
Wordpress exploit variant?

If you use Wordpress for blogging, you should make absolutely sure you’ve upgraded to the latest version.

Go do it now. I’ll wait.

I mention this because the Not An Employee blog [offline for the moment] was recently discovered to have been compromised. We’re still doing surgery on the blog itself, since there seems to be a variant of the exploit floating around that we’re trying to identify and contain.

Having spent much of the weekend reading through accounts of the exploit’s signs and symptoms, what we find in this case seems to be unique. Or at least unrecorded elsewhere:

  1. Three files present in the Wordpress blog folder’s root that we didn’t put there:
    1. css.txt, which is base-64 encoded
    2. docbook.txt, also base-64 encoded
    3. A file called Usage, which looks like a wget logfile that culminates in a successful download of docbook.txt from http://mdasla.org/help/css/
  2. No extra javascript or URLs were found in any of the other files in the install
  3. We’re still checking the database to see if anything was touched there
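A triage script along these lines, added here as an example and not the author’s own tooling: it lists every regular file in the webroot that is not on a (hypothetical) clean-install allow-list and labels the base64-encoded blobs and the wget log described above, run against a constructed sample directory rather than a real install.

```python
import base64
import re
import tempfile
from pathlib import Path

# Hypothetical allow-list standing in for a clean install's manifest (a real check would use release checksums).
KNOWN_FILES = {"index.php", "wp-config.php", "wp-login.php", "wp-blog-header.php"}
B64_BODY = re.compile(r"^[A-Za-z0-9+/=\s]+$")

def looks_base64(data: bytes, min_len: int = 32) -> bool:
    """Heuristic: the whole file is base64 alphabet and decodes without error."""
    text = data.decode("ascii", errors="replace").strip()
    if len(text) < min_len or not B64_BODY.match(text):
        return False
    try:
        base64.b64decode(text)
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return False
    return True

def classify(data: bytes) -> str:
    """Label a file the way the post's findings do: encoded blob, wget log, or unknown."""
    if looks_base64(data):
        return "base64-blob"
    if b"saving to:" in data.lower() or b"saved [" in data.lower():
        return "wget-log"
    return "unknown"

def triage_webroot(root: str) -> list:
    """Return (name, label) for every regular file in root not on the allow-list."""
    findings = []
    for path in sorted(Path(root).iterdir()):
        if path.name not in KNOWN_FILES and path.is_file():
            findings.append((path.name, classify(path.read_bytes())))
    return findings

def build_demo_root() -> str:
    """Constructed sample webroot mirroring the three unexpected files from the post."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "css.txt": base64.b64encode(b"<?php /* constructed stand-in for the encoded file */ ?>"),
        "docbook.txt": base64.b64encode(b"constructed second encoded blob " * 3),
        "Usage": b"--12:00:00--  http://example.invalid/help/css/docbook.txt\nSaving to: 'docbook.txt'\n'docbook.txt' saved [128/128]\n",
    }
    for name, body in samples.items():
        Path(root, name).write_bytes(body)
    return root
```

Anything labelled `base64-blob` should be decoded offline and inspected before deciding whether the install can be cleaned or must be rebuilt from a known-good copy.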

I haven’t seen this one before. The current wave of Wordpress exploits seems to involve URL modifications. Any insights? Any more information needed?
