Interesting writeup from an Admin that found an exploit installed in a WordPress blog installation. I have found these before, but beware – a lot of experienced crackers will upload this kind of stuff into an install folder of Phpmyadmin or WordPress so that you become convinced the culprit of your attack was a flaw in the popular software when, in reality, your server has more serious issues.

Today I spent many hours grepping logs, checking the file system for new/changed files to figure out how an old WordPress instance was hacked and what had the hacker done there.

Going through the changed files I stumbled upon a php file which had some code prepended. The script had a very long line that started like this:

eval(gzinflate(base64_decode(‘FJ3HcqPsFkUf…

Let’s see the functionality that it has to offer:

• Full blown file manager
• Quick menu for
  • Finding all suid files
  • Finding all sgid files
  • Finding all .htaccess files
  • Finding all writeable folders
  • …
• Interface for the UNIX tool find
• Input field for executing commands as webserver user
• Tools for installing a backdoor
  • Perl/C flavored programs that are downloaded from a Singapore server
  • Compiled/Interpreted – depending what is available
• Processes viewer
• FTP brute force cracker using users from /etc/passwd
• System info (CPU, Memory, installed binaries, passwd file, configuration files)
• SQL dump utility
• Interface for executing PHP code
• Self removal
• Adding a password for the script
• Fancy design!

I’m just amazed. This is way too easy. So this is how it works:

• Lets scan the internet for WordPress installations (automated)
• Look for vulnerable versions (automated)
• Exploit (in this case themes were filled with hidden links – semi automated)
• PROFIT! (automated)

Ohh and here’s the code for c99madshell. It is untested by us and may have it’s own exploits. Use at your own risk.

Read the full article…

Related Posts: On this day...

• Clip of Dark Knight Rises filming today in NYC - 2011
• Avatar Collector's Edition on Blu-ray preorders for $25 shipped - 2010
• TSA official slipped white powder into fliers' bags, told them they'd been caught with coke and were under arrest - 2010
• $2K bounty for free/open Kinect drivers (Microsoft thinks this is illegal!) - 2010
• Botmasters include fake control interface to ensnare security researchers - 2010
• HOWTO: Build a home server in a whisky bottle - 2009
• Love of Shopping is Not a Gene: exposing junk science and ideology in Darwinian Psychology - 2009
• Capitalize on Call Avoidance - 2008
• Vector Magic - 2007