WordPress.org

Ready to get started?Download WordPress

Forums

Dangerous wp-vars.php !? WARNING! (3 posts)

  1. bennyn
    Member
    Posted 4 years ago #

    Hello, I'm using the latest WordPres 2.9.2 and today I noticed a nasty advertisment on my blog. Because my blog normally is free of advertisment I have decided to look for the problem.

    I found a place in my "footer.php" (from my template) where a foreign code was inserted. This code included a file file from "/wp-includes/" called "wp-vars.php". I opened this file in my editor and noticed that the code in there was encrypted with Zend. I also found a file called "wp-version.php" in the same place which has the function of decrypting something with a base64 algorithm. This looked very suspicious to me so I deleted these files. This was really helpful because afterwards the nasty advertisment on my page was removed.

    But as I tried to write a new post on my blog I have noticed another terrible thing... I only get a blank page with a WordPress copyright footer if I try to access "/wp-admin/post-new.php". I searched the web to get some information about this problem and I found some more bloggers who also have this problem. It seems to be a very new problem because all of them had this injection within the last two days and all of them use the latest WordPress version.

    You can see the blog-posts about this problem here:
    http://www.caracasa.de/2010/03/28/ich-wurde-gehackt-2/
    http://www.biggle.de/blog/merkwuerdige-wp-vars-php-im-footer/

    Has somebody already noticed this problem, too?

    Many Greetings from Germany

    Benny

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    You've been hacked. There isn't a wp-vars.php file in WP. Nor a wp-version.php file. And there's no evidence (as yet) that the hackers got in via WP. It could have been through anywhere on the server.

    What to do if you think you've been hacked:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

  3. gregm54
    Member
    Posted 4 years ago #

    Same hack found on my blog 2 days ago. WP 2.9.2 version !

Topic Closed

This topic has been closed to new replies.

About this Topic