I found this while browsing WordPress support forum, some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress except class-phpmailer.php. So don’t get confuse by it.

Below is a quick workaround on how you can removed the offending goro spamware injection before Google banned you from the internet pipes.

Workaround

• For temporary disable remote include in php.ini settings.

  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;
  ;;;;;;;;;;;;;;;;;;
  
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  allow_url_fopen = off
  allow_url_include = off
  

• Check your .htaccess for suspicious redirect.
• Find class-mail.php inside “*/wp-includes/” directory and removed it.
• Find the following code inside “*/wp-includes/default_filters.php” and removed it

  add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
  function wpc7c16<>b8466d864eeefd20050625c7775() {
  @include('./wp-includes/class-mail.php');
  if(sizeof($wparr)>0){
  echo "!div id=\"goro\"!";
  foreach($wparr as $k=>$v){
  echo "“.ucwords($v[’key’]).”\n”;
  if($i++==$inum) break;
  }
  echo “!/div!”.$_footer;
  }
  }
  

• Robots.txt Exclusion

  Optional - Prevent googlebot from indexing the static spam page.
  Login to Wordpress Admin > Manage > Files > Other Files → Key in “Robots.txt”. Add the following code.

  User-agent: Googlebot
  Disallow: /*?*
  Disallow: /*?
  

  Refer robots.txt.

Possible WordPress class (suspicious) files that would be tempered

Md5 checksum the following files, compare it with official versions from WordPress Release Archive.

• wp-db.php
• gettext.php

The above methods only remove and disabled the spams links, there is no guarantee that it will protected you from future vulnerabilities. Backup (or export your post using WordPress eXtended RSS -WRX) and perform a full upgrade.

Dec 13, 2007

I just notice this recently. You’ll need to check your site HTTP Header. Most of the hijacked websites doesn’t response with correct HTTP Status Header (400<>500). My guess is they did this to cloak from being crawl by search engine spiders. If you had cleaned all the infected files and your header doesn’t response correctly get a rookit scanner.

Check your website status header, try cloak your browser (UA) as Search Engine Crawler. The following screenshot will show you how to setup this at web-sniffer.net.

This methods may not work if the cloaking scripts used IP base tracking. So try on different user agent string (ie: inoktomi, askjeeves, ia_archiver).

Firefox Browser

You can also override your useragent string with firefox ↓.

about:config → general.useragent.overide = ‘ua strings‘

Wordpress.net.in Backdoor

Extra info

Dec 14, 2007

I did some research at archive.org. It seem our wordpress.net.in Seo Spam has been going on since 2005. The first variant used file_get_contents() PHP functions to retrieve their sources code (A UTF MAP Decoder 1974 Php Class ).

I also found a signature name alxumuk (at MIT & wordpress.net.in). His first historic test can be root back at *.media.mit.edu/~? server (I hide the userid as it may be “false positive”). After my first search on google for alxumuk all the results has been scraped out by Google & “Google alert” so there is no references to this query in Google Index.

My query for file_get_contents include require allintext:1974.* (the UTF decode package) and the signature (alxumuk) will return 403 Forbidden.

As Google Advanced Search blocked “the query” this may confirm that 1974.* (UTF decode) is probably the package for reading the bootstrap for wordpress.net.in backdoor (similar case like perl.santy net worm).

If this is a true Net Worm, I suggest anyone with older versions of Wordpress should removed\ the meta generator tag (Wordpress versions) and disabled XML-RPC(& RSD) for hardening wordpress from remote vectors vulnerabilities.

Wordpress.net.in Doorway

Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/

Backdoor Files

inside wp-includes directory.

• compat.php - (replace with latest version)
• class-mail.php delete

scan & removes all backdoor files and create a .htaccess file inside wp-includes & wp-content/plugins. Then add the following code to disabled directory listing (prevent informations leak & Directory search index).

Options -Indexes

Wordpress.net.in New Partner

Feb 23th 2008, We found a similar signature like wordpress.net.in at qwetro.com (germany). Probably from the same attacker with different agenda.

removes malicious create_function wp_head filters

This are fixes for wordpress.net.in spams header injection.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

The plugin’s can be download at Kaizeku Ban, goro spam injection fixes

Related Posts

• Bluehost HostMonster CEO’s Blog hacked (wordpress.net.in)
• Matt Heaton Bluehost Hostmonster CEO’s Hacked Again - Strike II

External Links

• Websniffer View HTTP Request and Response Header
• Wordpress Support Forum
• National Vulnerability Database Wordpress 2.0 > 2.0.6

Short URL