WordPress.org

Ready to get started?Download WordPress

Forums

Fatal error: Cannot redeclare _765258526() (55 posts)

  1. redlinepc
    Member
    Posted 2 years ago #

    Any fix for this?

    Second time my indexs.php has been changed, all the passwords have been changed last time...

  2. lavalink
    Member
    Posted 2 years ago #

    Read saynototheoffice's post above, and use the script at http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html to find errors (The bug files are all in index.phps, in your root directory, wp-content, themes, plugin folders. Then there are 3 in wp-admin, wp-admin/user/, and wp-admin/network/ - it's all pretty consistent).

  3. lavalink
    Member
    Posted 2 years ago #

    Important: I don't know if this is related to this same malware issue or an another hack but check your source code as well. When I did so I found an invisible link on all of my infected WordPress sites to businessactionforafrica.org/?kids

    Though I can't for the life of me figure out what's causing the link or where it's located yet.

  4. redlinepc
    Member
    Posted 2 years ago #

    yes i know that are indexes.php that are hacked only, stupid hack..

  5. altinkum
    Member
    Posted 2 years ago #

    wordpress blogs hacked same here and removed all the codes and delete the theme for fresh installation.

  6. givesuccess
    Member
    Posted 2 years ago #

    So am I right to assume that if the hack got me then all my sites would be infected not just 1 or 2? I checked 3 of 24 sites on my hostgator vps. Should I check each one w/ the bug check php suggested here :
    http://redleg-redleg.blogspot.com/2011/11/malicious-software-hosted-on-nlai.html#more

    I dont want to check each if not needed. Thanks

  7. Adrian
    Member
    Posted 2 years ago #

    We all know we have something in common, WordPress. We also know in this thread that we have a common infection.

    It is important, very important also mention what? web hosting company we are using.

    Some, very few in this thread have mentioned it, but if we do it all in each post, we might discover another aspect we have in common.

    Currently I have 4 Blogs in a shared hosting account, in Hostgator.

    Twenty Eleven Child Theme, and Plugin not installed. Linux Xfce Desktop, and sftp connection. So far I have none of the symptoms.

    Although this seems commercial, I'm interested to know if I'm using a secure web hosting.

    I read that "givesuccess" is using hostgator vps. So would this be? viruses on a PC, or a plugin.

    The more information on our setup, we add to this thread, the sooner we reach our weak point.

  8. marujobhz
    Member
    Posted 2 years ago #

  9. marujobhz
    Member
    Posted 2 years ago #

  10. Emil Uzelac
    Theme Review Admin
    Posted 2 years ago #

  11. givesuccess
    Member
    Posted 2 years ago #

    @adrian2
    the main reason I went to HGator was bc they made some adjustments to fight the timthumb thing. I read this in the forums back when the tt thing was flying around. I have not had the tt probs or this new one either. Maybe I am just lucky and I really should not brag too much.... I might get in future.
    What info might help to find the common thing with all the infected sites?
    Host, themnes, plugins...ect?
    So we can list them in our replies.

  12. Adrian
    Member
    Posted 2 years ago #

    givesuccess, commenting on your first question, in my case I have verified (from browser) that none of my blog shows the error message.

    Then run a search on cPanel, on the top right has a search filter. In this filter I searched some file names that "saynototheoffice", put in his post.

    And finally in the database search by "eval(gzun" according to a comment made on the website (link) that "Emil" has added this morning. (I read that post yesterday).

    Also I'm paranoid, I check each Blog Log at least every other day. I guess when you have lots of blog, a search on some of them is enough.

  13. Adrian
    Member
    Posted 2 years ago #

    I know adding this information adds time and effort that may not have. But every time something like this happens, we should find our weak point faster.

    And the only way is by sharing this information. If we find that weak point, as users can send a strong message, and also data that can be used in evaluation for;
    WordPress.org
    plugin
    browser
    Web Hosting
    and ourselves, to avoid service or use something that is obviously harmful, according to these data.

    ----- This is a proposal on information to be submitted

    Infected
    - positive|negative

    WordPress
    - Version

    Hosting
    - if, shared
    - if, vps
    - if, ds

    Theme
    - in use (name)
    - additional (number)

    Plugins
    - this
    - this
    - this

    Desktop
    - linux|win|mac|.*

    FTP
    - if, sftp|ftp (name)

    Browser (to login)
    - name
    - last version yes|no

    ----- This is my own information

    Infected
    - negative

    WordPress
    - Version 3.2.1

    Hosting
    - shared Hostgator

    Theme
    - in use Twenty Eleven Child Theme
    - additional 1

    Plugins
    - none

    Desktop
    - Linux Xfce Desktop

    FTP
    - sftp gFTP

    Browser (to login)
    - FireFox
    - last version (yes)

  14. givesuccess
    Member
    Posted 2 years ago #

    I did look at my sides in browser and did not see the error/hack. Some said it is on shared hosting but I have vps w/ many of my own sites. It can be considered "shared" hosting. So has anyone had this prob on a vps w/ many sites or is it mainly truly shared hosting. (not vps)?

    This is results of the checking php code suggested:

    ./wp-app.php -> contains base64_decode
    ./d-64test.php -> contains base64_decode
    ./wp-includes/class-simplepie.php -> contains base64_decode
    ./wp-includes/class-IXR.php -> contains base64_decode
    ./wp-content/plugins/sabre/sabre_captcha.php -> contains base64_decode
    Could not check ./wp-content/plugins/sabre/index.php
    Could not check ./wp-content/plugins/all-in-one-seo-pack/aioseop_options.php
    ./wp-content/themes/arras/library/timthumb.php -> contains base64_decode

    When i look tru them they seem to b ok. the only one worries me is the timthumb one but it is up to date so it is ok i guess.

    If infected will the 64* code be at the very bottom only, (of the *.index.*) or can it show in middle of infected files?

  15. givesuccess
    Member
    Posted 2 years ago #

    My info:

    Hosting
    - vps Hostgator

    Theme
    - arras
    - 2022
    - 2010
    - default

    Plugins
    - aioseo
    - sabre
    - context. related post
    - digg digg
    - Easy Privacy Policy
    - gtranslate
    - wp stats (non jetpack)
    - wp page navi
    - check last login
    - akistmet
    - Easy Privacy Policy
    - Google XML Sitemaps
    - CW Image Optimizer

    Desktop
    - win7

    FTP
    - ProFTPD 1.3.4a Server

    Browser (to login)
    - FireFox
    - last version (yes)

    Most of my sites on my vps use same themes & plugins.

  16. liaaz
    Member
    Posted 2 years ago #

    sucuri scan says that my website is also infected by MW:JS:DEPACK

    There is encrypted code in my main ./index.php file, when I remove that the site becomes clear, however after sometime the infection again comes back
    I am on shared hosting and there are multiple sites in my account and all are infected, One site was using timthumb.php which I have updated to latest version now but that does not seem to have made any difference

    what to do ?

  17. Emil Uzelac
    Theme Review Admin
    Posted 2 years ago #

    @liaaz http://www.victorciobanu.com/how-to-remove-mwjsdepack/

    @givesuccess please recheck your plugins because some of them are no longer available here http://wordpress.org/extend/plugins/easy-privacy-policy/. There must be good reason why that plugin is no longer there. Another one WP-Stats updated in 2009!

    @rest:

    1. http://vaultpress.com or similar
    2. Use regularly updated Themes from trusted sources
    3. Plugins from know authors and always up to date
    4. Don't FTP to your server SFTP instead
    5. Scan your local machines regularly as well
    6. Say NO to timthumb.php regardless of how the latest your version is

    If the plugin is Compatible up to: 3.0 don't install it, always check the compatibility first and compare against the latest release.

    Emil

  18. liaaz
    Member
    Posted 2 years ago #

    @Emil
    The link http://www.victorciobanu.com/how-to-remove-mwjsdepack/ mentions that the malware is hidden somewhere in tmp folder, for me it is not hidden, it is right in-front in the ./index.php files
    I can remove the malicious code from index.php and it gets all clear
    However, it again comes back again after couple of minutes

    I need to find out that how the code is being written to the index.php file and how to stop that from happening

  19. liaaz
    Member
    Posted 2 years ago #

    @Emil and Others

    I have found another infected file in my wordpress
    it is wp-includes/js/crop/cropper.php , this file does not exist in original wordpress install
    I don't understand it, however from the looks, it seems to do something with logins and stuff
    here is it http://pastebin.com/SSuq3wL6

  20. givesuccess
    Member
    Posted 2 years ago #

    @Emil
    I know i am bad...lol I said wp-stats and meant to put WordPress.com Stats. It is not current bc I dont want to use the jetpack stuff, I have most of it in with the vr i have now and stats work ok. The privacy plugin is just makes a page for priv policy. I dont really need i guess now bc i dumped goo*le stuff from my sites besides the translation plugin the i like.
    I like the arras theme and i just backup ev day so not worth messing with unless i get a free day or 2 to find a goo 1 i like. I can spend hours looking for themes. O.o
    I am lucky that i hav not been bugged by the t-thumb or this one ....yet. I hope it is bc of having a hg vps. I feel bad for those who did and i try to help here any way i can. :)

  21. Emil Uzelac
    Theme Review Admin
    Posted 2 years ago #

    @givesuccess you're not bad, these are just things to look for when problems occur that's all :)

  22. liaaz
    Member
    Posted 2 years ago #

    any suggestion guys that how can I find the code/process which keeps on overwriting my inde.php files ?

  23. Emil Uzelac
    Theme Review Admin
    Posted 2 years ago #

    @liaaz if this would happen to one of the sites that I manage, fresh WordPress install is always best thing to do. I am also very positive that your hosting provider is capable to locate any malicious codes for you.

  24. marujobhz
    Member
    Posted 2 years ago #

    i verified 2 types of attacks:
    1) timthumb vulenerability
    http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    2) malicious eval code in wpcinfg and others, that redirect the user to other sites.
    use findstring to check this (in the begin of this post)
    i made this for all sites:
    backup all files (themes, wp dirs, etc)
    change all passwords (ftp, database)
    cleanup all infected files of theme and plugins that i use (other i delete)
    reup the files, and reinstall the latest wp version with SFTP, instead FTP. i notice that ftp is giving the new data to hackers. so, it must upload by SFTP.
    i made this for 3 sites and now its okay.

  25. altinkum
    Member
    Posted 2 years ago #

    timthumb vulenerability and look like made by some polish guys who dosent know anything else. delete and update your themes because all other themes will be effected same.

Topic Closed

This topic has been closed to new replies.

About this Topic