Klikvp.com Exploite

Even though things are updated regularly on this blog, an iframe based exploit was discovered today. Unlike the previous iframe attack, which came through a SQL injection, this one involved modified theme files. Unlike the previous googlerank.info iframe attack, this one’s payload does not appear to be malicious, rather it is spammy.

There are a few things that point to some level of sophistication in the injection. First off, the code was injected into the end of the header.php file, only on the active theme. Typically, a script kiddy will not bother figuring out which theme is in use and instead will carpet bomb the place with malicious code. Secondly, the modification date on the file matches the last time the header was uploaded from the testbed. No, the testbed’s code was not compromised. This points to a possible Windows exploit (yes the Weblogs.us server still runs on Windows, unfortunately.) as any changes should have caused the modification date and time to update. Finally, rather than having the iframe hidden via CSS, there is a container div which is hidden instead, making it more difficult to have a general CSS rule to expose the iframe.

< div style="display:none" >< iframe src="http://klikvp.com/css/go.php?sid=1" frameborder="0" height="1" width="1" > < iframe > < div >

That is the offending code. Spaces were added to prevent execution. Klikvp is the same as Klikvip which is a known spammer. The tricky sucker is using a wrapping div now. The good news is that WordPress Exploit Scanner will find this, so keeping it around and periodically scanning is a good thing to do. It doesn’t offer dashboard notifications like Iframe-b-gone does but it scans files and other things that Iframe-b-gone does not.

-John Havlik

[end of transmission, stay tuned]

One thought on “Klikvp.com Exploite

  1. Hi, John! How are you?

    I’m here to publicly thank you for developing and releasing the WordPress plug-in “Breadcrumb NavXT”, which I’m currently using at my new project: ZapShows – http://www.zapshows.com

    I’ve written an open letter so you can be sure I’m really grateful for your help. You can read it at the WP Forum: http://wordpress.org/support/topic/194628

    Feel free to spread the word and to tell me your thoughts about the project.

    Take care and keep up the good work.

    Best regards,
    Mateus Moraes

Leave a Reply

Your email address will not be published. Required fields are marked *