Upgrade Now. This is why I still prefer HTML.
Script kiddies have awesome tools | dow.ngra.de
From the article (a programmer trying to decipher a weird 1st line of code in a Wordpress file):
After 11 iterations I got the code...
Let's see the functionality that it (the injected code) has to offer:
- Full-blown file manager
- Quick menu for:
  - Finding all suid files
  - Finding all sgid files
  - Finding all htaccess files
  - Finding all writable folders
  - ...
- Interface for the UNIX tool find
- Input field for executing commands as webserver user
- Tools for installing a backdoor
- Perl/C flavoured programs that are downloaded from a Singapore server
- Compiled/Interpreted - depending what is available
- Processes viewer
- FTP brute force cracker using users from /etc/passwd
- System info (CPU, Memory, installed binaries, passwd file, configuration files)
- SQL dump utility
- Interface for executing PHP code
- Self removal
- Adding a password for the script
- Fancy design!
I'm just amazed. This is way too easy. So this is how it works:
- Let's scan the internet for Wordpress installations (automated)
- Look for vulnerable versions (automated)
- Exploit (in this case themes were filled with hidden links - semi-automated)
- PROFIT! (automated)
How to avoid being hacked:
- Keep an eye on your Wordpress installations
- Subscribe to WordPress release emails/RSS and upgrade when needed
- Monitor for changed files (for example, with fcheck)
- Run Apache in chroot to minimize the available software for the Apache user
- Any other ideas?
PS. The script is 2500 lines of code, supports Windows and Linux, and looks great.
Basically, that one line of code pulls a complete remote-administration shell into your server: a web page the attacker can drive from a browser to run commands as the web server user, read your config files and passwd file, and install further backdoors. The rest, as they say, is history.
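What those "11 iterations" look like when done statically, as an added example (this is not code from the post, from dow.ngra.de, or from the shell itself): a Python script that peels the eval(gzinflate(base64_decode(...))) nesting one layer at a time without ever executing it, flags the hallmarks of the decoded shell the article lists (command execution, request-controlled input, /etc/passwd, chmod), and keeps the fcheck-style hash baseline the article recommends. The wrapper shape, the tiny stand-in payload and the sample file tree are assumptions constructed for the example; a real dropper's decoding chain may use other functions, which is why the unwrapper stops rather than guesses on anything it does not recognise.

```python
import base64
import codecs
import hashlib
import os
import re
import zlib

# Constructed stand-in for the 2500-line shell: one line that runs whatever ?c= says.
# Hypothetical payload, kept tiny so the layering stays visible.
INNER = "system($_GET['c']);"


def _gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE: what PHP's gzdeflate() emits and gzinflate() expects."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def wrap_layers(code: str, layers: int) -> str:
    """Nest `code` in N eval(gzinflate(base64_decode("..."))) layers, the way
    these droppers do, so the unwrapper below has something to peel."""
    for _ in range(layers):
        blob = base64.b64encode(_gzdeflate(code.encode())).decode()
        code = f'eval(gzinflate(base64_decode("{blob}")));'
    return "<?php " + code


def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


# PHP decoder name -> Python equivalent. Anything not listed stops the unwrap.
DECODERS = {
    "base64_decode": lambda d: base64.b64decode(d, validate=True),
    "gzinflate": lambda d: zlib.decompress(d, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": _rot13,
}

# eval( fn( fn( ... ("blob") ) ) ) ;  -> group 1: decoder chain, group 2: the blob
LAYER = re.compile(r'eval\s*\(\s*((?:\w+\s*\(\s*)+)["\']([A-Za-z0-9+/=]+)["\']\s*\)+\s*;?')


def unwrap(code: str, max_layers: int = 50):
    """Statically peel eval(decoder(...("blob"))) layers. Returns (code, layers_peeled).
    Nothing is executed; an unknown decoder or a corrupt blob ends the loop.
    Only the decoded payload is kept, the rest of the host file is dropped."""
    peeled = 0
    while peeled < max_layers:
        m = LAYER.search(code)
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))  # outermost decoder first
        data = m.group(2).encode()
        try:
            for fn in reversed(chain):  # apply the innermost decoder first
                data = DECODERS[fn](data)
        except (KeyError, zlib.error, ValueError):
            break
        code = data.decode("utf-8", "replace")
        peeled += 1
    return code, peeled


# Hallmarks from the article: eval of a decoded blob on line 1, and, once decoded,
# the shell's toolbox (command execution, /etc/passwd, chmod, request input).
SHELL_MARKERS = {
    "command execution": r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    "request-controlled input": r"\$_(GET|POST|REQUEST|COOKIE)\b",
    "password file access": r"/etc/passwd",
    "permission changes": r"\bchmod\s*\(",
    "nested eval": r"\beval\s*\(",
}


def triage_first_line(text: str) -> list:
    """Cheap check for the injected first line before any decoding."""
    line = text.splitlines()[0] if text else ""
    reasons = []
    if re.search(r"\beval\s*\(", line) and re.search(
            r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", line):
        reasons.append("eval of decoded blob on line 1")
    if len(line) > 300:
        reasons.append("unusually long first line")
    return reasons


def indicators(code: str) -> set:
    return {name for name, pat in SHELL_MARKERS.items() if re.search(pat, code)}


def snapshot(root: str) -> dict:
    """SHA-256 of every .php file under root, keyed by relative path: the
    fcheck-style baseline. Store it off the box and diff it on a schedule."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_snapshots(old: dict, new: dict) -> dict:
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


if __name__ == "__main__":
    sample = wrap_layers(INNER, 11)
    print("first line flags:", triage_first_line(sample))
    code, n = unwrap(sample)
    print(f"peeled {n} layers ->", code, indicators(code))
```

On a live install, feed the first line of each PHP file to triage_first_line and the whole file to unwrap; anything that peels more than a layer or two, or that shows command execution plus request-controlled input once decoded, deserves a look before it is deleted. Keep the snapshot somewhere the web server user cannot write: the shell has a file manager, so a baseline stored next to the site is one more file it can edit.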
Suggestions to keep Wordpress secure from the comments section:
- Yep, your WordPress files should be read-only. I know this code, I had this too.
- DON'T USE CHMOD -R 777 ON ANYTHING