03-29-2011, 05:12 PM
Pushcube
It's an XSS exploit. It's simple to fix, so don't panic.

If you have access to your .htaccess file, add the following to prevent it happening:

Code:
RewriteEngine On
# Answer 403 Forbidden when the query string contains base64_encode
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC]
RewriteRule ^(.*)$ ? [F,L]

If you have SSH you can hunt down modified files by:

Code:
grep -r "eval(base64_decode" *

I don't think I should post the infection PHP code here (obviously), but it will appear at the top of all the modified files; you will know it when you see it. Something like this:

PHP Code:
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQblahblahblahblahblahblah etc et etc etc")); 

I'd also update to the latest version of PHP on your server(s) if you haven't already. Hope this helps.
__________________
Server Optimisation - Pentesting - Secure WP Installs.
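Extending the grep from the post above, this added example (not part of the original post) lists each file carrying the `eval(base64_decode(` marker, the line it first appears on, and a decoded text preview of the payload so it can be read without running it. It assumes a POSIX shell with `find`, `grep` and `base64 -d` available; the names `scan_injected` and `make_sample_tree` and the sample files are made up for the illustration.

```shell
#!/bin/sh
# Added example: triage files that carry an eval(base64_decode(...)) injection.
# Nothing is executed; the payload is only decoded to text for review.

MARKER='eval(base64_decode('

# Print "path<TAB>line<TAB>preview" for every file under $1 with the marker.
# Assumes file names contain no newlines.
scan_injected() (
  root=${1:-.}
  find "$root" -type f -exec grep -lF -- "$MARKER" {} + |
  while IFS= read -r file; do
    # First matching line, as "N:text".
    hit=$(grep -nF -- "$MARKER" "$file" | head -n 1)
    line=${hit%%:*}
    # Keep only the literal base64 argument that follows the marker.
    blob=${hit#*"$MARKER"}
    blob=${blob#\"}
    blob=${blob#\'}
    blob=${blob%%[!A-Za-z0-9+/=]*}
    # Decode for reading only; non-printable bytes become spaces.
    preview=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
              tr -c '[:print:]' ' ' | cut -c1-60)
    printf '%s\t%s\t%s\n' "$file" "$line" "${preview:-<no literal payload>}"
  done | sort
)

# Constructed sample tree: one clean file, one file with a harmless marker line.
make_sample_tree() (
  dir=$(mktemp -d) && mkdir -p "$dir/wp"
  printf '<?php\necho "clean";\n' > "$dir/wp/index.php"
  payload=$(printf 'echo "constructed sample";' | base64)
  printf '<?php %s"%s")); ?>\n<?php echo "theme"; ?>\n' \
    "$MARKER" "$payload" > "$dir/wp/footer.php"
  printf '%s\n' "$dir"
)

# Demo on the constructed tree; point scan_injected at a real web root instead.
demo=$(make_sample_tree)
scan_injected "$demo"
rm -rf "$demo"
```

Comparing the reported files against a known-good copy of the site or a backup shows exactly which lines were added.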