
Editing triggers popup asking for username and password - security breach? (83 posts)

  1. robk30
    Member
    Posted 3 years ago #

    I had this problem on haironthebrain.com but I re-installed wp-includes and it went away. I think the site is still compromised though, as after publishing a post (which has now been removed) we saw the sidebar and some other formatting to be messed up. Will continue to monitor the situation...

  2. physlab
    Member
    Posted 3 years ago #

    I thought I had the "Authentication" problem solved by upgrading to version 2.8.2. After submitting a new blog entry and cleaning up the plugin problems, my blog just vanished. I am not able to access the site through the web or by trying to gain access through three different ftp programs. Did anyone else have this problem? I hope the hacker did not gain access to my username and password, and then change it.

  3. scottop
    Member
    Posted 3 years ago #

    I had many plugin files that were also suffering from this problem. Perhaps they are not causing problems right now, but I'll bet they can be activated.

    To find your infected files, if you have shell access, you can run this command:
    grep -r -l gzinflate .

    This will give you the list of infected files, and ones that legitimately have "gzinflate" in them. The bad ones are easy to spot: they have some text tacked on to the top.

    Here is my list of infected files:
    [daxter]$ grep -r -l gzinflate .
    ./audio/2007/05/pbpost15.mp3
    ./wp-admin/includes/class-pclzip.php
    ./wp-content/plugins/akismet/akismet.php
    ./wp-content/plugins/organizer/plugin_hook.php
    ./wp-content/plugins/podpress/getid3/module.archive.gzip.php
    ./wp-content/plugins/podpress/podpress.php
    ./wp-content/plugins/preach/preach.php
    ./wp-content/plugins/runPHP/runPHP.php
    ./wp-content/plugins/simple-tags/simple-tags.php
    ./wp-content/plugins/tagthis/pclzip.lib.php
    ./wp-content/plugins/tagthis/tagthis.php
    ./wp-content/plugins/future-post.php
    ./wp-includes/class-simplepie.php
    ./wp-includes/http.php

    Interestingly, this is the list of my active plugins, less WP Super Cache. WP Super Cache might have been infected, but I updated when I was trying to fix the problem.

    Since it was the active plugins and not the inactive ones, the hack did not reach the plugin files directly through the file system. It must have some connection to the database or attached when the plugins were accessed.

  4. williscreative
    Member
    Posted 3 years ago #

    Yokima,

    I followed the process you described above, retrieving the 2.6 version of vars.php and saving it over the hacked file.

    Then I tried to save a Test file and got this:

    Warning: Cannot modify header information - headers already sent by (output started at /home/blindfla/public_html/wp-includes/vars.php:73) in /home/blindfla/public_html/wp-includes/pluggable.php on line 770

    I used the back button to return to the Edit Post page, then went to Manage Posts, and found that the post was saved despite the warning. I then tried editing and publishing a draft post following the same process. I got the warning again, but the post published.

    So I seem to be halfway there. I'm not getting the obnoxious pop-up anymore. What action do you suggest about the warning?

    Thanks so much for your trouble-shooting due diligence, Yokima. You rock!

  5. yokima
    Member
    Posted 3 years ago #

    williscreative: did you use vi or some other editor to edit vars.php? Then there may be blank lines or spaces before or after <?php and ?>.

    If you uploaded them via FTP, check the permissions - on my server they are set to 644.

    scottop: Thanks. I found the below to be affected using grep:

    ./wp-content/plugins/tantan-reports/tantan_reports.php
    ./wp-content/plugins/tantan-flickr/flickr.php
    ./wp-content/plugins/breadcrumb.php
    ./wp-content/plugins/stats/stats.php
    ./wp-content/plugins/tantan-spam/plugin.php
    ./wp-content/plugins/search_pages.php
    ./wp-content/plugins/wp-db-backup/wp-db-backup.php
    ./wp-content/plugins/breadcrumb-navigation-xt/breadcrumb-navigation-xt.php
    ./wp-content/plugins/prevent-browse-happy.php
    ./wp-content/plugins/one-click-plugin-updater/oneclick-plugin-updater.php
    ./wp-content/plugins/akismet/akismet.php
    ./wp-content/plugins/audio-player.php
    ./wp-content/plugins/attachment-manager/wp-attachment-manager.php
    ./wp-content/plugins/wordpress-automatic-upgrade/wordpress-automatic-upgrade.php
    ./wp-content/plugins/countposts-v-10-wordpress-plugin/CountPosts.php

    The below seem to have gzinflate as part of their regular code (but check just in case)

    ./wp-content/plugins/one-click-plugin-updater/pclzip.lib.php
    ./wp-content/plugins/wordpress-automatic-upgrade/lib/pclzip.lib.php
    ./wp-includes/js/tinymce/plugins/spellchecker/classes/HttpClient.class.php
    ./wp-admin/includes/class-pclzip.php
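    As an added example (not code from this thread or from WordPress), here is a small triage script that automates the grep-based check scottop and yokima describe above: it flags files whose top carries an eval over gzinflate(base64_decode(...)), separates them from files such as pclzip.lib.php that use gzinflate as part of their regular code, and also catches the stray blank line before <?php that produced williscreative's "headers already sent" warning. The regex, the 4096-byte head window and the sample plugin tree are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Signature of the injected header described in the thread: eval over
# gzinflate(base64_decode(...)). Hypothetical pattern written for this example.
INJECT_RE = re.compile(r"\beval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
HEAD_BYTES = 4096  # the thread reports the payload "tacked on to the top"

def classify(text: str) -> str:
    """Return injected / legit-gzinflate / leading-whitespace / clean for one PHP source."""
    if INJECT_RE.search(text[:HEAD_BYTES]):
        return "injected"
    if "gzinflate" in text.lower():
        return "legit-gzinflate"  # e.g. pclzip.lib.php: review by hand, as yokima notes
    if text != text.lstrip():
        return "leading-whitespace"  # output before <?php -> 'headers already sent'
    return "clean"

def scan_tree(root: Path) -> dict:
    """Return {relative path: verdict} for every non-clean .php file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        verdict = classify(path.read_text(errors="replace"))
        if verdict != "clean":
            findings[path.relative_to(root).as_posix()] = verdict
    return findings

def demo() -> dict:
    """Build a constructed plugin tree (placeholder content, not real malware) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/plugins/akismet").mkdir(parents=True)
    (root / "wp-content/plugins/tagthis").mkdir(parents=True)
    (root / "wp-includes").mkdir()
    # constructed: injected one-liner in front of the plugin's real opening tag
    (root / "wp-content/plugins/akismet/akismet.php").write_text(
        "<?php /**/eval(gzinflate(base64_decode('Q09OU1RSVUNURUQ=')));?>\n"
        "<?php\n/* Plugin Name: Akismet */\n")
    # constructed: legitimate gzinflate call deep inside a zip library
    (root / "wp-content/plugins/tagthis/pclzip.lib.php").write_text(
        "<?php\n" + "// ...\n" * 200 + "$data = gzinflate($compressed);\n")
    # constructed: clean file edited so that a blank line precedes <?php
    (root / "wp-includes/vars.php").write_text("\n<?php\n$is_apache = true;\n")
    (root / "wp-includes/http.php").write_text("<?php\nfunction wp_http() {}\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:18} {path}")
```

Run it against a copy of the site root instead of the constructed tree to get the same three-way split over real files; anything reported as injected should be restored from a known-good copy of the same WordPress version, as mrmist advises.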

  6. ryanve
    Member
    Posted 3 years ago #

    "Magic" attack solved by replacing the vars.php file thanks to yokima and tstalcup. I had 2.8.2 installed, and I replaced the vars.php file with the 2.7 version. And obviously for anyone else who has this problem do not enter your username and password into the authentication popup window.

  7. mrmist
    Forum Janitor
    Posted 3 years ago #

    You really should replace your vars.php with one from the version that you are running. Replacing it with a different version could cause unpredictable errors.

  8. danceadvantage
    Member
    Posted 3 years ago #

    Can anyone describe this corrupted code in the plugins and where to find it? (I'm not a coder and don't know where to look to see if I need to upload new plugins). Thanks.

  9. whooami
    Member
    Posted 3 years ago #

    It's at the top. You cannot miss it.

  10. yokima
    Member
    Posted 3 years ago #

    danceadvantage: here, have a screenshot: http://www.flickr.com/photos/yonghokim/3777646797/sizes/o/

  11. steveabat
    Member
    Posted 3 years ago #

    Running WordPress 2.3.3, replacing the vars.php from a local backup worked for me.

    Anybody have an idea how this happens?

    Thanks for figuring this out.

  12. stefarama
    Member
    Posted 3 years ago #

    whooami cleaned my site and removed the hacked code!! THANK YOU!! Highly recommend!!

  13. mrmist
    Forum Janitor
    Posted 3 years ago #

    If you are running an insecure older version and you simply replace files, be prepared for this to happen again. To help yourselves you should upgrade after you know your site is clean.

  14. ethanator1088
    Member
    Posted 3 years ago #

    I have had the same problem. I went into the Plugin editor and removed the code at the beginning of all of the plugins.

    2 plugins would not let me do it, so I deleted the plugin. Those plugins were "Super Cache" and "Google Site Maps".

    I have deleted the cache, but it is still popping up. My site might need a little time to process the change I have made, but for now I am still waiting.

  15. whooami
    Member
    Posted 3 years ago #

    there was MORE than code inside /wp-includes/var.php and some plugin files on stefarama's site.

    I suggest that those of you that are looking at specific files in order to do a quick and simple 'fix', look at EVERYTHING.

    Like was already said -- if you don't do it right, it doesn't go away.

  16. ethanator1088
    Member
    Posted 3 years ago #

    I went back and took it off the vars.php file and I am ok now. Any plugin that refused the update was deleted. Thank you all so much for the help.

    If it comes back, I'll let you all know.

  17. EMG
    Member
    Posted 3 years ago #

    This might seem like a funny and irrelevant question to ask, but what sort of machine is everyone running who is an admin to their WP?

    Windows? Mac? Linux? Something else?

  18. troutco
    Member
    Posted 3 years ago #

    I'm a mac user... got it today. Macs don't normally acquire viruses, but somehow my wordpress got infected anyway....

    After much trial and error, I went to TOOLS, UPGRADE, and used the automatic reinstall function to reinstall wordpress 2.8.2

    When I reinstalled it, the problem went away. For now. (But I wonder if my plug-ins are corrupted and if this will return.)

    What's the best way to fix the plug-ins if they are involved as well? (Are they separate from the main install?) Please advise.

    I have only two plugins installed:
    Akismet
    Add to Any (which I just upgraded today as well AFTER this happened)

  19. bpbailey@gmail.com
    Member
    Posted 3 years ago #

    I couldn't upgrade through the tools menu, but I went and reinstalled through my Bluehost Simple Scripts module. Things seem to be back to normal (although I'm worried about my plugins).

  20. PamelaLeavey
    Member
    Posted 3 years ago #

    I'm running version 2.82 and I had this issue. Found the vars.php and wp-twitter plugin had the bogus code in them and I copied over them from clean backup.

  21. whooami
    Member
    Posted 3 years ago #

    I'm interested in knowing the hosts for all you folks.

  22. PamelaLeavey
    Member
    Posted 3 years ago #

    One last note - the bogus code appears to be in all the .php files on all my plugins. These can be edited through the admin panel.

  23. pvdj446
    Member
    Posted 3 years ago #

    Same problem here.

    For me it was an RSS feed plugin that had the code; my vars.php seemed ok.

    I just removed the plugin, deactivated all the other plugins, logged off and changed my password, and then activated my plugins one by one.

    It's been 12H so I hope it is solved.

  24. dnr0thwell
    Member
    Posted 3 years ago #

    I had this show up today. I'd made a few changes including installing a new comment-spam plugin (WP-SpamFree) which I thought may have caused it.

    Deactivating it didn't help.

    Doing the auto-upgrade fixed the problem, and I immediately reset the password of the account I had previously tried to publish with when the Magic comment came up.

    Thanks everyone!

  25. yokima
    Member
    Posted 3 years ago #

    whooami Centos 5.3 (VPS env)

  26. Tkres
    Member
    Posted 3 years ago #

    Is the problem scaling elsewhere? Stumbled into this looking for info on Gawker sites being down, or is it just a local (unrelated) issue? Does it start with a PHP insertion or something else going cross site? Logged into Twitter to look up GT and got her tweet immediately after signing up for Smarterware! Baaad timing, but the blog appears safe and clean.

  27. williscreative
    Member
    Posted 3 years ago #

    yokima – thanks for additional advice after my post 2 days ago. I ended up copying vars.php from one of my other sites, also WP 2.6.1. All edit/publish functions working smoothly now.

    whooami – my host is Bluehost

    I do plan to upgrade WP to 2.8.2. I’ve dragged my feet because I prefer dashboard with horizontal nav bar as in WP 2.6. Can anyone recommend a good plugin for customizing the dashboard?

  28. troutco
    Member
    Posted 3 years ago #

    My host is godaddy.com

    By the way -- so far so good, (after doing the automatic reinstall of WP) but I really should check my plug-ins to make sure they won't cause a recurrence.

    What's the easiest way to examine the code of plug-ins and what should you be on the look-out for?

  29. rachelack
    Member
    Posted 3 years ago #

    I was able to get rid of the problem by going into the vars.php and just deleting that huge chunk of code in the very beginning of the script. It was fixed as soon as I saved the edit, hopefully it stays that way.

    Thanks to everyone who posted here, you guys really helped me out. I made sure to reset my password.

  30. iheartbaconsalt
    Member
    Posted 3 years ago #

    I got this for the first time today when I hit Update. I immediately knew something was fishy and changed every domain/blog/etc password to something random and 256-bit (no two passwords were the same for me, but they weren't the best) and googled the problem. Found the funky code in vars.php. The only plugin I use is Akismet. I did a full site backup so I could search for more funky code (no SSH).

    Found in:
    wp-admin/includes/class-pclzip.php
    wp-content/plugins/akismet/akismet.php
    wp-includes/class-simplepie.php
    wp-includes/http.php

    Cleaned them up, but I guess it could come back at any time. Was this fixed in 2.8.3? I just saw the update available a few seconds ago.

Topic Closed

This topic has been closed to new replies.
