3 Comments


  1. It’s really easy to spot on sites using child themes. They put the same code in all theme files, and because of the child/parent relationship, you get the “cannot redeclare” error – cuz the function is in there twice. ;)

    Note this is not a theme vulnerability, rather a server side one (or possibly plugins). Basically they find a way to be able to edit your files – no matter what files they are.


  2. From reading some of the comments on that thread, it appears to be a generic attack aimed at entire servers instead of a WordPress specific attack.

    Notice the mention by some people of the code being in all index.php files? That indicates a process running on the server searching for index.php files and automatically appending code to them, regardless of whether it’s WP or not.

    One guy found a copy of wunderbar emporium on his site as well. Wunderbar emporium is one possible name for a root privilege escalation trick on older Linux kernels (it was also called sock_sendpage null pointer dereferencing, but that name isn’t very interesting).


  3. @Otto – wunderbar_emporium? My Linux is extremely rusty, if this was indeed used, that kind of indicated that ISP had “remote desktop” enabled?

    Emil

Comments are closed.