• Just got off the phone with Fraud Watch International and it seems that a phishing page is being forced into WordPress installations.

    My research over the past hour has uncovered the following:

    Injected within directory /img

    -rw-r--r-- 1 xxxxx psacln 5400 Jun 29 14:31 container-box.gif
    -rw-r--r-- 1 xxxxx psacln 6420 Jun 29 14:31 pcp-box.gif
    -rw-r--r-- 1 xxxxx psacln 5897 Jun 29 14:31 pd-box.gif
    -rw-r--r-- 1 xxxxx psacln 5731 Jun 29 14:31 pdfwl-box.gif
    -rw-r--r-- 1 xxxxx psacln 5928 Jun 29 14:31 poa-box.gif
    drwxr-xr-x 6 xxxxx psacln 4096 Jul 27 14:42 santandernet.com.br <-----
    -rw-r--r-- 1 xxxxx psacln 6222 Jun 29 14:31 server-box.gif
    and also this file zwe15.jpg.php <-----

    Injected within directory /httpdocs/wp-content/plugins

    drwxr-xr-x 6 xxxxx psacln 4096 Jul 27 14:42 santandernet.com.br

    Obviously it does not show within ALL <plugins> within wp-admin as it’s not

    This directory santandernet.com.br had the phishing code within it.

    Next it seems to have randomly placed additional code in this directory:

    Injected within directory /httpdocs/wp-content/themes/modularity/includes/temp

    Modularity is a theme from Graph Paper Press. I’m guessing this injection into a “temp” directory is random but am not 100% sure. It looks like this:

    -rw-r--r-- 1 focus psacln 163918 Jul 30 21:02 connectdbs.php
    -rw-r--r-- 1 focus psacln 4310 Jul 30 21:04 index.php
    drwxr-xr-x 2 focus psacln 4096 Jul 25 17:12 oi
    -rw-r--r-- 1 focus psacln 61750 Jul 31 11:27 xskype.jpg.php

    There was also an oi.zip file which contained the phishing script files seen above.

    Finally, this attack was directed at a bank in Brazil and seems to be using WordPress as a host. The actual phishing page, forward-facing to the web, was https://xxxxx.com/img/apps/santandernet.com.br/

    Unclear if the vulnerability is with WordPress, PHP, both or other.

    In the meantime check your installation for similar activity and hope that WORDPRESS SECURITY FOLKS answer this post with a resolution or guidance.
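Added example, not part of the original post or of WordPress itself: a small Python checker that flags the kinds of artefacts listed above (PHP scripts hiding behind an image extension such as zwe15.jpg.php, a domain-named directory like santandernet.com.br dropped under /img or wp-content, and a zip archive left inside a theme directory) so a site owner can check an installation the way the poster suggests. The SAMPLE listing is constructed from the post's paths, and WATCHED_PARENTS is an assumption about a typical WordPress layout.

```python
import os
import re

# Indicators drawn from the listing in the post above.
DOUBLE_EXT_RE = re.compile(r"\.(?:jpe?g|gif|png|bmp|ico)\.php\d?$", re.IGNORECASE)
DOMAIN_DIR_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,6}$", re.IGNORECASE)
# Assumed site-root-relative directories where a domain-named directory or a zip
# archive has no legitimate reason to exist; adjust for your own layout.
WATCHED_PARENTS = ("img", "wp-content/plugins", "wp-content/themes", "wp-content/uploads")

def _under_watched(parent):
    return any(parent == p or parent.startswith(p + "/") for p in WATCHED_PARENTS)

def classify(relpath, is_dir):
    """Return a reason string if relpath (forward slashes, relative to the site
    root) matches one of the post's indicators, otherwise None."""
    name = os.path.basename(relpath)
    parent = os.path.dirname(relpath)
    if not is_dir and DOUBLE_EXT_RE.search(name):
        return "PHP script hiding behind an image extension"
    if is_dir and DOMAIN_DIR_RE.match(name) and _under_watched(parent):
        return "domain-named directory under " + parent
    if not is_dir and name.lower().endswith(".zip") and _under_watched(parent):
        return "zip archive under " + parent + " (possible kit drop)"
    return None

def scan_listing(entries):
    """Classify an iterable of (relpath, is_dir) pairs; return only the hits."""
    hits = [(p, classify(p, d)) for p, d in entries]
    return [(p, r) for p, r in hits if r]

def scan_tree(root):
    """Walk a real site root on disk and return [(relpath, reason), ...]."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel + "/"
        entries += [(rel + d, True) for d in dirnames]
        entries += [(rel + f, False) for f in filenames]
    return scan_listing(entries)

# Constructed listing reproducing the paths from the post (not a real filesystem).
SAMPLE = [
    ("img/container-box.gif", False),
    ("img/santandernet.com.br", True),
    ("img/zwe15.jpg.php", False),
    ("wp-content/plugins/santandernet.com.br", True),
    ("wp-content/plugins/akismet", True),
    ("wp-content/themes/modularity/includes/temp/connectdbs.php", False),
    ("wp-content/themes/modularity/includes/temp/xskype.jpg.php", False),
    ("wp-content/themes/modularity/includes/temp/oi.zip", False),
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE):
        print(f"{path}: {reason}")
```

Plain .php files such as connectdbs.php are not flagged by name alone; for those, the unexpected location and recent modification times in the listing above are the lead to follow.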

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Security Compromise – 07/27/2012 attack’ is closed to new replies.