3 Comments

  1. Andrea_R

    It’s really easy to spot on sites using child themes. They put the same code in all theme files, and because of the child/parent relationship, you get the “cannot redeclare” error – cuz the function is in there twice. ;)

    Note this is not a theme vulnerability, rather a server side one (or possibly plugins). Basically they find a way to be able to edit your files – no matter what files they are.

    Report

  2. Otto

    From reading some of the comments on that thread, it appears to be a generic attack aimed at entire servers instead of a WordPress specific attack.

    Notice the mention by some people of the code being in all index.php files? That indicates a process running on the server searching for index.php files and automatically appending code to them, regardless of whether it’s WP or not.

    One guy found a copy of wunderbar emporium on his site as well. Wunderbar emporium is one possible name for a root privilege escalation trick on older Linux kernels (it was also called sock_sendpage null pointer dereferencing, but that name isn’t very interesting).

    Report

  3. Emil

    @Otto – wunderbar_emporium? My Linux is extremely rusty, if this was indeed used, that kind of indicated that ISP had “remote desktop” enabled?

    Emil

    Report

Comments are closed.

%d bloggers like this: