Stumbling Toward 'Awesomeness'

A Technical Art Blog

Monday, June 10, 2013

WordPress Malware Massacre

army_of_darkness_02

Some of my friends alerted me to my site being listed in the google malware database a week ago, but I was focusing on E3 and hadn’t had time to look into it. As it turns out, a vulnerability in a wordpress theme that I didn’t even have active allowed a virus to completely hose all sites on my co-located server with spam and random shit.

I wrote a quick python script [dirTools.py] that looks over all files and directories on linux and reports the following:

  • Html infested with twitter iFrame code injection
  • Malicious PHP, and code injected into existing PHP that eval’s strings obfuscated in
    • base_64
    • gzip
    • rot13
  • .htaccess files that change mod_rewrite.c to re-direct your users to bogus sites and internal php files
  • Files with permissions set greater than 664 and folders greater than 755
  • Hidden directories

I wrote this this afternoon and it’s focused on only this specific wordpress malware, it’s just basically some example code that warns of the above, and has two methods to remove PHP and HTML code injections.  Feel free to ask me questions, use at your own risk, by default the fixer methods are commented out, so this only reports issues. With them uncommented; they do make file edits to fix the code injections.

posted by Chris at 1:56 AM  

Powered by WordPress