GoFuckYourself.com - Adult Webmaster Forum


ilbb 06-04-2008 02:22 AM

Free Wordpress EXPLOIT remove utility here
 
Well, my WordPress blogs were infected by some sort of exploit that allows a hacker to write files to my server and redirect traffic. It's really recommended to check your server for this shit + upgrade to WP 2.51 ASAP! Here is a handy tool I made to detect infected files + MySQL database rows and remove this shit.

1) download tool here: http://64.15.156.39/remove_exploit.zip
2) download remove_exploit.zip -> unzip -> upload to your server
3) edit remove_exploit.php configuration part
4) login to your server via ssh
5) chdir to location where remove_exploit.php is located
6) run the tool: php remove_exploit.php :thumbsup

notice: you must be logged in as a user who has rights to the files ('root' will work for sure)

WARNING: USE THIS TOOL AT YOUR OWN RISK :2 cents:

bringer 06-04-2008 02:24 AM

Liar!!!!!!!!!!!!!

jollyperv 06-04-2008 02:24 AM

Rrrrrrrrrrrrrrrrriiiiiiight........

Electric Lights 06-04-2008 02:26 AM

Quote:

Originally Posted by ilbb (Post 14275676)

I'm not clicking that.

bringer 06-04-2008 02:27 AM

that link is broken, try this one instead
correct link

ilbb 06-04-2008 02:30 AM

PHP script in TXT for paranoids and noobs:

http://64.15.156.39/remove_exploit.txt

Electric Lights 06-04-2008 02:32 AM

Quote:

Originally Posted by ilbb (Post 14275694)
PHP script in TXT for paranoids and noobs:

http://64.15.156.39/remove_exploit.txt

RICK ROLL!

:1orglaugh

ilbb 06-04-2008 02:34 AM

For 110% paranoids, the tool is here:

Quote:

<?php
// Legacy mysql_* extension (PHP 4/5; removed in PHP 7).

/////////////////////////////////////////////////
$ABS_PATH_TO_WWW_DIR="/home/www";
$MYSQL_SERVER="localhost";
$MYSQL_ROOT_USER="root";
$MYSQL_ROOT_PASS="password";
////////////////////////////////////////////////

$i=0; // number of infected objects found
test($ABS_PATH_TO_WWW_DIR);

// Recursively walk $dir and delete files whose names contain "pngg" or "jpgg".
function test($dir) {
    global $i;
    if (!$dh = @opendir($dir)) return;
    // Compare against false so an entry named "0" does not end the loop early.
    while (($obj = readdir($dh)) !== false) {
        if ($obj=='.' || $obj=='..') continue;
        if (is_dir($dir.'/'.$obj)) {
            test($dir.'/'.$obj);
        } else {
            if ((strpos("x".$obj,"pngg")>0) || (strpos("x".$obj,"jpgg")>0)) {
                echo $dir.'/'.$obj."...exploit detected\n";
                $i++;
                unlink($dir.'/'.$obj);
            } else { echo $dir.'/'.$obj."...clean\n"; }
        }
    }
    closedir($dh);
}

$dbLink = mysql_connect($MYSQL_SERVER, $MYSQL_ROOT_USER, $MYSQL_ROOT_PASS) or die("Unable to connect to the database.");

// For every table in every database, delete rows named 'wordpress_options'.
$sql = "show databases";
$query = mysql_query($sql) or die("error fetching database names");
while ($rs=mysql_fetch_array($query)) {
    mysql_select_db($rs['Database'],$dbLink) or die("Unable to select database: " . $rs['Database']);
    $sql = "show tables";
    $query2 = mysql_query($sql) or die("error fetching table names");
    while ($rs2=mysql_fetch_array($query2)) {
        $key = "Tables_in_" . $rs['Database'];
        echo $rs['Database'].":".$rs2[$key];
        // The query simply fails (affected rows = -1) on tables without an option_name column.
        mysql_query("delete from `".$rs2[$key]."` where option_name='wordpress_options'");
        if (mysql_affected_rows()>0) {echo "...exploit detected\n"; $i++;} else {echo "...clean\n";}
    }
}
echo "============================================\n";
echo "Infected objects: ".$i."\n";
?>

ilbb 06-04-2008 02:36 AM

Exploit described here: http://wordpress.org/support/topic/169246

Camco 06-04-2008 02:45 AM

Great tool, running it now, thanks ilbb

ilbb 06-04-2008 02:49 AM

If you are not sure about the script, you can remove 'unlink' commands to be 100% safe. Tool will then report if infected files were found.
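
A report-only variant of the file sweep discussed above, as an added example that is not ilbb's tool or part of the thread: it lists files matching the script's "pngg"/"jpgg" name markers and records size, mtime and SHA-256 for each, deleting nothing. The function name, manifest fields and sample tree are assumptions constructed for illustration, and matching is case-insensitive, which is broader than the original strpos check.

```php
<?php
// Added example: report-only sweep that records evidence instead of deleting.
// The "pngg"/"jpgg" name markers come from the script in this thread; the
// function name, manifest fields and sample tree are assumptions.

function find_suspect_files(string $root, array $markers = ['pngg', 'jpgg']): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if (!$file->isFile()) {
            continue;
        }
        foreach ($markers as $marker) {
            if (stripos($file->getFilename(), $marker) !== false) {
                $hits[] = [
                    'path'   => $file->getPathname(),
                    'marker' => $marker,
                    'size'   => $file->getSize(),
                    'mtime'  => gmdate('c', $file->getMTime()),
                    'sha256' => hash_file('sha256', $file->getPathname()),
                ];
                break; // one manifest entry per file
            }
        }
    }
    return $hits;
}

// Constructed sample tree so the example runs without touching a real site.
$root = sys_get_temp_dir() . '/wp_sweep_' . uniqid();
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/wp-content/uploads/photo.png", 'benign image bytes');
file_put_contents("$root/wp-content/uploads/banner.jpgg", '<?php /* constructed */');
file_put_contents("$root/wp-content/uploads/icon_pngg.php", '<?php /* constructed */');

$manifest = find_suspect_files($root);
foreach ($manifest as $hit) {
    printf("%s  %s  %d bytes  %s\n", $hit['sha256'], $hit['mtime'], $hit['size'], $hit['path']);
}
printf("Suspect files: %d (nothing was deleted)\n", count($manifest));
```

Keeping the manifest alongside a copy of the flagged files preserves the timestamps and hashes needed to work out when and how the files arrived.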

u-Bob 06-04-2008 04:49 AM

well intended but pretty useless. If your box has been compromised there's only 1 thing to do: wipe and reinstall.

potter 06-04-2008 05:26 AM

hackers suck

Agent 488 06-05-2008 03:51 PM

anyone have a better solution?

fluffygrrl 06-05-2008 09:25 PM

Nice catch.

Do you have any idea how you caught it ?

fluffygrrl 06-05-2008 09:28 PM

And by caught it I mean, how you came to be infected.

Agent 488 06-05-2008 09:30 PM

trying to find out. was using the latest version of wp - when outdated versions were thought to be the culprit.

Agent 488 06-05-2008 09:30 PM

it's only on one of my smaller virtual hosts - so that may be the problem.

fluffygrrl 06-05-2008 09:40 PM

The big concern is if wp is inherently vulnerable, through some mysql injection or xss issue maybe.

AlienQ - BANNED FOR LIFE 06-05-2008 10:28 PM

Quote:

Originally Posted by budsbabes (Post 14285078)
anyone have a better solution?

Yeah...

Upgrade your current version with the newest one.

Agent 488 06-06-2008 06:21 AM

Quote:

Originally Posted by AlienQ (Post 14286592)
Yeah...

Upgrade your current version with the newest one.

it was the newest one.

Agent 488 06-06-2008 06:37 AM

disabling plugins seems to work ... on some of my blogs anyway.

just a punk 06-06-2008 06:38 AM

Quote:

Originally Posted by ilbb (Post 14275706)

I'm reading it already. Thanks for the link!

fluffygrrl 06-06-2008 07:09 AM

I've spent hours poring over this matter, and I have to my satisfaction resolved that

1. The point of infection is template/widget installation.

2. The version number has no bearing. You can get it just as well on 251.

3. It's not an inherent flaw in the wp php/mysql code.

just a punk 06-06-2008 07:59 AM

Quote:

Originally Posted by fluffygrrl (Post 14287524)
1. The point of infection is template/widget installation.

Did you find out how exactly they are using this vulnerability? It's very important to know in order to make a universal protection algorithm.

fluffygrrl 06-06-2008 08:13 AM

It's not really a vulnerability per se.

Upon installing a new template, you grant code in there the same rights as the wp package. An infected template then alters the p_footer() hook, wp_head() hook or both, adds some entries in a bogus wp_options entrace in the options table, and voila. You're infected.

Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.

just a punk 06-06-2008 08:23 AM

Quote:

Originally Posted by fluffygrrl (Post 14287729)
It's not really a vulnerability per se.

Upon installing a new template, you grant code in there the same rights as the wp package. An infected template then alters the p_footer() hook, wp_head() hook or both, adds some entries in a bogus wp_options entrace in the options table, and voila. You're infected.

Moral is, never install code you haven't read. Don't be shy to crack "protected" stuff, especially if it's widgets, templates and the like.

Aha, so it's done by trojaned templates. One more reason to say: "free stuff is not always good and not always secure".

fluffygrrl 06-06-2008 08:33 AM

Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI.

If you don't know how to crack your wp template, I've just explained it in my blog.
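
A pre-install review aid for the "read it before you install it" advice and the hook tampering described in the posts above, as an added example that is not from any poster in the thread: it walks an unpacked theme directory and lists the lines a reviewer should read first. The pattern list is an assumption (common PHP decode/execute primitives plus wp_head/wp_footer hook registration), since the thread does not say how the infected templates were encoded; the sample theme is constructed.

```php
<?php
// Added example: pre-install review aid for an unpacked theme directory.
// The pattern list is an assumption (common PHP decode/execute primitives);
// the thread does not say how the infected templates were encoded.

const REVIEW_PATTERNS = [
    'dynamic execution' => '/\b(eval|assert|create_function)\s*\(/i',
    'decoding routine'  => '/\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'head/footer hook'  => '/add_action\s*\(\s*[\'"]wp_(head|footer)[\'"]/i',
    'long encoded blob' => '/[A-Za-z0-9+\/=]{200,}/',
];

function review_theme(string $themeDir): array
{
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themeDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            foreach (REVIEW_PATTERNS as $label => $regex) {
                if (preg_match($regex, $line)) {
                    $findings[] = [$file->getPathname(), $n + 1, $label];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample theme: one plain template, one with an encoded footer.
$theme = sys_get_temp_dir() . '/theme_review_' . uniqid();
mkdir($theme, 0700, true);
file_put_contents("$theme/index.php", "<?php get_header(); ?>\n<p>Hello</p>\n");
file_put_contents(
    "$theme/footer.php",
    "<?php\nadd_action('wp_footer', 'tpl_credits');\n"
    . "function tpl_credits() { eval(base64_decode('ZWNobyAnY29uc3RydWN0ZWQnOw==')); }\n"
);

foreach (review_theme($theme) as [$path, $lineNo, $label]) {
    printf("%s:%d  %s\n", $path, $lineNo, $label);
}
```

A hit is a pointer to a line worth reading, not a verdict: legitimate themes register wp_head and wp_footer hooks too, so the combination of a hook with decoding or dynamic execution is what deserves the closest look.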

just a punk 06-06-2008 08:43 AM

Quote:

Originally Posted by fluffygrrl (Post 14287784)
Actually, what I say is, encrypted code should never be run. Decrypt, read, consider, install. DRCI.

Only if it's free. If you buy a commercial product you should trust the developer or never buy it. However, it would have to be a really insane "developer" who puts an exploit into his own product, because sooner or later he will be exposed and will lose all his business, reputation and money. It's like shooting yourself in the leg :2 cents:

fluffygrrl 06-06-2008 09:21 AM

Which reasoning explains why blackhat seo or nigerian scams don't exist. :)

teg0 06-06-2008 09:29 AM

I'm 100% against any themes that contain encrypted elements.

tranza 06-06-2008 09:38 AM

Quote:

Originally Posted by bringer (Post 14275681)
Liar!!!!!!!!!!!!!

I agree men!!!


All times are GMT -7. The time now is 08:58 PM.
