Recently we’ve found some kind of security issue on our WordPress production site.
This issue gives the intruder access to the theme’s files and lets them change those files.
In our case, there was an eval function added to the file. This function runs any string containing PHP code. There is a parameter that is passed to the function, and this parameter can be assigned any value by sending a POST request directly to the file.
It’s highly likely that intruders use the server’s resources to send spam mail.
There is another result of the injection:
The screenshot above is the main WordPress file.
In the file that was disguised as a favicon we’ve found this:
We’ve found the hacker; he signed the code: fb.com/Dz.Gov.iyade. If you take a look at his Facebook page you can see lists of hacked sites, and all of them run WordPress.
Here is the list of all sites he hacked: [removed by mod; just to reduce exposure because of the eval()]
The funniest thing is that our sites run the latest alpha version of WordPress:
Here is the list of all changed and injected sites:
He also injects code into the plugin files:
The most interesting thing is that all the injections differ from each other, and it is almost impossible to track them by exact signs. We suspect that the malware script randomly injects different files with different types of injections.
We call on all ThemeForest authors to check their themes for this issue!
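As an added example (not code from the original post or from any of the sites it describes), the following Python scanner looks for the two symptoms the post describes: an eval() that runs PHP taken from a POST parameter in a theme or plugin file, and PHP code hidden in a file whose extension says it is something else (the "favicon" case). The sample files it builds under a temporary directory are constructed for the demo; the path names, the regular expressions and the finding labels are all this example's own assumptions, not part of WordPress or of any real theme.

```python
import re
import tempfile
from pathlib import Path

# Constructed detection patterns (assumptions for this example):
# - eval( called from PHP code
# - request superglobals that an attacker controls with a plain POST/GET
# - common wrappers used to hide the payload passed to eval
EVAL_RE = re.compile(r'\beval\s*\(', re.IGNORECASE)
REQUEST_RE = re.compile(r'\$_(POST|GET|REQUEST|COOKIE)\b')
OBFUSCATION_RE = re.compile(r'\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.IGNORECASE)
PHP_OPEN_RE = re.compile(r'<\?php|<\?=')
PHP_EXTENSIONS = {'.php', '.phtml', '.inc'}


def scan_file(path: Path) -> list[str]:
    """Return a list of finding labels for one file (empty when clean)."""
    findings: list[str] = []
    try:
        text = path.read_bytes().decode('utf-8', errors='ignore')
    except OSError:
        return findings
    # Only files that actually contain PHP are interesting; this keeps
    # legitimate JavaScript eval() out of the results.
    if PHP_OPEN_RE.search(text) is None:
        return findings
    if path.suffix.lower() not in PHP_EXTENSIONS:
        findings.append('php-code-in-non-php-file')
    if EVAL_RE.search(text):
        if REQUEST_RE.search(text):
            findings.append('eval-with-request-input')
        elif OBFUSCATION_RE.search(text):
            findings.append('eval-with-obfuscation')
        else:
            findings.append('eval-present')
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress install and map relative path -> findings."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob('*')):
        if path.is_file():
            found = scan_file(path)
            if found:
                results[path.relative_to(root).as_posix()] = found
    return results


# Constructed sample files modelled on the post: a theme file with an eval()
# backdoor fed from a POST parameter, a fake favicon carrying PHP, a clean
# plugin file and a JavaScript file whose eval() must not be reported.
CONSTRUCTED_SAMPLES = {
    'wp-content/themes/demo-theme/functions.php':
        "<?php\n// constructed backdoor: runs whatever PHP arrives in a POST parameter\n"
        "if (isset($_POST['cmd'])) { eval($_POST['cmd']); }\n",
    'favicon.ico':
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
    'wp-content/plugins/demo-plugin/demo.php':
        "<?php\nfunction demo_plugin_init() { return true; }\n",
    'wp-content/themes/demo-theme/script.js':
        "var n = eval('1+1');\n",
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in CONSTRUCTED_SAMPLES.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(body, encoding='utf-8')
        return scan_tree(root)


if __name__ == '__main__':
    for rel_path, labels in demo().items():
        print(f'{rel_path}: {", ".join(labels)}')
```

Run it against a real install with `scan_tree(Path('/path/to/wordpress'))`; a hit on 'eval-with-request-input' or 'php-code-in-non-php-file' is worth a manual look, but, as the post notes, the injections vary, so treat the patterns as a starting point and compare suspicious files against a clean copy of the theme rather than relying on the scanner alone.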