Code check (looking for backdoors) (3 posts)

  1. Fedner
    Member
    Posted 1 year ago #

    Hi everybody.
    My wordpress website has been recently hacked: links to the xxxindianxxx website were injected in several files. Unfortunately I don't have a backup to restore (I know, I have been stupid!).
    I cleaned up that links and now seems to be ok. But, besides undesired links, I was looking for backdoors to be sure I am safe. After I've read this article http://ottopress.com/2009/hacked-wordpress-backdoors/
    I performed some searches and I'd like to ask you whether this code is legitimate or not.

    Looking for base64_decode():

    /Users/admin/Sites/AikidoVV/wordpress/wp-content/plugins/jetpack/jetpack.php:
     3308  		}
     3309
     3310: 		$data = json_decode( base64_decode( stripslashes( $_GET['data'] ) ) );
     3311  		$data_filters = array(
     3312  			'state'        => 'opaque',
    
    /Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-feed.php:
      115  		}
      116  		if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
      117: 			$data = base64_decode( $data );
      118  		}
      119  		if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {
    
    /Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-IXR.php:
      301                  break;
      302              case 'base64':
      303:                 $value = base64_decode($this->_currentTagContents);
      304                  $valueFlag = true;
      305                  break;
    
    /Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-wp-atom-server.php:
     1344  		if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
     1345  			list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
     1346: 				explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
     1347  		} else if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
     1348  			// Workaround for setups that do not forward HTTP_AUTHORIZATION
     1349  			// See http://trac.wordpress.org/ticket/7361
     1350  			list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
     1351: 				explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
     1352  		}
     1353  
    
    /Users/admin/Sites/AikidoVV/wordpress/wp-includes/SimplePie/Sanitize.php:
      242  			if ($type & SIMPLEPIE_CONSTRUCT_BASE64)
      243  			{
      244: 				$data = base64_decode($data);
      245  			}

    Looking for strrev():

    /Users/admin/Sites/AikidoVV/wordpress/wp-admin/includes/post.php:
     1017  		$uri = get_page_uri($post);
     1018  		$uri = untrailingslashit($uri);
     1019: 		$uri = strrev( stristr( strrev( $uri ), '/' ) );
     1020  		$uri = untrailingslashit($uri);
     1021  		$uri = apply_filters( 'editable_slug', $uri );
    
    /Users/admin/Sites/AikidoVV/wordpress/wp-includes/SimplePie/gzdecode.php:
      227  			if (current(unpack('S', "\x00\x01")) === 1)
      228  			{
      229: 				$mtime = strrev($mtime);
      230  			}
      231  			$this->MTIME = current(unpack('l', $mtime));

    Thank you in advance.

  2. bcworkz
    Member
    Posted 1 year ago #

    You can check your content against that under the same version at http://core.trac.wordpress.org/browser/tags or simply wipe the wp-admin and wp-includes folders and re-upload from a fresh clean download. Those folders should be identical on all WP installations.

  3. Fedner
    Member
    Posted 1 year ago #

    You can check your content against that under the same version at http://core.trac.wordpress.org/browser/tags or simply wipe the wp-admin and wp-includes folders and re-upload from a fresh clean download. Those folders should be identical on all WP installations.

    Thank you for your suggestions. I think I'll try to re-upload the folders.
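
The comparison suggested in the second post can be automated by hashing every file under wp-admin and wp-includes and diffing the result against an unpacked clean download of the same version. The script below is an added example, not part of the thread or of WordPress; the function names and the sample trees built by `build_demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # folders the reply says match on every install

def hash_tree(root, subdirs=CORE_DIRS):
    """Map relative path -> SHA-256 for every file under the core folders."""
    digests = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_core(site_root, clean_root):
    """Report files that differ from, are absent from, or are missing versus the clean copy."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "extra": sorted(p for p in site if p not in clean),      # files no release ships
        "missing": sorted(p for p in clean if p not in site),
    }

def build_demo():
    """Constructed sample: a clean tree and a site tree with one changed and one added file."""
    base = tempfile.mkdtemp()
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    files = {"wp-admin/includes/post.php": b"<?php // constructed core file A\n",
             "wp-includes/class-feed.php": b"<?php // constructed core file B\n"}
    for root in (clean, site):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
    with open(os.path.join(site, "wp-includes/class-feed.php"), "ab") as fh:
        fh.write(b"// line appended after install\n")
    with open(os.path.join(site, "wp-includes/extra.php"), "wb") as fh:
        fh.write(b"<?php // file that is not in the release\n")
    return site, clean

if __name__ == "__main__":
    site, clean = build_demo()
    for kind, paths in compare_core(site, clean).items():
        print(kind, paths)
```

Unlike a search for `base64_decode()` or `strrev()`, the `extra` list also surfaces files that were added to a core folder regardless of what they contain. Files under wp-content, such as the jetpack.php hit above, are outside this comparison and have to be checked against the plugin's own release.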

Topic Closed

This topic has been closed to new replies.
