I discovered the footer of my blog was showing the number 4294967295. Upon inspection, the regular index.php from WordPress had been tampered with, and this code was added:
// Injected at the top of index.php: registers security_update() as the output-buffer
// callback, so every page WordPress renders passes through it before it is sent.
// The "security update" comment is the attacker's, meant to discourage removal.
ob_start("security_update"); //do not remove this line - important security update!
function security_update($buffer)
{
    $update = '4294967295';
    // If the rendered page contains a closing </html> tag, rewrite it in place.
    if (stristr($buffer, '</html') !== FALSE)
    {
        // Replaces "</html" with "4294967295<html", so the number appears after the page
        // body and the document ends with a stray opening tag. eregi_replace() is a
        // case-insensitive regex replace, deprecated since PHP 5.3 and removed in PHP 7.
        return eregi_replace('</html', $update.'<html', $buffer);
    }
    else
    {
        // No </html> in the buffer: just append the number to the output.
        return $buffer.$update;
    }
}
WordPress 2.6.5 is supposedly a secure version. Needless to say, I updated to WP 2.7, changed all the passwords (cPanel, FTP, email, MySQL and WP users), etc.
Upon audit, it seems that the attacker uploaded the code via FTP (scary!) and I could find no other evidence of tampering. I checked the plugins and users inside the WordPress database, .htaccess files, etc.
I'm still scared and it's hard to believe that the hacker only did this as a warning or first step towards the second part of the hack (no doubt inserting spammy links, redirecting traffic, etc.)
Do you have any pointers as to what to look for and where?
For example, many attacks can be seen in your log that look like site.com/index.php?task=';DROP DATABASE users--
If you see that in your log you know it's a hack attempt, but you might find a system command that was run or FTP information about what happened.
My guess is that this is not a malicious hack but rather someone with WAY too much time on their hands wanting to "prove themselves." Probably this particular number was selected because it is the largest number you can store with 32 bits.
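The log-inspection advice in the reply above, worked through as an added example that is not code from the original thread: a Python scanner that parses Apache combined-format access log lines, URL-decodes the request path and query string (the injection in the reply would normally be logged percent-encoded), and flags the decoded request against a few narrow rules for SQL injection, PHP code in parameters and directory traversal. The log lines and the rule set are constructed for this example; the IP addresses are from the documentation ranges.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format, the default on most shared hosts.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Rules applied to the decoded request. Kept narrow on purpose: a lone quote
# (as in a search for "it's") is far too common in normal traffic to flag alone.
INJECTION_RULES = {
    "sql_comment_terminator": re.compile(r"(--|/\*)\s*$"),
    "sql_keyword": re.compile(r"(?i)\b(union\s+select|drop\s+(table|database)|information_schema|sleep\s*\()"),
    "quote_then_sql": re.compile(r"(?i)['\"]\s*;?\s*(or|and|drop|union|select)\b"),
    "php_code": re.compile(r"(?i)\b(eval|base64_decode|system|passthru|shell_exec)\s*\("),
    "path_traversal": re.compile(r"\.\./"),
}

# Constructed sample log: the attempt from the reply, a traversal probe,
# a harmless search containing an apostrophe, and a command in a plugin parameter.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [10/Dec/2008:03:14:07 +0000] "GET /index.php?task=%27%3BDROP%20DATABASE%20users-- HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Dec/2008:03:14:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2008:03:15:00 +0000] "GET /?s=it%27s+a+test HTTP/1.1" 200 8800 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2008:03:16:12 +0000] "GET /wp-content/plugins/x.php?cmd=system(%27id%27)%3B HTTP/1.1" 200 120 "-" "curl/7.18"',
]


def analyze_request(line: str) -> dict | None:
    """Parse one log line; return its fields plus the rules it triggered,
    or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode before matching: attackers encode, rules are written in clear text.
    decoded = unquote_plus(parts.path)
    if parts.query:
        decoded += "?" + unquote_plus(parts.query)
    hits = [name for name, rx in INJECTION_RULES.items() if rx.search(decoded)]
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": m.group("status"),
        "request": decoded,
        "rules": hits,
    }


def scan_log(lines) -> list[dict]:
    """Only the requests that triggered at least one rule, in log order."""
    return [r for r in (analyze_request(l) for l in lines) if r and r["rules"]]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f'{hit["ip"]} {hit["time"]} {hit["status"]} {hit["request"]} -> {", ".join(hit["rules"])}')
```

A hit tells you which client and which minute to look at; the next step is to pull every line from that IP and that time window, because the request that actually worked (a successful upload, a 200 on a file that should not exist) rarely looks as obvious as the probe that preceded it.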