PHP create_function()

The new variant from wordpress.net.in & qwetro.com used the “anonymous PHP create_function” to append their spam links on their victim blog. Below is quick patch to disabled the mischievous “create_function” injection on wp_head.

The below code will look for “�lambda_n” function inside wp_head wp_filters array and remove the action hook silently. I assume that any sane developer will never used this unstable PHP function.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

note: This method only disabled the spam link from showing on your blog header. it wont fixed your blog vulnerabilities. your blog still owned thought. Tips → http://wordpress.org/download/

Download

• Note: There is a file embedded within this post, please visit this post to download the file.

Related Articles

• Fixes wordpress.net.in Spam Footer Injection
• Roberto Galoppini’s, Wordpress Spam Injection: ‘Goro’ hacked my blog

Blake Ross

Who's Blake Ross

Excerpt from wikipedia

Blake Aaron Ross is a software developer who is known for his work on the Mozilla web browser; in particular, he started the Mozilla Firefox project with Dave Hyatt, as well as the Spread Firefox project with Asa Dotzler while working as a contractor at the Mozilla Foundation.In 2005, he was nominated for Wired magazine’s top Rave Award, Renegade of the Year, opposite Larry Page, Sergey Brin and Jon Stewart. He was also a part of Rolling Stone magazine’s 2005 hot list.

Image Source, The cover for issue #13.02 (the February 2005 edition) of Wired magazine featuring Blake Ross holding a Firefox globe as part of the lead article, The Firefox Explosion, about the browser’s development history.

HTML Source & ScreenGrab

• blakeross-com-022808-source.txt
• Screenshot taken on Feb 28th, 2008

WordPress Vulnerability

1. Outdated WordPress

   • WordPress 2.0.4 Exploit & Vulnerability

     • Blake’s is running on WordPress 2.0.4 first release on Jul 29th, 2006.
     • wp-db-backup.php directory traversal Rev.4226
     • Mark Jaquith on WordPress 2.0.5 Changelog
   • µ Proxy Cached: blakeross.com WordPress Version (feed)

2. WordPress Core Directory & Plugins Informations Leak

   • View blakeross.com WordPress Core Directory Listing

     Index of /wp-includes
     
      Name Last modified Size Description
     
     [DIR] Parent Directory 25-Dec-2006 01:14 -
     [ ] cache.php 03-Sep-2006 23:52 11k
     [ ] capabilities.php 03-Sep-2006 23:52 11k
     [ ] class-IXR.php 03-Sep-2006 23:52 27k
     [ ] class-pop3.php 03-Sep-2006 23:52 21k
     [ ] class-snoopy.php 03-Sep-2006 23:52 37k
     [ ] classes.php 03-Sep-2006 23:52 51k
     [ ] comment-functions.php 03-Sep-2006 23:52 31k
     [ ] default-filters.php 03-Sep-2006 23:52 5k
     [ ] feed-functions.php 03-Sep-2006 23:52 4k
     [ ] functions-compat.php 03-Sep-2006 23:52 3k
     [ ] functions-formatting..> 03-Sep-2006 23:53 34k
     [ ] functions-post.php 03-Sep-2006 23:53 30k
     [ ] functions.php 03-Sep-2006 23:53 71k
     [ ] gettext.php 03-Sep-2006 23:53 11k
     [DIR] images/ 03-Sep-2006 23:50 -
     [DIR] js/ 03-Sep-2006 23:55 -
     [ ] kses.php 03-Sep-2006 23:55 22k
     [ ] links.php 03-Sep-2006 23:55 20k
     [ ] locale.php 03-Sep-2006 23:55 3k
     [ ] pluggable-functions.php 03-Sep-2006 23:55 17k
     [ ] registration-functio..> 03-Sep-2006 23:55 4k
     [ ] rss-functions.php 03-Sep-2006 23:55 21k
     [ ] streams.php 03-Sep-2006 23:55 4k
     [ ] template-functions-a..> 03-Sep-2006 23:55 5k
     [ ] template-functions-c..> 03-Sep-2006 23:56 13k
     [ ] template-functions-g..> 03-Sep-2006 23:56 21k
     [ ] template-functions-l..> 03-Sep-2006 23:56 15k
     [ ] template-functions-p..> 03-Sep-2006 23:56 15k
     [ ] template-loader.php 03-Sep-2006 23:56 2k
     [ ] vars.php 03-Sep-2006 23:56 3k
     [ ] version.php 03-Sep-2006 23:56 1k
     [ ] wp-db.php 03-Sep-2006 23:56 10k
     [ ] wp-l10n.php 03-Sep-2006 23:56 2k 
     
     Apache/1.3.39 Server at blakeross.com Port 80
     

     µ Proxy Cached: http://blakeross.com/wp-includes/

   • View blakeross.com WordPress Plugins Directory Listing

     Index of /wp-content/plugins
     
      Name Last modified Size Description
     
     [DIR] Parent Directory 27-Sep-2006 22:27 -
     [DIR] akismet/ 03-Sep-2006 23:52 -
     [ ] hello.php 03-Sep-2006 23:52 2k
     [ ] wp-db-backup.php 03-Sep-2006 23:52 30k 
     
     Apache/1.3.39 Server at blakeross.com Port 80
     

     µ Proxy Cached: http://blakeross.com/wp-content/plugins

Hardening Wordpress?

There is 105,000 WordPress blogs leaking their plugins informations for BotNet to scan.

Blackhat SEO targeting High PR WordPress Blog

Blake Ross is not alone, there is similar Spamride cases for the past few months. Below is are few “High PR WordPress Blogs” with similar issues.

Others Popular Victim

• Al Gore’s Blog
• Bluehost Hostmonster CEO’s Blog
• blog.indeed.com
• thinkingphp.org
• floaridablog.org