Eikonal Blog

2010.04.27

WordPress attacks

Filed under: infosec — sandokan65 @ 13:28

Following a link posted recently in the sci.physics.research USENET newsgroup, I stumbled upon an example of the WordPress exploit that some sites wrote about recently. The web server redirects your browser request to a URL that, in addition to the originally requested URL, has the following string tacked onto its end:

%&evalbase64_decode_SERVERHTTP_EXECCODE.+&%/

The content of that page is:

400 Bad Request
-----------------------------------------------------
nginx

First example (that I have seen) of a hacked WordPress-based blog.
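A log check for the symptom described above, as an added example that is not part of the original post: it scans access-log lines for request URLs carrying the appended string (raw or percent-encoded) and recovers the originally requested URL, which shows which permalinks are affected. The combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Marker tokens from the string quoted in the post; \W* tolerates punctuation between them.
MARKER_RE = re.compile(
    r"[^/\w]*eval\W*base64_decode\W*_SERVER\W*HTTP_EXECCODE.*$", re.IGNORECASE)
# Assumed common/combined log format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode(target, rounds=3):
    """Percent-decode repeatedly so raw, encoded and double-encoded markers look alike."""
    for _ in range(rounds):
        nxt = unquote(target)  # invalid escapes such as "%&" are left untouched
        if nxt == target:
            break
        target = nxt
    return target

def find_marker_hits(lines):
    """Return one dict per logged request whose URL carries the injected suffix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        target = decode(m["target"])
        found = MARKER_RE.search(target)
        if found:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "original_url": target[:found.start()]})
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2010:13:20:01 +0000] "GET /2010/04/hello-world/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [27/Apr/2010:13:20:05 +0000] "GET /2010/04/hello-world/%&evalbase64_decode_SERVERHTTP_EXECCODE.+&%/ HTTP/1.1" 400 166',
    '198.51.100.7 - - [27/Apr/2010:13:21:40 +0000] "GET /about/%25%26evalbase64_decode_SERVERHTTP_EXECCODE.%2B%26%25/ HTTP/1.1" 400 166',
    '198.51.100.7 - - [27/Apr/2010:13:22:02 +0000] "GET /?s=base64_decode HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print(hit)
```

Any hit in your own logs means visitors are being redirected to the modified URLs and the installation should be treated as compromised.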

The discussion at the address http://wordpress.org/support/topic/383414 gives some useful links on that type of hack:

If that’s happening on your blog, then you’ve been hacked.

Make a new backup of your files and database and save that:

Give this a good read:
http://codex.wordpress.org/FAQ_My_site_was_hacked

This is also good and referenced in that article: http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Once you’ve deloused your installation consider hardening your blog using this guide:
http://codex.wordpress.org/Hardening_WordPress
