Free Wordpress EXPLOIT remove utility here - GoFuckYourself.com

ilbb · 06-04-2008, 02:22 AM

Well my wordpress blogs were infected by some sort of exploit that allows hacker write files to my server and redirect traffic. It's really recommend to check your server for this shit+ upgrade to WP 2.51 asp! Here is handy tool I made to detect infected files + mysql database rows and remove this shit.

1) download tool here: http://64.15.156.39/remove_exploit.zip
2) download remove_exploit.zip -> unzip -> upload to your server
3) edit remove_exploit.php configuration part
4) login to your server via ssh
5) chdir to location where remove_exploit.php is located
5) run the tool: php remove_exploit.php

notice: you must be logged as user who has rights to the files ('root' will work for sure)

WARNING: USE THIS TOOL ON YOUR OWN RISK

bringer · 06-04-2008, 02:24 AM

Liar!!!!!!!!!!!!!

jollyperv · 06-04-2008, 02:24 AM

Rrrrrrrrrrrrrrrrriiiiiiight........

Electric Lights · 06-04-2008, 02:26 AM

Quote:

Originally Posted by ilbb

1) download tool here: http://64.15.156.39/remove_exploit.zip

I'm not clicking that.

bringer · 06-04-2008, 02:27 AM

that link is broken, try this one instead
correct link

ilbb · 06-04-2008, 02:30 AM

PHP script in TXT for paranoids and noobs:

http://64.15.156.39/remove_exploit.txt

Electric Lights · 06-04-2008, 02:32 AM

Quote:

Originally Posted by ilbb

PHP script in TXT for paranoids and noobs:

http://64.15.156.39/remove_exploit.txt

RICK ROLL!

ilbb · 06-04-2008, 02:34 AM

for 110% paranoids is tool here:

Quote:

<?

/////////////////////////////////////////////////
$ABS_PATH_TO_WWW_DIR="/home/www";
$MYSQL_SERVER="localhost";
$MYSQL_ROOT_USER="root";
$MYSQL_ROOT_PASS="password";
////////////////////////////////////////////////

$i=0;
test ($ABS_PATH_TO_WWW_DIR);

function test($dir) {
global $i;
if(!$dh = @opendir($dir)) return;
while (($obj = readdir($dh))) {
if($obj=='.' || $obj=='..') continue;
if (is_dir($dir.'/'.$obj)) {
test($dir.'/'.$obj);
} else {
if ( (strpos("x".$obj,"pngg")>0) || (strpos("x".$obj,"jpgg")>0)) {
echo $dir.'/'.$obj."...exploit detected\n";
$i++;
unlink ($dir.'/'.$obj);
} else { echo $dir.'/'.$obj."...clean\n";}
}
}
}

$dbLink = mysql_connect($MYSQL_SERVER, $MYSQL_ROOT_USER, $MYSQL_ROOT_PASS) or die("Unable to connect to the database.");

$sql = "show databases";
$query = mysql_query($sql) or die("error fetching database names");
while ($rs=mysql_fetch_array($query)) {
mysql_select_db($rs['Database'],$dbLink) or die("Unable to select database: " . $rs['Database']);
$sql = "show tables";
$query2 = mysql_query($sql) or die("error fetching table names");
while ($rs2=mysql_fetch_array($query2)) {
$key = "Tables_in_" . $rs['Database'];
echo $rs['Database'].":".$rs2[$key];
mysql_query ("delete from ".$rs2[$key]." where option_name='wordpress_options'");
if (mysql_affected_rows()>0) {echo "...exploit detected\n"; $i++;} else {echo "...clean\n";}
}}
echo "============================================\ n";
echo "Infected objects: ".$i."\n";
?>

ilbb · 06-04-2008, 02:36 AM

Exploit described here: http://wordpress.org/support/topic/169246

Camco · 06-04-2008, 02:45 AM

Great tool, running it now, thanks ilbb

ilbb · 06-04-2008, 02:49 AM

If you are not sure about the script, you can remove 'unlink' commands to be 100% safe. Tool will then report if infected files were found.

u-Bob · 06-04-2008, 04:49 AM

well intended but pretty useless. If your box has been compromised there's only 1 thing to do: wipe and reinstall.

potter · 06-04-2008, 05:26 AM

hackers suck

Agent 488 · 06-05-2008, 03:51 PM

anyone have a better solution?

fluffygrrl · 06-05-2008, 09:25 PM

Nice catch.

Do you have any idea how you caught it ?

fluffygrrl · 06-05-2008, 09:28 PM

And by caught it I mean, how you came to be infected.

Agent 488 · 06-05-2008, 09:30 PM

trying to find out. was using the latest version of wp - when outdated versions were thought to be the culprit.

Agent 488 · 06-05-2008, 09:30 PM

it's only on one of my smaller virtual hosts - so that may be the problem.

fluffygrrl · 06-05-2008, 09:40 PM

The big concern is if wp is inherently vulnerable, through some mysql injection or xss issue maybe.

AlienQ - BANNED FOR LIFE · 06-05-2008, 10:28 PM

Quote:

Originally Posted by budsbabes

anyone have a better solution?

Yeah...

Upgrade your current version with the newest one.

Agent 488 · 06-06-2008, 06:21 AM

Quote:

Originally Posted by AlienQ

Yeah...

Upgrade your current version with the newest one.

it was the newest one.

Agent 488 · 06-06-2008, 06:37 AM

disabling plugins seems to work ... on some of my blogs anyway.

just a punk · 06-06-2008, 06:38 AM

Quote:

Originally Posted by ilbb

Exploit described here: http://wordpress.org/support/topic/169246

I'm reading it already. Thanks for the link!

fluffygrrl · 06-06-2008, 07:09 AM

I've spent hours poring over this matter, and I have to my satisfaction resolved that

1. The point of infection is template/widget installation.

2. The version number has no bearing. You can get it just as well on 251.

3. It's not an inherent flaw in the wp php/mysql code.

just a punk · 06-06-2008, 07:59 AM

Quote:

Originally Posted by fluffygrrl

1. The point of infection is template/widget installation.

Did you find out how exactly they are using this vulnerability? It's very important to know in order to make an universal protection algorithm.

fluffygrrl · 06-06-2008, 08:13 AM

It's not really a vulnerability per se.

Upon installing a new template, you grant code in there same rights as the wp package. An infected template then alters the p_footer() hook, wp_head() hook or both, ads some entries in a bogus wp_options entrace in the options table, and voila. You're infected.

Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.

just a punk · 06-06-2008, 08:23 AM

Quote:

Originally Posted by fluffygrrl

It's not really a vulnerability per se.

Upon installing a new template, you grant code in there same rights as the wp package. An infected template then alters the p_footer() hook, wp_head() hook or both, ads some entries in a bogus wp_options entrace in the options table, and voila. You're infected.

Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.

Aha, so it's done by trojaned templates. One more reason so say: "free stuff is not always good and to always secure".

fluffygrrl · 06-06-2008, 08:33 AM

Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI.

If you don't know how to crack your wp template, I've just explained it in my blog.

just a punk · 06-06-2008, 08:43 AM

Quote:

Originally Posted by fluffygrrl

Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI.

Just in case if it's free. If you buy a commercial product you should trust to the developer or never buy it. However that should be a really insane "developer" who will put an exploit into his own product because otherwise sooner or later he will be exposed and will lose all this business, reputation and the money. It's like a shooting into your own leg

fluffygrrl · 06-06-2008, 09:21 AM

Which reasoning explains why blackhat seo or nigerian scams don't exist.

teg0 · 06-06-2008, 09:29 AM

im 100% against any themes that contain encrypted elements.

tranza · 06-06-2008, 09:38 AM

Quote:

Originally Posted by bringer

Liar!!!!!!!!!!!!!

I agree men!!!

06-04-2008, 02:22 AM	#1
ilbb Confirmed User Industry Role: Join Date: May 2005 Location: EU - Czech republic Posts: 3,025	Free Wordpress EXPLOIT remove utility here Well my wordpress blogs were infected by some sort of exploit that allows hacker write files to my server and redirect traffic. It's really recommend to check your server for this shit+ upgrade to WP 2.51 asp! Here is handy tool I made to detect infected files + mysql database rows and remove this shit. 1) download tool here: http://64.15.156.39/remove_exploit.zip 2) download remove_exploit.zip -> unzip -> upload to your server 3) edit remove_exploit.php configuration part 4) login to your server via ssh 5) chdir to location where remove_exploit.php is located 5) run the tool: php remove_exploit.php notice: you must be logged as user who has rights to the files ('root' will work for sure) WARNING: USE THIS TOOL ON YOUR OWN RISK

06-04-2008, 02:24 AM	#2
bringer i have man boobies Join Date: Jul 2003 Location: van down by the river Posts: 13,082	Liar!!!!!!!!!!!!! __________________ 333-765-551

06-04-2008, 02:27 AM	#5
bringer i have man boobies Join Date: Jul 2003 Location: van down by the river Posts: 13,082	that link is broken, try this one instead correct link __________________ 333-765-551

06-04-2008, 02:30 AM	#6
ilbb Confirmed User Industry Role: Join Date: May 2005 Location: EU - Czech republic Posts: 3,025	PHP script in TXT for paranoids and noobs: http://64.15.156.39/remove_exploit.txt Last edited by ilbb; 06-04-2008 at 02:31 AM..

06-04-2008, 05:26 AM	#13
potter Confirmed User Industry Role: Join Date: Dec 2004 Location: Denver Posts: 6,559	hackers suck __________________

06-04-2008, 02:24 AM	#3
jollyperv Confirmed User Industry Role: Join Date: Nov 2001 Location: NYC Posts: 3,927	Rrrrrrrrrrrrrrrrriiiiiiight........

06-04-2008, 02:36 AM	#9
ilbb Confirmed User Industry Role: Join Date: May 2005 Location: EU - Czech republic Posts: 3,025	Exploit described here: http://wordpress.org/support/topic/169246

06-04-2008, 02:45 AM	#10
Camco Confirmed User Join Date: Feb 2008 Posts: 137	Great tool, running it now, thanks ilbb

06-04-2008, 02:49 AM	#11
ilbb Confirmed User Industry Role: Join Date: May 2005 Location: EU - Czech republic Posts: 3,025	If you are not sure about the script, you can remove 'unlink' commands to be 100% safe. Tool will then report if infected files were found.

06-04-2008, 04:49 AM	#12
u-Bob there's no $$$ in porn Industry Role: Join Date: Jul 2005 Location: icq: 195./568.-230 (btw: not getting offline msgs) Posts: 33,063	well intended but pretty useless. If your box has been compromised there's only 1 thing to do: wipe and reinstall.

06-05-2008, 03:51 PM	#14
Agent 488 Registered User Industry Role: Join Date: Feb 2006 Posts: 22,511	anyone have a better solution?

06-05-2008, 09:25 PM	#15
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	Nice catch. Do you have any idea how you caught it ?

06-05-2008, 09:28 PM	#16
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	And by caught it I mean, how you came to be infected.

06-05-2008, 09:30 PM	#17
Agent 488 Registered User Industry Role: Join Date: Feb 2006 Posts: 22,511	trying to find out. was using the latest version of wp - when outdated versions were thought to be the culprit.

06-05-2008, 09:40 PM	#19
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	The big concern is if wp is inherently vulnerable, through some mysql injection or xss issue maybe.

06-06-2008, 06:37 AM	#22
Agent 488 Registered User Industry Role: Join Date: Feb 2006 Posts: 22,511	disabling plugins seems to work ... on some of my blogs anyway.

06-06-2008, 07:09 AM	#24
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	I've spent hours poring over this matter, and I have to my satisfaction resolved that 1. The point of infection is template/widget installation. 2. The version number has no bearing. You can get it just as well on 251. 3. It's not an inherent flaw in the wp php/mysql code.

06-06-2008, 08:13 AM	#26
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	It's not really a vulnerability per se. Upon installing a new template, you grant code in there same rights as the wp package. An infected template then alters the p_footer() hook, wp_head() hook or both, ads some entries in a bogus wp_options entrace in the options table, and voila. You're infected. Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.

06-06-2008, 08:33 AM	#28
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI. If you don't know how to crack your wp template, I've just explained it in my blog.

06-06-2008, 09:21 AM	#30
fluffygrrl So Fucking Banned Join Date: May 2006 Posts: 2,187	Which reasoning explains why blackhat seo or nigerian scams don't exist.

06-06-2008, 09:29 AM	#31
teg0 Confirmed User Join Date: Jan 2006 Location: Gringo in Puerto Rico Posts: 4,204	im 100% against any themes that contain encrypted elements.