Cleaning Up The “Cannot Redeclare Mess”

Looks like there’s an exploit going around that appears to be similar in nature to the TimThumb vulnerability. If you recently noticed a bunch of “Cannot Redeclare” errors with eval code when browsing your website, chances are you’ve become a victim of this attack. Jeff Starr, co-author of the book Digging Into WordPress, has laid out a series of steps on how you or consultants can clean up the mess that’s left behind. It’s also worth noting a forum thread on the support forums where a number of people have been trying to investigate how this attack works.


  1. It’s really easy to spot on sites using child themes. They put the same code in all theme files, and because of the child/parent relationship, you get the “cannot redeclare” error – cuz the function is in there twice. ;)

    Note this is not a theme vulnerability, rather a server side one (or possibly plugins). Basically they find a way to be able to edit your files – no matter what files they are.


  2. From reading some of the comments on that thread, it appears to be a generic attack aimed at entire servers instead of a WordPress specific attack.

    Notice the mention by some people of the code being in all index.php files? That indicates a process running on the server searching for index.php files and automatically appending code to them, regardless of whether it’s WP or not.

    One guy found a copy of wunderbar emporium on his site as well. Wunderbar emporium is one possible name for a root privilege escalation trick on older Linux kernels (it was also called sock_sendpage null pointer dereferencing, but that name isn’t very interesting).


  3. @Otto – wunderbar_emporium? My Linux is extremely rusty, if this was indeed used, that kind of indicated that ISP had “remote desktop” enabled?
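
The first two comments describe the symptom: one block of code appended to many PHP files, so the same function ends up declared twice once a parent and child theme load together. As an added example (not from the post, the comments or the cleanup guide it mentions), this Python script lists function names declared in more than one `.php` file where every declaring file also calls `eval()`. The sample tree, file names and stub function are constructed, and hits are a triage list rather than a verdict.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Named PHP function declarations; this also matches class methods (a known limitation).
FUNC_DECL = re.compile(r"\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\(")
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)

def scan_tree(root):
    """Map each function name to the .php files declaring it; collect files calling eval()."""
    root = Path(root)
    declared, eval_files = defaultdict(set), set()
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        for name in FUNC_DECL.findall(text):
            declared[name.lower()].add(rel)  # PHP function names are case-insensitive
        if EVAL_CALL.search(text):
            eval_files.add(rel)
    return declared, eval_files

def triage(root):
    """Functions declared in several files, where every declaring file also calls eval()."""
    declared, eval_files = scan_tree(root)
    return {name: sorted(files) for name, files in declared.items()
            if len(files) > 1 and files <= eval_files}

# Constructed sample: a harmless stand-in for the appended block, not the real payload.
INJECTED = "\n<?php function zz_constructed_stub() { eval('return 1;'); } ?>\n"
CLEAN = {
    "parent/index.php": "<?php get_header(); ?>\n",
    "parent/functions.php": "<?php\nfunction parent_setup() {}\n",
    "child/index.php": "<?php get_header(); ?>\n",
    "child/functions.php": "<?php\nfunction child_setup() {}\n",
    "notes/readme.php": "<?php\nfunction parent_setup() {}\n",  # benign duplicate, no eval
}

def demo(infected=("parent/index.php", "parent/functions.php", "child/functions.php")):
    """Write the sample tree to a temp dir, append INJECTED to some files, then triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in CLEAN.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body + (INJECTED if rel in infected else ""), encoding="utf-8")
        return triage(tmp)

if __name__ == "__main__":
    for name, files in demo().items():
        print(f"{name} declared in {len(files)} files: {', '.join(files)}")
```

Point `triage()` at a copy of the web root rather than the live tree, and compare any flagged file against a known-good copy before editing it.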


