Free Wordpress EXPLOIT remove utility here

  • ilbb
    Confirmed User
    • May 2005
    • 3025

    #1

    Free Wordpress EXPLOIT remove utility here

    Well, my wordpress blogs were infected by some sort of exploit that allows a hacker to write files to my server and redirect traffic. It's really recommended to check your server for this shit + upgrade to WP 2.51 asap! Here is a handy tool I made to detect infected files + mysql database rows and remove this shit.

    1) download tool here: http://64.15.156.39/remove_exploit.zip
    2) download remove_exploit.zip -> unzip -> upload to your server
    3) edit remove_exploit.php configuration part
    4) login to your server via ssh
    5) chdir to location where remove_exploit.php is located
    6) run the tool: php remove_exploit.php

    notice: you must be logged in as a user who has rights to the files ('root' will work for sure)

    WARNING: USE THIS TOOL AT YOUR OWN RISK
  • bringer
    i have man boobies
    • Jul 2003
    • 13082

    #2
    Liar!!!!!!!!!!!!!
    333-765-551


    • jollyperv
      Confirmed User
      • Nov 2001
      • 3927

      #3
      Rrrrrrrrrrrrrrrrriiiiiiight........


      • Electric Lights
        So Fucking Banned
        • May 2008
        • 224

        #4
        Originally posted by ilbb
        I'm not clicking that.


        • bringer
          i have man boobies
          • Jul 2003
          • 13082

          #5
          that link is broken, try this one instead
          correct link
          333-765-551


          • ilbb
            Confirmed User
            • May 2005
            • 3025

            #6
            PHP script in TXT for paranoids and noobs:

            http://64.15.156.39/remove_exploit.txt
            Last edited by ilbb; 06-04-2008, 01:31 AM.


            • Electric Lights
              So Fucking Banned
              • May 2008
              • 224

              #7
              Originally posted by ilbb
              PHP script in TXT for paranoids and noobs:

              http://64.15.156.39/remove_exploit.txt
              RICK ROLL!


              • ilbb
                Confirmed User
                • May 2005
                • 3025

                #8
                for 110% paranoids, the tool is here:

                <?php
                // Configuration ///////////////////////////////
                $ABS_PATH_TO_WWW_DIR = "/home/www";
                $MYSQL_SERVER        = "localhost";
                $MYSQL_ROOT_USER     = "root";
                $MYSQL_ROOT_PASS     = "password";
                ////////////////////////////////////////////////

                $i = 0; // number of infected objects found

                // Walk the web root; any file whose name contains "pngg" or "jpgg"
                // (the disguised files this exploit drops) is reported and deleted.
                function test($dir) {
                    global $i;
                    if (!$dh = @opendir($dir)) return;
                    while (($obj = readdir($dh)) !== false) {
                        if ($obj == '.' || $obj == '..') continue;
                        $path = $dir . '/' . $obj;
                        if (is_dir($path)) {
                            test($path);
                        } elseif (strpos($obj, "pngg") !== false || strpos($obj, "jpgg") !== false) {
                            echo $path . "...exploit detected\n";
                            $i++;
                            unlink($path); // remove this line for report-only mode
                        } else {
                            echo $path . "...clean\n";
                        }
                    }
                    closedir($dh);
                }

                test($ABS_PATH_TO_WWW_DIR);

                // Database part: delete the bogus 'wordpress_options' row from every
                // options table on the server (mysqli replaces the removed mysql_* API).
                $db = new mysqli($MYSQL_SERVER, $MYSQL_ROOT_USER, $MYSQL_ROOT_PASS);
                if ($db->connect_error) die("Unable to connect to the database.\n");

                $dbs = $db->query("SHOW DATABASES") or die("error fetching database names\n");
                while ($rs = $dbs->fetch_assoc()) {
                    $dbName = $rs['Database'];
                    $db->select_db($dbName) or die("Unable to select database: $dbName\n");
                    $tables = $db->query("SHOW TABLES") or die("error fetching table names\n");
                    while ($rs2 = $tables->fetch_assoc()) {
                        $table = $rs2["Tables_in_" . $dbName];
                        echo "$dbName:$table";
                        // Only tables that have an option_name column can hold the bogus
                        // row; running the DELETE against other tables would just fail.
                        $cols = $db->query("SHOW COLUMNS FROM `$table` LIKE 'option_name'");
                        if ($cols && $cols->num_rows > 0 &&
                            $db->query("DELETE FROM `$table` WHERE option_name='wordpress_options'") &&
                            $db->affected_rows > 0) {
                            echo "...exploit detected\n";
                            $i++;
                        } else {
                            echo "...clean\n";
                        }
                    }
                }
                echo "============================================\n";
                echo "Infected objects: " . $i . "\n";
                ?>


                • ilbb
                  Confirmed User
                  • May 2005
                  • 3025

                  #9
                  Exploit described here: http://wordpress.org/support/topic/169246


                  • Camco
                    Confirmed User
                    • Feb 2008
                    • 137

                    #10
                    Great tool, running it now, thanks ilbb


                    • ilbb
                      Confirmed User
                      • May 2005
                      • 3025

                      #11
                      If you are not sure about the script, you can remove the 'unlink' commands to be 100% safe. The tool will then report if infected files were found.


                      • u-Bob
                        there's no $$$ in porn
                        • Jul 2005
                        • 33063

                        #12
                        well intended but pretty useless. If your box has been compromised there's only 1 thing to do: wipe and reinstall.


                        • potter
                          Confirmed User
                          • Dec 2004
                          • 6559

                          #13
                          hackers suck


                          • Agent 488
                            Registered User
                            • Feb 2006
                            • 22511

                            #14
                            anyone have a better solution?


                            • fluffygrrl
                              So Fucking Banned
                              • May 2006
                              • 2187

                              #15
                              Nice catch.

                              Do you have any idea how you caught it ?


                              • fluffygrrl
                                So Fucking Banned
                                • May 2006
                                • 2187

                                #16
                                And by caught it I mean, how you came to be infected.


                                • Agent 488
                                  Registered User
                                  • Feb 2006
                                  • 22511

                                  #17
                                  trying to find out. was using the latest version of wp - when outdated versions were thought to be the culprit.


                                  • Agent 488
                                    Registered User
                                    • Feb 2006
                                    • 22511

                                    #18
                                    it's only on one of my smaller virtual hosts - so that may be the problem.


                                    • fluffygrrl
                                      So Fucking Banned
                                      • May 2006
                                      • 2187

                                      #19
                                      The big concern is if wp is inherently vulnerable, through some mysql injection or xss issue maybe.


                                      • AlienQ - BANNED FOR LIFE
                                        best designer on GFY
                                        • Mar 2003
                                        • 30307

                                        #20
                                        Originally posted by budsbabes
                                        anyone have a better solution?
                                        Yeah...

                                        Upgrade your current version with the newest one.


                                        • Agent 488
                                          Registered User
                                          • Feb 2006
                                          • 22511

                                          #21
                                          Originally posted by AlienQ
                                          Yeah...

                                          Upgrade your current version with the newest one.
                                          it was the newest one.


                                          • Agent 488
                                            Registered User
                                            • Feb 2006
                                            • 22511

                                            #22
                                            disabling plugins seems to work ... on some of my blogs anyway.


                                            • just a punk
                                              So fuckin' bored
                                              • Jun 2003
                                              • 32393

                                              #23
                                              Originally posted by ilbb
                                              I'm reading it already. Thanks for the link!
                                              Obey the Cowgod


                                              • fluffygrrl
                                                So Fucking Banned
                                                • May 2006
                                                • 2187

                                                #24
                                                I've spent hours poring over this matter, and I have to my satisfaction resolved that

                                                1. The point of infection is template/widget installation.

                                                2. The version number has no bearing. You can get it just as well on 251.

                                                3. It's not an inherent flaw in the wp php/mysql code.


                                                • just a punk
                                                  So fuckin' bored
                                                  • Jun 2003
                                                  • 32393

                                                  #25
                                                  Originally posted by fluffygrrl
                                                  1. The point of infection is template/widget installation.
                                                   Did you find out how exactly they are using this vulnerability? It's very important to know in order to make a universal protection algorithm.
                                                  Obey the Cowgod


                                                  • fluffygrrl
                                                    So Fucking Banned
                                                    • May 2006
                                                    • 2187

                                                    #26
                                                    It's not really a vulnerability per se.

                                                     Upon installing a new template, you grant the code in there the same rights as the wp package. An infected template then alters the wp_footer() hook, wp_head() hook or both, adds some entries in a bogus wp_options entry in the options table, and voila. You're infected.

                                                    Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.

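A report-only scanner, added here as an example and not ilbb's script or any WordPress code, that checks the two indicators ilbb's tool acts on (file names containing pngg/jpgg, a bogus wordpress_options row) plus the trojaned-template pattern fluffygrrl describes in #26. The eval/base64_decode check on code hooked into wp_head/wp_footer is my assumed indicator for "encrypted" theme code, and the sample install it scans is constructed inline.

```python
import os
import re
import tempfile

# Indicators taken from the thread: dropped files whose name contains "pngg"
# or "jpgg", and a bogus 'wordpress_options' row in the WordPress options table.
DISGUISED_NAME = re.compile(r"pngg|jpgg", re.IGNORECASE)
BOGUS_OPTION_NAME = "wordpress_options"
# Assumed indicator (not from the thread): theme code that registers on the
# wp_head/wp_footer hooks and also uses eval/base64-style obfuscation.
HOOK_CALL = re.compile(r"add_action\s*\(\s*['\"](?:wp_head|wp_footer)['\"]")
OBFUSCATION = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(")

def scan_tree(root):
    """Report-only walk of a WordPress install; nothing is deleted."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if DISGUISED_NAME.search(name):
                findings.append((rel, "disguised file name"))
            elif name.lower().endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                if HOOK_CALL.search(src) and OBFUSCATION.search(src):
                    findings.append((rel, "obfuscated code on wp_head/wp_footer"))
    return findings

def scan_options(rows):
    """rows: (option_name, option_value) pairs, e.g. SELECT ... FROM wp_options."""
    return [name for name, value in rows
            if name == BOGUS_OPTION_NAME or OBFUSCATION.search(value)]

def demo():
    """Builds a constructed sample install in a temp dir and scans it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "free-theme")
        os.makedirs(theme)
        with open(os.path.join(theme, "functions.php"), "w") as fh:  # constructed
            fh.write("<?php add_action('wp_footer', 'inject');\n"
                     "function inject() { eval(base64_decode('PLACEHOLDER')); }\n")
        with open(os.path.join(root, "wp-content", "cache.pngg"), "w") as fh:
            fh.write("<?php // constructed stand-in for a dropped file\n")
        files = scan_tree(root)
    options = scan_options([("siteurl", "http://blog.example"),
                            (BOGUS_OPTION_NAME, "<script src=...></script>")])
    return files, options

if __name__ == "__main__":
    for item in demo():
        print(item)
```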

                                                    • just a punk
                                                      So fuckin' bored
                                                      • Jun 2003
                                                      • 32393

                                                      #27
                                                      Originally posted by fluffygrrl
                                                      It's not really a vulnerability per se.

                                                       Upon installing a new template, you grant the code in there the same rights as the wp package. An infected template then alters the wp_footer() hook, wp_head() hook or both, adds some entries in a bogus wp_options entry in the options table, and voila. You're infected.

                                                      Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.
                                                       Aha, so it's done by trojaned templates. One more reason to say: "free stuff is not always good and to always secure".
                                                      Obey the Cowgod


                                                      • fluffygrrl
                                                        So Fucking Banned
                                                        • May 2006
                                                        • 2187

                                                        #28
                                                        Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI.

                                                        If you don't know how to crack your wp template, I've just explained it in my blog.


                                                        • just a punk
                                                          So fuckin' bored
                                                          • Jun 2003
                                                          • 32393

                                                          #29
                                                          Originally posted by fluffygrrl
                                                          Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI.
                                                           Just in case it's free. If you buy a commercial product you should trust the developer or never buy it. However, it would take a really insane "developer" to put an exploit into his own product, because otherwise sooner or later he will be exposed and will lose all his business, reputation and money. It's like shooting yourself in the leg.
                                                          Obey the Cowgod


                                                          • fluffygrrl
                                                            So Fucking Banned
                                                            • May 2006
                                                            • 2187

                                                            #30
                                                            Which reasoning explains why blackhat seo or nigerian scams don't exist.


                                                            • teg0
                                                              Confirmed User
                                                              • Jan 2006
                                                              • 4204

                                                              #31
                                                               I'm 100% against any themes that contain encrypted elements.


                                                              • tranza
                                                                ICQ: 197-556-237
                                                                • Jun 2003
                                                                • 57559

                                                                #32
                                                                Originally posted by bringer
                                                                Liar!!!!!!!!!!!!!
                                                                I agree men!!!
                                                                I'm just a newbie.

