• Ma Tasse de Thé

  • Meditations, doubts and illuminations of a tea lover…

Forum
c99Madshell and other backdoors php shell programs

3:46, March 10, 2009

Tim (Guest)

c99Madshell (I think that is the name) seems to be sweeping the net allowing hackers into many php websites. I found c99Madshell or one of its variants inside my wordpress installation today.

c99Madshell works like this… The hacker uploads a file as an image file or something to a CMS (wordpress/moodle/joomla), then browses to that file. And somehow that allows the attacker to call an amazing shell program written in php which then gives him complete control over your server! If you do not have the right php.ini settings, the php script can be off site.

One of my wordpress installations was hacked. There was an upload of the backdoor shell file called "mdl_utf.php" in the upload directory and then a whole load of other stuff and encoded junk in my theme.

Madshell obfuscates its php code, so I recommend those worried to grep for
eval(base64_decode

mdl_utf.php may not be related to wordpress at all. It could have got in initially via Moodle, another CMS I am using that I hear was weak to this type of attack, but moodle uses a data file area that is not browsable above public_html, and since the hacker's shell file was in the uploads section of wp-contents, and it seems to be only my wordpress installation that is corrupted, I am wondering how to stop this happening again.

I am also wondering if there is any connection with Flexible Upload.

To recap the symptoms:
The hacker's shell file was in the uploads area of wp-contents (together with lots of other spam-filled uploads). I am not sure how or where these other spam-filled files were being displayed on the net.
The hackers had added obfuscated code to the current theme starting with eval(base64_decode.
There was also a long list of spammy links added to one theme file and at least one post.
When I went to change the current theme from the wordpress theme editor, I was told that I must enter an authentication (username/password), so the hacker must have changed the wordpress code as well (which again makes me think that I was attacked by a wordpress-dedicated hack). I was using wordpress 2.1.3 and Flexible Upload from about a year ago.

I upgraded wordpress and Flexible Upload completely via FTP.

I hear that setting
allow_url_fopen = Off
in php.ini may help to reduce the risk of this problem.

Any other tips to make sure that no one uploads this sort of malware again?
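One way to automate the grep Tim suggests above, as an added example (not code from the original thread or from any of the products named in it): it walks a WordPress tree, flags obfuscated eval wrappers in any file, and additionally flags PHP code sitting under wp-content/uploads, where uploaded "images" should never be executable source. The directory layout, the sample file contents and the extra gzinflate signature are assumptions made for the demo.

```python
import os
import re
import tempfile

# Signatures a defender can grep for; the first is the one the post recommends.
OBFUSCATION_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
]
PHP_EXTENSIONS = {".php", ".phtml", ".php5"}
UPLOAD_PREFIX = "wp-content/uploads/"   # upload area should never hold PHP code

def scan_site(root):
    """Walk a WordPress tree; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(1024 * 1024)  # first 1 MiB is enough for these checks
            in_uploads = rel.startswith(UPLOAD_PREFIX)
            if in_uploads and os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                findings.append((rel, "php file in uploads"))
            elif in_uploads and b"<?php" in head:  # "image" that is really PHP source
                findings.append((rel, "php code hidden in non-php upload"))
            if any(p.search(head) for p in OBFUSCATION_PATTERNS):
                findings.append((rel, "obfuscated eval wrapper"))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree (not a real site) to exercise scan_site()."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/themes/default/header.php": b"<?php get_header(); ?>\n",
        "wp-content/themes/default/footer.php": b"<?php eval(base64_decode('aGVsbG8='));?>\n",
        "wp-content/uploads/2009/03/mdl_utf.php": b"<?php /* constructed stand-in */ ?>\n",
        "wp-content/uploads/2009/03/photo.jpg": b"<?php echo 1; ?>",
        "wp-content/uploads/2009/03/real.jpg": b"\xff\xd8\xff\xe0 JFIF",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, why in scan_site(build_sample_site()):
        print(rel, "-", why)
```

Run it against a real document root by calling scan_site("/path/to/wordpress") instead of the sample tree; anything it reports under the uploads area deserves a look even when no signature matches.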


8:17, March 10, 2009

Tim (Guest)

By the way, I think that the attack started with the application of someone to be a user. I thought that our blog actually had a fan and allowed someone to become a subscriber. Had I not been vain enough to presume that someone actually wanted to subscribe and rejected the application, then I think that the user would not have been able to upload the initial script, perhaps as an avatar. But perhaps not. There were very few subscribers. The only one that I remember allowing seems to have joined as a subscriber at about the same time as the attack started.

