We are seeing a new batch of the rebots.php infections on WordPress, and one thing is intriguing us. On many of the sites we are analysing, WordPress is up to date and no suspicious backdoors or plugins were found. Everything is in order, except for the JavaScript injected inside the theme.
The only thing they have in common is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:
184.22.164.xx - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""
184.22.164.xx - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""
184.22.164.xx - - [22/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""
So it seems someone obtained the wp-admin password and used it to edit the theme. (The 302 on the wp-login.php POST is the redirect WordPress issues after a successful login; a failed attempt re-renders the login form with a 200.) The edit was scripted rather than done through a browser: no CSS or JavaScript files were requested, as they would have been if the wp-admin pages had actually been rendered.
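The pattern above (a successful wp-login.php POST from an address, a POST to theme-editor.php from the same address shortly afterwards, and no CSS or JavaScript requests in between) is easy to hunt for in an access log. The following Python script is an added example, not code from the original post or from any product: it parses Apache combined-format lines, pairs each successful login with a theme-editor POST from the same IP within a window (60 seconds is an assumed default), and counts both the asset requests between them and the failed logins that preceded the success, so it also separates a "single clean login" from one that followed a brute-force run. The log lines are constructed for the example (documentation IP ranges, invented timestamps and sizes) and only mimic the entries quoted in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (Apache combined format). The first three lines mimic the
# entries quoted in the post; the rest are made up to show a browser-driven edit
# (assets loaded) and an edit preceded by failed login attempts.
SAMPLE_LOG = """\
184.22.164.10 - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""
184.22.164.10 - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""
184.22.164.10 - - [29/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""
203.0.113.5 - - [29/Aug/2012:22:10:00 -0300] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2012:22:10:01 -0300] "GET /wp-admin/css/login.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2012:22:10:20 -0300] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2012:22:10:21 -0300] "GET /wp-admin/ HTTP/1.1" 200 50000 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2012:22:10:22 -0300] "GET /wp-admin/load-scripts.php?c=1&load=jquery HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2012:22:10:50 -0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [29/Aug/2012:23:00:00 -0300] "POST /wp-login.php HTTP/1.1" 200 4120 "-" ""
198.51.100.7 - - [29/Aug/2012:23:00:01 -0300] "POST /wp-login.php HTTP/1.1" 200 4120 "-" ""
198.51.100.7 - - [29/Aug/2012:23:00:02 -0300] "POST /wp-login.php HTTP/1.1" 302 - "-" ""
198.51.100.7 - - [29/Aug/2012:23:00:07 -0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Requests a real browser makes while rendering wp-admin pages.
ASSET_RE = re.compile(r"\.(?:css|js)$|/load-(?:scripts|styles)\.php$")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Collapse duplicated slashes (the attacker used "///wp-login.php") and drop the query string.
    e["path"] = re.sub(r"/+", "/", e["target"].split("?", 1)[0])
    e["status"] = int(e["status"])
    return e


def is_login_post(e):
    return e["method"] == "POST" and e["path"].endswith("/wp-login.php")


def is_theme_edit_post(e):
    return e["method"] == "POST" and e["path"].endswith("/wp-admin/theme-editor.php")


def find_theme_edits_after_login(log_text, window_seconds=60):
    """Return one finding per (successful login -> theme-editor POST) pair from the same IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            by_ip[e["ip"]].append(e)

    findings = []
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["time"])
        failed_logins = 0  # failed attempts seen so far from this IP (brute-force indicator)
        for i, e in enumerate(entries):
            if not is_login_post(e):
                continue
            # WordPress answers a correct password with a 302 redirect and a wrong one
            # by re-rendering the login form (200).
            if e["status"] != 302:
                failed_logins += 1
                continue
            assets = 0
            for later in entries[i + 1:]:
                elapsed = (later["time"] - e["time"]).total_seconds()
                if elapsed > window_seconds:
                    break
                if ASSET_RE.search(later["path"]):
                    assets += 1
                if is_theme_edit_post(later):
                    findings.append({
                        "ip": ip,
                        "login_time": e["time"].isoformat(),
                        "edit_time": later["time"].isoformat(),
                        "seconds_to_edit": elapsed,
                        "asset_requests": assets,       # 0 means no browser rendered wp-admin
                        "prior_failed_logins": failed_logins,
                        "user_agent": e["ua"],
                    })
                    break
    return findings


def scripted_edits(findings):
    """Keep only the edits made without any CSS/JS loads, i.e. done by a script, not a browser."""
    return [f for f in findings if f["asset_requests"] == 0]


if __name__ == "__main__":
    for f in scripted_edits(find_theme_edits_after_login(SAMPLE_LOG)):
        print(f)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a finding with asset_requests of 0 and prior_failed_logins of 0 is the "single login, no brute force, scripted theme edit" case described in the post, and the empty user_agent on those lines is one more thing worth filtering on.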
Another interesting point is that on some of these sites we did not identify any brute-force attempts to guess the password, just this single successful login.
Since we do not yet know how these passwords were stolen, we recommend that you change your wp-admin passwords as soon as possible until we have more information (especially if your site has been compromised with the rebots.php injection).