Activating Plugins enables malicious code.... (5 posts)

  1. tazatek
    Member
    Posted 2 years ago #

    I've had a client contact me about a site that has been compromised...

    I currently have all plugins de-activated, and the bad code doesn't present itself, but upon activating a plugin (any plugin, even trusted ones) it is enabling some malicious code to be called via the wp_footer() call....

    I've re-uploaded 2.9.1 to overwrite any system files, but it did nothing to help.

    I've searched for such strings as "document.write", "base64" and "decode" without success in identifying where the malicious code is entering the stream.

    When I first got the site back up, my AV alarms went off alerting me to the problem before I could even see it.

    Any thoughts on where else I need to look for this?

    The database is next for me to grep through, but thought I'd get some more opinions first...

    Thanks

    Matt

  2. @mercime
    Member
    Posted 2 years ago #

  3. tazatek
    Member
    Posted 2 years ago #

    Indeed, I'd tried all those things (except to export XML and restart from scratch)

    I'm really wanting to identify WHERE the problem is... DB/Files have all been sorted through, and I'm not identifying any iframe/base64/etc anywhere.

    I only know that when I activate a plugin (any of them) the malicious code shows up.

    I'll be exporting and restarting from scratch, but I'd still like to know where I could be looking for suspect code.

    Thanks

    Matt

  4. @mercime
    Member
    Posted 2 years ago #

    If you already went through all the ways to resolve the hack per all links I gave you, I would go for exporting XML and starting from scratch.

    To make sure that you've got a clean export, open up the XML file and double-check that there are no <script> tags within the XML; there should be none. Then, might I suggest, create a free WordPress.com account and import the clean XML while checking "Include Media Attachment" during the process, which could take more than one import if the file is large. That way, only clean image/media files are imported, and you can delete the whole wp-content folder, which might contain images with backdoor scripts.

    Export XML from WordPress.com and import to new install and include media attachments. Download/install plugins from repository. When all's working well, delete WordPress.com free account to avoid duplication of content.
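
The export check described in post 4 above, as an added example that is not part of the original thread: a scan of a WordPress XML export for `<script>` tags, extended to the `<iframe>` tags the original poster was also searching for, across every field of each item (body, excerpt, comments, meta). The function name and the sample export are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Tags the thread is hunting for: <script> (post 4) and <iframe> (post 3).
SUSPECT = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)

def scan_wxr(xml_text):
    """Return (item title, field, tag) for each suspect tag in an export."""
    # A WordPress export has no DTD before its <rss> root; refuse one so a
    # tampered file cannot feed entity definitions to the parser.
    if "<!doctype" in xml_text.split("<rss", 1)[0].lower():
        raise ValueError("unexpected DOCTYPE in export")
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="(untitled)")
        # Walk every element of the item, not only the post body, so the
        # check does not depend on the export's namespace version.
        for el in item.iter():
            field = el.tag.rsplit("}", 1)[-1]  # drop '{namespace}' prefix
            for m in SUSPECT.finditer(el.text or ""):
                findings.append((title, field, m.group(1).lower()))
    return findings

# Constructed sample export (not taken from the affected site).
SAMPLE = """<rss version="2.0"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:wp="http://wordpress.org/export/1.0/">
<channel>
  <item>
    <title>Hello world</title>
    <content:encoded><![CDATA[<p>Clean post body.</p>]]></content:encoded>
  </item>
  <item>
    <title>About</title>
    <content:encoded><![CDATA[<p>Text</p><SCRIPT src="//example.invalid/x.js"></SCRIPT>]]></content:encoded>
    <wp:comment>
      <wp:comment_content><![CDATA[nice <iframe src="//example.invalid/"></iframe>]]></wp:comment_content>
    </wp:comment>
  </item>
</channel>
</rss>"""

if __name__ == "__main__":
    for title, field, tag in scan_wxr(SAMPLE):
        print(f"{title}: <{tag}> found in {field}")
```

An empty result covers only what the export contains (posts, pages, comments, meta); it says nothing about theme or plugin files or the options table, which are not part of the XML.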

  5. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

Topic Closed

This topic has been closed to new replies.