Watch Out For The Gumblar Botnet

According to the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP-based websites. Back in May of this year, this malicious botnet was responsible for infecting a large number of websites in a short period of time. This time around, however, the Gumblar botnet has buggy code that is causing a number of infected WordPress sites to break.

WordPress is a complex web application that comprises more than 200 .php files. When you open any page, WordPress loads index.php which, in turn, loads many other .php files using the require() function. The WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads the wp-config.php file, which contains database credentials and other important information required for normal operation.

So what happens if both index.php and wp-config.php are infected with the gumblar backdoor scripts? Since Gumblar injects identical backdoor scripts into files on the same site, they’ll have declarations of identically named functions, which PHP doesn’t allow. Hence the “cannot redeclare zsmh() …” error.
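The condition described above can be checked for directly: an added example (not code from the Unmask Parasites post or from WordPress) that lists global function names declared in more than one PHP file of a site. The sample files are constructed, reusing the zsmh() name quoted in the error message with a harmless body.

```python
import re
from collections import defaultdict

# A PHP function declaration. A leading visibility/static keyword marks a
# class method, which may legitimately share its name with methods elsewhere,
# so those are excluded; only global functions trigger "Cannot redeclare".
FUNC_RE = re.compile(
    r'(?P<method>\b(?:public|private|protected|static)\s+)?'
    r'\bfunction\s+&?\s*(?P<name>[A-Za-z_]\w*)\s*\(',
    re.IGNORECASE,
)

def declared_functions(source: str) -> set:
    """Global function names declared in one PHP file (PHP names are
    case-insensitive, so they are normalised to lower case)."""
    return {m.group('name').lower() for m in FUNC_RE.finditer(source)
            if not m.group('method')}

def find_redeclared(files: dict) -> dict:
    """Map each function name declared in more than one file to the sorted
    list of those files. Files that WordPress require()s into the same
    request must not overlap; files that are never loaded together may
    overlap harmlessly (e.g. under function_exists() guards), so treat
    hits as leads to inspect, not proof of infection."""
    seen = defaultdict(set)
    for path, src in files.items():
        for name in declared_functions(src):
            seen[name].add(path)
    return {name: sorted(paths) for name, paths in seen.items()
            if len(paths) > 1}

# Constructed sample site: identical injected declarations in index.php and
# wp-config.php, plus a legitimate file whose method name coincides.
SAMPLE_SITE = {
    'index.php': "<?php function zsmh($a){return $a;} require('./wp-config.php');",
    'wp-config.php': "<?php define('DB_NAME','wp'); function zsmh($a){return $a;}",
    'wp-includes/functions.php':
        "<?php function wp_debug_mode(){}\nclass A{public function zsmh(){}}",
}

if __name__ == '__main__':
    for name, paths in find_redeclared(SAMPLE_SITE).items():
        print(f"{name}() declared in: {', '.join(paths)}")
```

Against a real install, read each .php file under the site root into the dictionary and compare the hits with a clean copy of the same WordPress release.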

One thing not mentioned in the Unmask Parasites post is information regarding which specific versions of WordPress are at risk or are safe to use. I’ve left a comment on the blog post to try and get an answer, but until then, Denis Sinegubko provides detection and removal instructions while also suggesting the use of the WordPress Exploit Scanner, which scans WordPress files for signs of suspicious activity.

Based on the reports of infection, this does not appear to be a WordPress-centric issue that points to a problem with the software itself.
