bounces at lists.wordpress.org
[mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of Chip
Bennett
Sent: Friday, 3 September 2010 15:59
To: theme-reviewers at lists.wordpress.org
Subject: Re: [theme-reviewers] Emergency Call

Can you and Chris put together some kind of lesson for the rest of us? Sort
of a "watch out for this kind of thing" that we can learn from?

(I found the second one before you got it pulled from SVN; so at least I can
look at it in the meantime.)

Chip

On Fri, Sep 3, 2010 at 8:56 AM, Otto <otto at ottodestruct.com> wrote:

Actually, I went ahead and removed them from SVN because we don't need
malware of that sort in there.

But if you want a copy, I did save the bad functions.php file, just
for examination later. We may be able to detect this sort of thing in
the uploader and prevent it from uploading.

-Otto

On Fri, Sep 3, 2010 at 8:50 AM, Chip Bennett <chip at chipbennett.net> wrote:
> I'll have to take a look at those tickets.
> Good learning opportunity for the reviewers? (Or an example of why
> security gurus are needed, for a security-review stage of the process?)
> Chip
>
> On Fri, Sep 3, 2010 at 8:45 AM, Otto <otto at ottodestruct.com> wrote:
>>
>> Never mind. I see it. It's in the functions.php file, disguised. Clever.
>>
>> -Otto
>>
>>
>>
>> On Fri, Sep 3, 2010 at 8:42 AM, Otto <otto at ottodestruct.com> wrote:
>> > I'm looking at it now.. Where's the worm? Not finding it.
>> >
>> > -Otto
>> >
>> >
>> >
>> > On Fri, Sep 3, 2010 at 8:07 AM, Chris <chris at thematic4you.com> wrote:
>> >> Tickets #870 and #873
>> >>
>> >>
>> >>
>> >> From: theme-reviewers-bounces at lists.wordpress.org
>> >> [mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of
>> >> Edward Caissie
>> >> Sent: Friday, 3 September 2010 14:47
>> >>
>> >> To: theme-reviewers at lists.wordpress.org
>> >> Subject: Re: [theme-reviewers] Emergency Call
>> >>
>> >>
>> >>
>> >> SVN is a forever land ... without intervention by a "System Admin" as
>> >> far as I know.
>> >>
>> >> We can keep it out of Extend/Themes easy enough but beyond that we do
>> >> not have much control.
>> >>
>> >> What tickets/themes are you referring to?
>> >>
>> >>
>> >> Cais.
>> >>
>> >> On Fri, Sep 3, 2010 at 7:08 AM, Chris <chris at thematic4you.com> wrote:
>> >>
>> >> Indeed .. infecting all installed themes of a blog.
>> >>
>> >>
>> >>
>> >> From: theme-reviewers-bounces at lists.wordpress.org
>> >> [mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of
>> >> Philip M. Hofer (Frumph)
>> >> Sent: Friday, 3 September 2010 13:00
>> >> To: theme-reviewers at lists.wordpress.org
>> >> Subject: Re: [theme-reviewers] Emergency Call
>> >>
>> >>
>> >>
>> >> Oh fricken lovely.
>> >>
>> >> ----- Original Message -----
>> >>
>> >> From: Chris
>> >>
>> >> To: theme-reviewers at lists.wordpress.org
>> >>
>> >> Sent: Friday, September 03, 2010 3:55 AM
>> >>
>> >> Subject: [theme-reviewers] Emergency Call
>> >>
>> >>
>> >>
>> >> Hi,
>> >>
>> >>
>> >>
>> >> - who is able to remove / delete / nuke two themes from the SVN??
>> >>
>> >> - Who is in charge of the scripts running right after theme upload??
>> >>
>> >>
>> >>
>> >> Had an encounter with not so clean themes .. the themes are rejected,
>> >> but need to be removed from the SVN as soon as possible.
>> >>
>> >> In addition I would like to see the upload script filtering for a not
>> >> so nice wormy gift.
>> >>
>> >>
>> >>
>> >> Thanks,
>> >>
>> >>
>> >>
>> >> Chris
>> >>
>> >> _______________________________________________
>> >> theme-reviewers mailing list
>> >> theme-reviewers at lists.wordpress.org
>> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>> >
>
>
>
>
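The detection idea in Chris's message at the top of this thread (have the upload script raise a flag on fopen() rather than rely on names such as _check_isactive_widget or $_GET["cperpage"], which an author can simply change) as an added example. This is not code from the thread, from the WordPress.org theme uploader, or from any of the participants; the scanner, its function and pattern lists, and the sample functions.php are all hypothetical. The sample uses the two strings named in the thread, but its body is constructed only to exercise the checks and is not the file from tickets #870 and #873, whose contents are not on the page. The script runs the same sample twice, once as named and once with both strings renamed, so the name-based check goes quiet on the second run while the behaviour-based flag still fires.

```python
"""Triage scanner for uploaded theme PHP files (added example, hypothetical)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Name-based signatures: the two strings the thread says one "could search for".
# An author defeats this check by renaming, which is the thread's point.
KNOWN_NAMES = ["_check_isactive_widget", '$_GET["cperpage"]']

# Behaviour-based checks: the proposed "fopen() flag", generalised to other
# write-capable and code-executing PHP functions plus request superglobals.
# Renaming does not help here: code that infects other themes still has to
# write files somehow.
BEHAVIOUR_PATTERNS = {
    "file-write": r"\b(fopen|fwrite|fputs|file_put_contents|copy|rename|unlink|chmod|mkdir)\s*\(",
    "code-exec": r"\b(eval|create_function|base64_decode|gzinflate|system|exec|shell_exec|passthru)\s*\(",
    "superglobal": r"\$_(GET|POST|REQUEST|COOKIE)\b",
}


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned file
    kind: str   # "known-name" or one of the BEHAVIOUR_PATTERNS keys
    text: str   # the matched token


def scan_php(src: str) -> list[Finding]:
    """Line-oriented scan. Comments are not stripped, so hits are leads for a reviewer, not verdicts."""
    findings: list[Finding] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name in KNOWN_NAMES:
            if name in line:
                findings.append(Finding(lineno, "known-name", name))
        for kind, pattern in BEHAVIOUR_PATTERNS.items():
            for m in re.finditer(pattern, line):
                findings.append(Finding(lineno, kind, m.group(0)))
    return findings


def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def risk_level(findings: list[Finding]) -> str:
    """'high' when file writes combine with request input or decoding/exec, 'medium' for either alone."""
    kinds = {f.kind for f in findings}
    if "file-write" in kinds and ({"superglobal", "code-exec"} & kinds):
        return "high"
    if "file-write" in kinds or "code-exec" in kinds:
        return "medium"
    return "none"


# Constructed sample: the function name and GET key are the strings named in the
# thread, but the body is made up purely to trigger the checks above.
SAMPLE_AS_NAMED = """<?php
function mytheme_setup() {
    add_theme_support('post-thumbnails');
}
function _check_isactive_widget() {
    $path = $_GET["cperpage"];
    $fh = fopen($path, 'w');
    fwrite($fh, base64_decode($_POST['d']));
    fclose($fh);
}
"""

# The same constructed sample with both names changed: the name check goes
# quiet, the behaviour check does not.
SAMPLE_RENAMED = (SAMPLE_AS_NAMED
                  .replace("_check_isactive_widget", "mytheme_widget_cache")
                  .replace("cperpage", "page"))

# Ordinary theme code for comparison (constructed).
SAMPLE_CLEAN = """<?php
function mytheme_setup() {
    add_theme_support('post-thumbnails');
}
"""

if __name__ == "__main__":
    for label, src in (("as named", SAMPLE_AS_NAMED),
                       ("renamed", SAMPLE_RENAMED),
                       ("clean", SAMPLE_CLEAN)):
        found = scan_php(src)
        print(f"{label}: risk={risk_level(found)} {count_by_kind(found)}")
        for f in found:
            print(f"  line {f.line}: {f.kind} {f.text}")
```

Run as a script it prints the findings for all three samples. The result is a triage priority for the human reviewer rather than an automatic rejection: themes occasionally write files for legitimate reasons (caches, exported option files), and because the scan is line-based it will also flag these function names inside comments, so a "high" hit means "open the file and look", which is exactly the step the thread asks the upload script to prompt.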
