Lee Kelleher

My WordPress hacked by c99madshell script

Posted on

After all the excitement of last Friday’s attempted hack on my travelblog, and the subsequent upgrade to WordPress 2.6 – I thought everything was under control.  Boy was I wrong!

A few hours ago I received a blog comment (from a Mr Andrew Wong) on the travelblog:

http://www.lee-and-lucy.com/travelblog/index.php?p=5817

check this out!!

I clicked the link, my jaw dropped!  It wasn’t an attempted hack, it was a very successful hack… I felt violated -in a digital sense.  The threat was far from over!

From looking through the WordPress management screens, I couldn’t find a blog post with the ID #5817.  I opened up phpMyAdmin to see if it was in the database; nope, nada, nothing!

I wanted to see the extend of the problem, so I googled “site:lee-and-lucy.com“, and found a “lot” of pages… oh yes, LOTS OF SPAM!

To say the least, I was furious!  I wanted to; a. resolve this asap; b. find out how this happened; c. cause pain to this would-be hacker!  Obviously, option c. goes against my good karma nature, but they digitally violated my site; sticking spam in places that spam should never go!!! Furious I tell you!

Digging through my WordPress files, I find a PHP script in my theme folder called “simple.php“; it contains a nested “eval(gzinflate(base64_encode()))” string.  Very suspect. I try to manually decrypt the string, (replacing the eval with an echo), but it’s nested a few levels deep… so I found a snippet of code that would easily decode/decrypt it.

The script turned out to be a modified version of c99madshell, specifically focused on WordPress hi-jacks.  The script tries to inject a small trojan code into one of the core WP files (for me it was the “wp-blog-header.php“).  I removed the hi-jacked code, along with the “simple.php” file (from my theme folder) – then re-upgraded to the latest WordPress (2.6) … just to overwrite any other tampered files.

Hopefully this should be the end of this matter (until next time) ….  I’ll be keeping a careful eye on my WordPress installations now on.